Now Chegg Might Have to Reckon for Data Breach

In 2018 at e-Literate, I covered a data breach by Chegg that impacted up to 40 million users. Yesterday the NY Times reported that the Federal Trade Commission (FTC) has jumped in with a legal complaint accusing Chegg of ‘careless’ data security practices that led to the breach. I’ll try my best to not make this an obvious ‘I told you so’ post . . . hell, who am I kidding? I’ll admit it. [full-page audio link]

The Background

Back in September, 2018, I described the massive breach.

Chegg – a publicly-traded provider of digital textbooks, tutoring and study guides – notified the SEC yesterday that they learned a week ago about a security breach dating back to April 2018. [snip]

Note that the company learned of the data breach a week ago, and the notifications appear to be centered on calming investors (their stock price dropped 12% based on the news). The only way that I discovered this news was through financial market notifications and their 8-K filing

Data breaches can happen to almost any company, but my complaint against Chegg was that their practices were careless, and their primary motivation for public statements appeared to be calming investors rather than transparently describing what happened and notifying schools and individual users about the breach.

The Whining

In a follow-up post a month later, I decried the lack of interest and further explored issues with hashed passwords and compliance with GDPR regulations in Europe.

It has now been four weeks since Chegg announced a data breach compromising personal information of up to 40 million users. Cue the crickets because the only coverage in ed tech press thus far is from EdWeek, which focuses on the K-12 market. That’s a shame, because if ed tech companies want a case study to help understand the implications of FBI warnings or the European Union’s new Global Data Privacy Regulations (GDPR), this example from Chegg should be illustrative. The same goes for institutions.

One year later here at PhilOnEdTech, I provided an update showing that the data had been decrypted and was showing up online on the dark web, but with Chegg continuing its deny and minimize approach.

Where is Chegg in all this year’s news? It appears that the company is continuing its approach of trying minimize the news about security breaches and primarily notify the investment community. I could find nothing in public where Chegg is notifying people of the decryption and comprise of username / password combinations.

Chegg claimed that the data breach “amounted to nothing” in an investors earnings call, and that their protocols operated in “complete and total transparency,” which I challenged.

Amounted to nothing? We now have new exposure of decrypted information with documented increase in malicious attacks. While I am not aware of further loss of information from this situation, I would not call it nothing. [snip]

Complete and open transparency? Chegg waited a week to send an email to users about the breach discovery last year and only later made a public post. And the company has made no “complete and open transparency” attempt based on the September 2019 decryption and exposure of information, according to the news articles.

This evolving story should be a wakeup call to the EdTech community to take data security more seriously, and for institutions to demand greater transparency from vendors.

The (Potential) Reckoning

Fast forward to yesterday’s NY Times story.

The Federal Trade Commission on Monday cracked down on Chegg, an education technology firm based in Santa Clara, Calif., saying the company’s “careless” approach to cybersecurity had exposed the personal details of tens of millions of users.

In a legal complaint, filed on Monday morning, regulators accused Chegg of numerous data security lapses dating to 2017. Among other problems, the agency said, Chegg had issued root login credentials, essentially an all-access pass to certain databases, to multiple employees and outside contractors. Those credentials enabled many people to look at user account data, which the company kept on Amazon Web Services’ online storage system.

As a result, the agency said, a former Chegg contractor was able to use company-issued credentials to steal the names, email addresses and passwords of about 40 million users in 2018. In certain cases, sensitive details on students’ religion, sexual orientation, disabilities and parents’ income were also taken. Some of the data was later found for sale online.

Chegg, for its part, is still playing the same tune.

In a statement, Chegg said data privacy was a top priority for the firm and that the company had worked with the F.T.C. to reach a settlement agreement. The company said it currently has robust security practices, and that the incidents described in the agency’s complaint had occurred more than two years ago. Only a small percentage of users had provided data on their religion and sexual orientation as part of a college scholarship finder feature, the company said in the statement.

The NY Times article rightly describes that the FTC action “amounts to a warning to the U.S. education technology industry.”

My interest here is not to bash Chegg, per se, but to highlight again their careless actions and applaud the FTC and NY Times for yesterday’s news. EdTech needs this public pressure to take data privacy and security seriously. And kudos to Higher Ed Dive for their coverage today.