Federal government hits edtech firm with millions of users over inadequate security measures

CHARLOTTE, N.C. (WBTV) — The Federal Trade Commission is issuing a strong order against a popular education technology company used by millions of high school and college students.

Earlier this week, the FTC filed a lawsuit against the company, Chegg Inc. Because of its careless security measures, the company exposed the personal information of millions of users, including passwords, gender, sexual orientation, household income and employee direct deposit information.

According to the complaint, Chegg allegedly failed to update and harden its security measures, even as it experienced multiple breaches dating back to 2017.

“Chegg took a shortcut with millions of students’ sensitive information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “[This] order requires companies to strengthen security, provide consumers with an easy way to delete data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”

The web-based company allows users to buy/rent and sell textbooks, get help with textbook assignments, use tutoring services, and conduct scholarship searches using the site.

Tay-Keara Bristol, a student at Johnson C. Smith University who has a Chegg account, said she was frustrated to hear about the data breach.

“It’s definitely concerning because we use these sites just to get extra help in the classroom, which is hard enough,” Bristol said. “Having to worry about your passwords and your information being compromised is very concerning because you can do so many things with those passwords.”

According to the complaint, a former contractor accessed one of the company’s third-party cloud databases in April 2018 using credentials that Chegg shared with current employees and outside contractors. The former contractor accessed a database containing the personal information of more than 40 million users who used the site’s scholarship search program.

This personal information includes name, password, gender identity, sexual orientation, inheritance, family income and disability.

Additionally, the FTC noted that Chegg stores user information in plain text without proper encryption.

The complaint goes on to state that employees fell victim to phishing attacks in 2019 and 2020.

Data privacy is a top priority for Chegg. Chegg is working with the FTC on these issues to find mutually agreeable outcomes and will fully comply with the mandate outlined in the Commission’s executive order. The events in the FTC complaint relate to issues that occurred more than two years ago. A Chegg spokesman said in a statement that no fines were assessed.

University of North Carolina at Charlotte student Stephen Beckett, who used Chegg to help him with homework in the past, said he is now suspicious of using the site.

“A lot of my friends are using it, I’ve used it in the past, and it’s scary knowing that your information is public and anyone can access and gain access to it,” Beckett said.

According to the filing, the FTC claims that until 2021, Chegg did not have any written security policies, standards, procedures or practices. In addition, the commission said Chegg did not provide its employees with proper data security training, did not have multi-factor authentication, and stored users’ personal data after it was no longer needed.

WBTV spoke with Chris Furtick, director of incident response and security engineering at cybersecurity firm Fortalice Solutions.

“Unfortunately, it took the FTC four data breaches to act on this, but hopefully moving forward this is a lesson for other companies to ensure they provide adequate control over customer data,” Furtick said.

Furtick said there are two steps users can take to protect themselves going forward: using a unique password, and placing a credit freeze if their financial information is compromised.

“Make sure you have a unique password in there so that if there’s a breach in one of the services, you don’t expose yourself to all the other accounts,” Furtick said. “The next thing to do is to implement a credit freeze, you can do this with any of the major credit bureaus and this will ensure that no accounts are opened in your name based on information stolen from one of the credit service providers.”

The FTC asked Chegg to do the following:

  • Details and limitations of data collection: Chegg must keep a record of and follow a schedule that lists the personal information the company collects, why it is collected, and when it will be deleted.
  • Provide data access to consumers: Chegg must provide its customers with access to the data collected about them and allow them to ask the company to delete that data.
  • Implement multi-factor authentication: Chegg must provide its customers and employees with multi-factor authentication or other authentication methods to help protect their accounts.
  • Implement a safety plan: Chegg must implement a comprehensive information security program to address weaknesses in the company’s data security practices, including encrypting consumer data and providing security training for employees.

JCSU student Kobe Livingstone told WBTV that he was also hesitant to continue using Chegg because of his knowledge of the company’s history of security issues.

“I hope it gets better. I hope they take better precautions about their use, but until then I don’t think I can see myself using anything like that anymore,” Livingstone said.

Chegg issued a statement to WBTV saying it is working to improve its security measures.

“We believe that our active negotiations with the FTC demonstrate our current strong security practices and our efforts to continuously improve our security program. Chegg is fully committed to protecting our users’ data and is working with reputable privacy groups to improve our security measures, and will continue to do so. Most security requirements are already part of our operations. Any additional requirements will be in place according to the timeline outlined in our agreement with the FTC,” a Chegg spokesperson said in a statement.
