Education tech giant gets an F for security after sensitive info on 40 million users stolen

Sloppy data security at education tech giant Chegg exposed students and workers' personal information not once but four times in various ways over four years, according to the FTC. 

In response, the American consumer watchdog today ordered the company to better protect data, including encrypting sensitive information, providing multi-factor authentication to users and employees, limiting the amount of personal information it collects and retains, and training staff on security practices. Stuff that should have been done a long time ago.

Additionally, the FTC noted Chegg didn't necessarily notify all of the 40 million users and employees whose private info was exposed during the four breaches. 

So, per an FTC order [PDF], the tech firm also has to notify "each individual whose unencrypted Social Security number, financial account information, date of birth, user account credentials, or medical information was exposed" within the next 60 days.

"Chegg took shortcuts with millions of students' sensitive information," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement. "Today's order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end."

Chegg offers a ton of online educational services and products, including e-textbooks for rent, homework help, and exam preparation, primarily to high school and college students. It also collects a ton of personal data, according to an earlier FTC complaint [PDF].

What could possibly go wrong?

"For example, in connection with its scholarship search service, Chegg has collected information about a user's religious denomination, heritage, date of birth, parents' income range, sexual orientation, and disabilities (collectively, the 'Scholarship Search Data')," it noted.

This should have set off at least a few security and privacy alarms — and apparently, in 2018, it did. The FTC complaint cited an internal email from that year in which a Chegg information security employee described the scholarship search data as "very sensitive."

In addition to the scholarship search data that the tech company collected and retained, for its online tutoring services Chegg recorded videos of the students as well as harvesting the usual employment information from its workers. This includes employees' names, dates of birth, Social Security numbers, and financial information. 

The company stored all of this sensitive employee and student data in Amazon S3 buckets — and then did a miserable job at keeping intruders from potentially stealing it.

"From at least 2017 to the present, Chegg has engaged in a number of practices that, taken individually or together, failed to provide reasonable security to prevent unauthorized access to users' personal information," according to the complaint.

The laundry list of what Chegg allegedly did wrong reads like a how-to-get-breached-for-dummies book. For example, the company allowed employees and contractors to use a single AWS access key that provided full admin privileges over all data in the S3 databases. It also failed to rotate access keys to the S3 databases, and stored personal information in plain text instead of using encryption. 

Until at least April 2018, Chegg used insecure cryptographic hash functions to protect users' passwords, and it didn't even have any security standards or policies until January 2021, the complaint claims. Additionally, the firm didn't delete student and employee data after it was no longer needed. 

Finally, Chegg didn't "adequately monitor" its networks and IT systems for intruders trying to break in and steal personal information, which "led to the repeated exposure of that personal information," the FTC said.

Did we mention the four data security breaches?

Four years, four data breaches

First, in 2017, Chegg employees fell for a phishing attack, which gave criminals access to employees' direct deposit information. 

A year later, a former contractor accessed one of Chegg's S3 databases using an AWS Root Credential, and stole a database containing about 40 million users' data. This included email addresses, first and last names, passwords, and, for some users, their religious denomination, heritage, date of birth, parents' income range, sexual orientation, and disabilities. 

Later in 2018, a threat-intel firm notified Chegg that a file containing some of the stolen information was up for sale in an online forum. 

"Chegg reviewed the file as part of its own investigation, finding it held, among other things, approximately 25 million of the exfiltrated passwords in plain text, meaning the threat actors had cracked the hash for those passwords," according to the complaint. 

In response, Chegg required about 40 million users to reset their passwords. But it continued to store students' personal information in plain text, we're told.

In 2019, following another successful phishing attack, miscreants stole a senior executive's credentials and used those to access the exec's email inbox, which contained users' and employees' financial and medical information. The email system remained in its default configuration, which meant it didn't require MFA to access inboxes, the complaint said.

• FTC slaps down Drizly CEO after 2.4m user records stolen from 'careless' booze app biz
• Health insurer Medibank's data breach diagnosis keeps getting worse
• Oops, web trackers may have leaked 3 million patients' info
• Data tracking poses a 'national security risk' FTC told

Finally, the fourth breach happened in 2020, when yet another Chegg senior employee, this one responsible for payroll, fell victim to yet another phish. A crook then used the stolen credentials to access the payroll system and steal about 700 current and former employees' W-2 forms. 

Two-plus years later, the FTC has had enough. Multiple breaches suggest Chegg "didn't do its homework," the agency cleverly claimed in a blog post.

A Chegg spokesperson, however, insisted that data privacy is a "top priority" for the education company.

"Chegg worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the Commission's Administrative Order," the spokesperson told The Register, adding that the four breaches happened more than two years ago and the FTC never issued any monetary fines.

"We believe our positive negotiations with the FTC are indicative of our current robust security practices, as well as our efforts to continuously improve our security program," the spokesperson continued. "Chegg is wholly committed to safeguarding users' data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts." ®