Updated on 2022-11-06: FTC takes action against Chegg for several data breaches
Federal Trade Commission: The cogs of government turn slowly, but the FTC seems to be chugging along — dare I say it, even gaining pace as the quartet of commissioners ramp up their enforcement actions against companies doing, well, bad things. The latest is book rental and online learning giant Chegg, which per the FTC this week has had four security breaches since 2017, the result of “careless” security practices that exposed 40 million users’ personal information, including sexual orientation and religion. The complaint [PDF] is eye-watering. It’s the latest action by the regulator this year, and specifically over data security issues, following actions against Drizly, Vonage, and a U.S. data company that exposed millions of Americans’ mortgage and financial files. Read more:
- FTC Takes Action Against Drizly and its CEO James Cory Rellas for Security Failures that Exposed Data of 2.5 Million Consumers
- FTC Action Against Vonage Results in $100 Million to Customers Trapped by Illegal Dark Patterns and Junk Fees When Trying to Cancel Service
- FTC Brings Action Against Ed Tech Provider Chegg for Careless Security that Exposed Personal Data of Millions of Customers
- FTC settles with data analytics firm after millions of Americans’ mortgage files exposed
- FTC Accuses Chegg Homework Help App of ‘Careless’ Data Security
This just in:
FTC accuses Chegg, the popular homework help app, of "careless" security practices that exposed the personal data of 40 million users, including details on some students' religion, sexual orientation + disabilities. https://t.co/83ycBnoGvz
— Natasha Singer (@natashanyt) October 31, 2022
"The agency said a former Chegg contractor was able to use company-issued credentials to steal the names, email addresses and passwords of about 40 million users in 2018" including sensitive details in certain cases. "Some of the data was later found for sale online." #edtech https://t.co/uxIFR8q54h
— Frank Catalano (@FrankCatalano) October 31, 2022
Updated on 2022-11-02: FTC settles with Chegg
The US Federal Trade Commission sued and reached a settlement with ed-tech company Chegg for its repeated failure to secure its platform and for suffering four security breaches over the span of the last five years. The proposed FTC settlement requires Chegg to limit the data it collects from users, offer users access to the data the company collected about them, honor data deletion requests, and implement multi-factor authentication for both customers and employees. Read more: Multiple data breaches suggest ed tech company Chegg didn’t do its homework, alleges FTC
Overview: FTC Brings Action Against Chegg for Alleged Security Failures
The US Federal Trade Commission (FTC) has filed a legal complaint against homework help app Chegg alleging that the company has exhibited a “careless” approach to cybersecurity, resulting in multiple breaches of sensitive customer information. Among the issues listed in the complaint: Chegg shared an AWS access key with multiple employees and third-party contractors that allowed full administrative access to S3 databases; did not employ least privilege controls; and did not employ multi-factor authentication for access to the S3 databases. The FTC order will require Chegg to employ stronger security measures and delete unnecessary data.
- Since late 2021, the FTC has expanded its role in both setting and enforcing cybersecurity standards. The issues cited in the complaint can be mitigated by simply following well-established cybersecurity best practices in the form of the CIS Critical Security Controls and CIS cloud foundation benchmarks. This order, together with the recent action against online alcohol marketplace Drizly and its CEO, sends a clear signal that the FTC has rightfully placed a focus on enforcing cybersecurity standards. Commercial businesses should redouble efforts in implementing a cybersecurity program that is both measurable and defensible.
- This comes after multiple breaches at Chegg (2018, 2019, 2020), and reinforces the FTC’s new mantra of information protection being non-discretionary. Before you shrug off the behaviors above, make sure that you don’t have similar practices within your organization. If you do, take steps to remedy them. When was the last time you checked that you had adequate ACLs on your S3 buckets? How about other cloud storage? What about that temporary access for Jane from that company you were doing business with – did that get closed down after the contract concluded?
- Very few enterprises are employing least privilege access control or even have plans to get there.
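One way to answer the S3 ACL question above, as an added example that is not from the FTC complaint or any of the articles linked here: the checks below run over the dict shapes that boto3's `get_bucket_acl` and `get_public_access_block` return, flagging grants to the public AllUsers/AuthenticatedUsers groups and any Public Access Block flag left off. The bucket names and responses are constructed; feeding it live responses from boto3 (and treating a NoSuchPublicAccessBlockConfiguration error as `None`) is left to the reader.

```python
"""Audit S3 bucket ACLs and Public Access Block settings (added example).

Pure-Python checks over the response shapes of boto3's get_bucket_acl and
get_public_access_block, so they run offline on the constructed input below.
"""
PUBLIC_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers": "anyone on the internet",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers": "any AWS account",
}
# All four flags must be True for a bucket to be shielded from public ACLs/policies.
REQUIRED_BLOCKS = ("BlockPublicAcls", "IgnorePublicAcls",
                   "BlockPublicPolicy", "RestrictPublicBuckets")

def public_acl_grants(acl):
    """Return (who, permission) pairs for ACL grants made to a public group."""
    findings = []
    for grant in acl.get("Grants", []):
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_GROUPS:
            findings.append((PUBLIC_GROUPS[grantee["URI"]], grant["Permission"]))
    return findings

def missing_public_access_blocks(pab):
    """Return the Public Access Block flags that are not True (None = no config at all)."""
    cfg = (pab or {}).get("PublicAccessBlockConfiguration", {})
    return [flag for flag in REQUIRED_BLOCKS if not cfg.get(flag, False)]

def audit_bucket(name, acl, pab):
    """Combine both checks into human-readable findings for one bucket."""
    findings = [f"{name}: ACL grants {perm} to {who}" for who, perm in public_acl_grants(acl)]
    missing = missing_public_access_blocks(pab)
    if missing:
        findings.append(f"{name}: Public Access Block not fully enabled ({', '.join(missing)})")
    return findings

# Constructed sample responses (hypothetical bucket names, not real data).
SAMPLE = {
    "course-notes": (
        {"Grants": [
            {"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"},
            {"Grantee": {"Type": "Group", "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
             "Permission": "READ"},
        ]},
        {"PublicAccessBlockConfiguration": {"BlockPublicAcls": True, "IgnorePublicAcls": False,
                                            "BlockPublicPolicy": True, "RestrictPublicBuckets": True}},
    ),
    "hr-records": (
        {"Grants": [{"Grantee": {"Type": "CanonicalUser", "ID": "owner-id"}, "Permission": "FULL_CONTROL"}]},
        {"PublicAccessBlockConfiguration": {flag: True for flag in REQUIRED_BLOCKS}},
    ),
}

def audit_all(buckets=SAMPLE):
    """Map each bucket name to its list of findings (empty list = clean)."""
    return {name: audit_bucket(name, acl, pab) for name, (acl, pab) in buckets.items()}

if __name__ == "__main__":
    for bucket, findings in audit_all().items():
        print(bucket, "OK" if not findings else "\n  " + "\n  ".join(findings))
```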
Read more in