Another FTC Cyber Enforcement Case
Another week, another enforcement action from the Federal Trade Commission to remind the rest of us what steps we should take to protect consumers’ personal data. This time the company going to the woodshed is Chegg, an education tech company that lumbered along for years with poor data protection practices.
Chegg provides textbooks, study aids, online tutoring, and other education services to the public. The company has been around since 2005, and has been growing briskly in recent years: from $321 million in annual revenue in 2018 to $776 million in 2021. That’s a lot of growth, which means a lot of data collected from customers — which brings us to the FTC’s enforcement action, announced Monday.
According to the FTC’s complaint, Chegg has suffered four data breaches over the last five years that exposed the personal information of customers and employees. In the first attack (September 2017), multiple Chegg employees fell for a phishing attack that let a hacker gain access to employees’ direct-deposit information. Less than a year later, a former Chegg contractor used login information the company shared with employees and outside contractors to access one of Chegg’s third-party cloud databases containing personal data for roughly 40 million customers. The exposed data included names, email addresses, passwords, and, for certain users, sensitive scholarship data such as dates of birth, parents’ income range, sexual orientation, and disabilities.
Chegg then suffered two more breaches in the ensuing years, both of them phishing attacks that successfully targeted employees.
The weak security practices alleged by the FTC are issues we’ve heard many times before:
- Flubbing basic security practices, such as not requiring employees to use multi-factor authentication to access important data and allowing groups of employees and contractors to share a single log-in account.
- Storing information insecurely. At least into 2018, the FTC says, Chegg stored personal data in the cloud in plainly visible text rather than using encryption, and maintained weak password policies for access to that data.
- Inadequate security training and testing. Employees fell for three phishing attacks before Chegg finally improved its training program and implemented a written security policy in January 2021.
The enforcement action against Chegg is part of a larger crackdown the FTC has been pushing lately. The agency specifically warned education companies earlier this year to be careful in collecting data from young children, and wants to adopt more rules about lax data security practices sometime soon.
Plus, we just had an FTC enforcement action against online liquor store Drizly.com for its poor security practices, with a consent order that even extended to Drizly’s CEO personally should he take another job elsewhere.
Clearly the FTC wants us to think long and hard about good security practices. Let’s do that.
Basic Cybersecurity Practices Gone Wrong
The allegations in the FTC complaint make for painful reading. Among the many mistakes in information protection that Chegg made:
- The company stored customer data, including highly sensitive personal information, on an Amazon Web Services database in plain text, rather than encrypting the information.
- Chegg also allowed multiple employees and outside contractors to use a single, shared access credential to access huge troves of data the company stored on that AWS database, instead of requiring each user to have his or her own set of credentials.
- The company left its email applications in a default setting, which allowed users to bypass multi-factor authentication requirements. When a senior executive fell victim to a phishing attack in 2019, the attacker then had a clear path to rifle through the executive’s email archives, which contained personal health and financial information of Chegg employees.
- Chegg didn’t require employees to complete any security training until April 2020. By then the company had already suffered two phishing attacks and the 40 million customer breach in 2018. In April 2020, the company’s payroll director fell victim to another phishing attack that allowed an attacker to exfiltrate employees’ W-2 information. Only after that incident did security training become mandatory.
What strikes me most is that these mistakes all trace back to failures at basic, basic cybersecurity practices:
- Using multi-factor authentication when trying to access third-party databases, or when accessing company databases from off-site;
- Role-based access control, so that employees only get to see the confidential data they need for their jobs and nothing more, and so that former employees (or third-party contractors) swiftly see their access cut off when they no longer work for the company;
- Encryption of all confidential data, including data at rest;
- Required employee training.
These practices are all standard-issue for a host of cybersecurity frameworks, and for compliance with a host of data privacy regulations. The clear reminder here is simply that you need to use frameworks to achieve privacy and security compliance.
Like, every sensible practice you need to have in place is in those frameworks. Find a GRC or risk management tool to map out your compliance obligations — because so many of those regulatory obligations overlap among HIPAA, PCI DSS, GDPR and other regulations — and then go about the chores of putting proper controls in place. That work might be extensive and exacting, but it’s not any great mystery. You just need to slog through it.
The Proposed Remedies
The FTC’s consent order against Chegg isn’t all that surprising either. As usual with FTC orders, Chegg will go along with the agency’s findings and settlement terms, but neither confirms nor denies any of the allegations against it. The consent order will be out for comment for 30 days, and will likely go into effect shortly thereafter.
The improvements Chegg needs to make include:
- Adopting a data retention schedule, including provisions for deleting any data that Chegg no longer needs for business purposes;
- Implementing multi-factor authentication for all employees and contractors, which can’t include any phone-based methods; and also offering multi-factor authentication to Chegg customers;
- Implementing technical measures to monitor Chegg’s corporate networks for threats and breaches;
- Taking an annual inventory of all IT assets and inspecting them for proper security and configuration;
- Performing security due diligence on any acquisitions before the deal closes;
- Encryption of all sensitive data;
- Testing of all security safeguards at least once a year, and within 30 days of any significant cybersecurity incident;
- Comprehensive security assessments performed by a qualified, independent third party every other year.
If all this sounds familiar, that’s because those terms are very similar to what the FTC imposed against Drizly.com just last week. Indeed, any compliance officer, internal audit chief, or CISO looking for clues about what the FTC wants to see for an effective data protection program should look at these two settlements closely, and then be sure your company does those things before the FTC turns its eyes to you.