Security News > 2022 > October > Chegg sued by FTC after suffering four data breaches within 3 years
The U.S. Federal Trade Commission has sued education technology company Chegg after exposing the sensitive information of tens of millions of customers and employees in four data breaches suffered since 2017.
The agency's proposed order would require Chegg to shore up data security, implement multifactor authentication to help users secure their accounts, limit collected and stored customer data, and allow customers to access and delete their data.
In April 2018, a former contractor used login information to gain access to Chegg Amazon S3 buckets containing the data of millions of users.
The FTC complaint alleges that these four data breaches were the result of several poor data security practices, including Chegg failure to implement basic security measures such as the lack of MFA support, the use of a single login for all compromised databases, and not monitoring for malicious activity).
"As a result of these failures, some of the data about Chegg's 40 million customers stolen by its former contractor was later found for sale online," the FTC said.
"Chegg's failure to protect its employees' medical and financial data was particularly problematic since this information is valuable on the open market and is used to commit identity theft and fraud."