Data Security: It Pays to Ignore
by Phil Hill

With last week’s FTC order and yesterday’s earnings call, it is time to put the four-and-a-half-year description of Chegg’s data breaches to bed. When it comes to data security, it appears that it pays to ignore – from a financial perspective, it was the right decision to deny, delay, and (mostly) ignore the data breach issues.
The quick recap is that in September 2018, Chegg announced a data breach that occurred in April of that year, potentially exposing personal data for up to 40 million registered users. By late 2019 much of the data was showing up on the dark web. In 2019, the Federal Trade Commission jumped into the fray, noting that Chegg had had at least four separate data breaches, all due to lax data security processes, and last week the FTC issued an order based on its review. Below is a recap of the coverage at e-Literate and PhilOnEdTech.
- Sep 2018: https://eliterate.us/chegg-data-breach-affecting-40-million-users/ – Description of the initial disclosure of a known data breach
- Sep 2018: https://marketbrief.edweek.org/marketplace-k-12/tutoring-company-chegg-acknowledges-data-breach-puts-40-million-users-notice/ – Based on an interview with me about the initial report
- Oct 2018: https://eliterate.us/ed-tech-cybersecurity-suppose-they-gave-a-data-breach-and-nobody-came/ – Me whinging about the lack of coverage in most of the education press on the data breach while also describing the poor security practices, including late notification to affected parties
- Nov 2019: https://philonedtech.com/update-on-chegg-data-breach-decrypted-credentials-now-leading-to-multiple-campus-security-attacks/ – Description from several affected universities and their disclosure of student information showing up on the web
- Nov 2022: https://philonedtech.com/now-chegg-might-have-to-reckon-for-data-breach/ – Description of the FTC getting involved
Last week the FTC issued a press release and order concerning Chegg.
The Federal Trade Commission has finalized its order with education technology provider Chegg Inc. for its careless data security practices that exposed sensitive information about millions of Chegg’s customers and employees, including Social Security numbers, email addresses, and passwords.
In a complaint first announced in October 2022, the FTC said that Chegg failed to protect the personal information it collected from users and employees. For example, the company stored users’ personal data on its cloud storage databases in plain text and, until at least 2018, employed outdated and weak encryption to protect user passwords. As a result of its poor data security, Chegg experienced four data breaches that exposed the personal information of about 40 million users and employees, including users’ email addresses and sensitive scholarship data such as their dates of birth, sexual orientation and disabilities, as well as financial and medical information about Chegg employees.
The FTC’s order requires Chegg to implement a comprehensive information security program, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to request access to and deletion of their data.
After receiving only one substantive comment, the Commission voted 4-0 to finalize the order with Chegg and send a letter to the commenter.
To their credit, Higher Ed Dive has been covering this story based on the FTC involvement.
Yesterday, Chegg held their earnings call releasing Q4 and full-year results for 2022, and there was nothing about the FTC order. Nothing in the prepared remarks for the call, and nothing in the Q&A session with financial analysts. The data breach and the FTC order represent an end to this lightly-covered story, unfortunately.
And yet I’m sure we’ll hear plenty of EdTech conference sessions on data privacy and data security this year, despite this lack of coverage of a real-world example. Hell, “privacy and cybersecurity awareness” was issue #2 for the Educause Top 10 IT issues for this year, but no acknowledgement of the Chegg case study. Thus ends the complaints on this subject, if I can help myself.
You presumably intend these comments for EdTech vendor executives who are going to view everything through the cynical prism of the financial bottom line. You should, however, perhaps also point out that the fact that vendors have little financial incentive to act responsibly and ethically with personal data only heightens the urgency for Higher Ed institutions to exercise care and due diligence in scrutinizing EdTech vendors, since those vendors left to their own devices will take every opportunity to squeeze an extra cent by acting risky or careless.
Alysa, my point is general, not specific. Yes, there is an issue of viewing too much through the financial lens, but the bigger criticism is that the higher ed community is blowing it here. Vendors have little financial incentive to protect data, and part of the reason is that HEI and HE media don’t deal seriously with this subject.
Phil, a for-profit system without proper regulation will continue to undermine itself. Even when it has the opportunity to correct itself, in most cases it will not. And that’s not likely to change with a conservative US Supreme Court. There will be some effort from good people to increase transparency and accountability, but that almost seems like a losing battle.
There were cases when acquaintances and even relatives got into difficult situations with data theft, since the security staff in all cases worked quickly and very quickly, for which we are very grateful to them! I re-read these tips and understand that I myself could get caught!