Sep 23, 2024

FTC Sues EdTech Company Chegg Over Repeat Data Breaches

by Nadia El-Yaouti | Nov 14, 2022

Education technology company Chegg is at the center of a U.S. Federal Trade Commission lawsuit following four data breaches since 2017. These data breaches exposed sensitive information including the names and emails of tens of millions of customers and employees.

Chegg has become a go-to online study source for students all across the nation. The tech company specializes in providing educational material, homework help, textbook rentals, and much more to its nearly three million subscribers.

Though the company has become wildly popular among students for its educational value, since at least 2017, Chegg has made headlines numerous times for its lack of customer security. At least four data breaches have compromised the security of sensitive information its very users trust it to protect.

The FTC alleges that the company “took shortcuts with millions of students' sensitive information” and that these shortcuts ultimately resulted in weakened network security that allowed vulnerabilities to be exploited.

Chegg’s first issues with digital security came after a 2017 phishing attack on employees. As a result of the attack, hackers were able to gain access to the direct deposit information of employees.

The next attack occurred less than a year later on the company's cloud databases, which were hosted by Amazon Web Services. A former employee used valid login credentials to access the company's cloud database, which stored the personal information of roughly 40 million customers. The login credentials used were a single access key that gave full administrative privileges to all information stored on the database. Under cyber security best practices, a single access key offering full administrative rights over information would not be used and distributed so freely.

The data leaked in the cloud database breach was significant and exposed sensitive information including names, birth dates, emails, passwords, and much more. According to officials, this personal and sensitive information was later found for sale in markets on the dark web.

Within the next two years, Chegg would suffer two more data breaches, both of which were the result of simple phishing attacks. These attacks further exposed customers as their financial and medical information was obtained by hackers.

While it's unfortunate, companies in all industries and of all sizes are prone to cyber security attacks. However, in the case of Chegg's security operations, the FTC alleges that the company was careless in implementing the most basic security measures. Had these measures been implemented, this significant loss of data could have been avoided.

In addition to failing its customers and employees by forgoing basic security measures, the FTC alleges that Chegg stored information in an unsecured manner on its cloud databases. The FTC alleges that since at least 2018, Chegg has used outdated and weak encryption methods to protect user passwords and stored personal data on its cloud databases. Among these weak security measures was storing sensitive information like passwords in plain text, a practice heavily discouraged in the world of cyber security.

Lastly, the FTC alleges that Chegg failed to implement adequate security policies and training among its staff. As a result, employees were targeted and successfully exploited in at least three phishing attacks. Additionally, the FTC highlights that Chegg did not have a written security policy available until January 2021, nearly three years after its most significant data breach.

In its lawsuit, the FTC is demanding that Chegg take appropriate action to remedy its security failures. As part of its proposal, the FTC is seeking to have Chegg initiate and follow through on better cyber security documentation, while limiting its data collection. This documentation must detail what personal information is collected, why it is collected, and when the information will be deleted.

The FTC is also seeking to have Chegg provide customers the ability to access their data and request that it be deleted when they see fit. Finally, Chegg is being asked to implement a comprehensive security program that would address the company's current lack of security protocols. Included in this comprehensive security program are stronger encryption of customer data, updated security training for all employees, and the implementation of multi-factor authentication for customers and employees in order to better secure their accounts.

This lawsuit against Chegg is the FTC's latest initiative to crack down on education technology companies that have weakened cyber security solutions in place. The FTC shares, “Going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy.”


Nadia El-Yaouti
Nadia El-Yaouti is a postgraduate from James Madison University, where she studied English and Education. Residing in Central Virginia with her husband and two young daughters, she balances her workaholic tendencies with a passion for travel, exploring the world with her family.