Chegg Learns a Lesson About Exposing Student and Employee Information

Educational technology company Chegg learned a lesson about the dangers of lax security practices after four data breaches exposed information about its student customers and employees and the FTC charged it with taking “shortcuts with millions of students’ sensitive information.” The FTC complaint against the company highlighted its failure to implement basic security measures, its insecure storage of information, and its failure to develop adequate security policies and training. Chegg’s security breaches exposed personal information including names, email addresses, passwords, and, for certain users, sensitive scholarship data such as dates of birth, parents’ income range, sexual orientation, and disabilities. The 2022 FTC order required the company to detail and limit its data collection, allow customers to request deletion of any stored personal data, implement multifactor authentication, and create a comprehensive information security program.


