
Education tech giant gets an F for security after sensitive info on 40 million users stolen
2022-10-31 22:54

Sloppy data security at education tech giant Chegg exposed students' and workers' personal information not once but four times in various ways over four years, according to the FTC. In response, the American consumer watchdog today ordered the company to better protect data, including encrypting sensitive information, providing multi-factor authentication to users and employees, limiting the amount of personal information it collects and retains, and training staff on security practices.

Per an FTC order [PDF], the tech firm also has to notify "each individual whose unencrypted Social Security number, financial account information, date of birth, user account credentials, or medical information was exposed" within the next 60 days.

The FTC complaint cited an internal email from that year in which a Chegg information security employee described the scholarship search data as "very sensitive."

In addition to the scholarship search data that the tech company collected and retained, Chegg recorded videos of the students for its online tutoring services and harvested the usual employment information from its workers.

Finally, Chegg didn't "adequately monitor" its networks and IT systems for intruders trying to break in and steal personal information, which "led to the repeated exposure of that personal information," the FTC said.

"Chegg is wholly committed to safeguarding users' data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts."


News URL

https://go.theregister.com/feed/www.theregister.com/2022/10/31/chegg_ftc_order/