Data Security: It Pays to Ignore

With last week’s FTC order and yesterday’s earnings call, it is time to put the four and half year description of Chegg’s data breaches to bed. When it comes to data security, it appears that it pays to ignore – from a financial perspective, it was the right decision to deny, delay, and (mostly) ignore the data breach issues. [full-page audio link]

The quick recap is that in September 2018, Chegg announced a data breach that occured in April of that year, potentially exposing personal data for up to 40 million registered users. By late 2019 much of the data was showing up on the dark web. In 2019, the Federal Trade Commission jumped into the fray, noting that Chegg had had at least four separate data breaches, all due to lax data security processes, and last week the FTC issued an order based on its review. Below is a recap of the coverage at e-Literate and PhilOnEdTech.

Last week the FTC issued a press release and order concerning Chegg.

The Federal Trade Commission has finalized its order with education technology provider Chegg Inc. for its careless data security practices that exposed sensitive information about millions of Chegg’s customers and employees, including Social Security numbers, email addresses, and passwords.

In a complaint first announced in October 2022, the FTC said that Chegg failed to protect the personal information it collected from users and employees. For example, the company stored users’ personal data on its cloud storage databases in plain text and, until at least 2018, employed outdated and weak encryption to protect user passwords. As a result of its poor data security, Chegg experienced four data breaches that exposed the personal information of about 40 million users and employees, including users’ email addresses and sensitive scholarship data such as their dates of birth, sexual orientation and disabilities, as well as financial and medical information about Chegg employees.

The FTC’s order requires Chegg to implement a comprehensive information security program, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to request access to and deletion of their data.

After receiving only one substantive comment, the Commission voted 4-0 to finalize the order with Chegg and send a letter to the commenter.

To their credit, Higher Ed Dive has been covering this story based on the FTC involvement.

Yesterday, Chegg held their earnings call releasing Q4 and full-year results for 2022, and there was nothing about the FTC order. Nothing in the prepared remarks for the call, and nothing in the Q&A session with financial analysts. The data breach and the FTC order represent an end to this lightly-covered story, unfortunately.

And yet I’m sure we’ll hear plenty of EdTech conference sessions on data privacy and data security this year, despite this lack of coverage of a real-world example. Hell, “privacy and cybersecurity awareness” was issue #2 for the Educause Top 10 IT issues for this year, but no acknowledgement of the Chegg case study. Thus ends the complaints on this subject, if I can help myself.