Skip to Content

FTC Brings Action Against Chegg for Alleged Security Failures

Updated on 2022-11-06: FTC takes action against Chegg for several data breaches

Federal Trade Commission: The cogs of government turn slowly, but the FTC seems to be chugging along — dare I say it, even gaining pace as the quartet of commissioners ramp up their enforcement action of companies doing, well, bad things. The latest is book rental and online learning giant Chegg, which had four security breaches since 2017, per the FTC this week, which was the result of “careless” security practices that exposed 40 million users’ personal information, including sexual orientation and religion. The complaint [PDF] is eye-watering. It’s the latest action by the regulator this year and specifically for data security issues, including Drizly, Vonage, and a U.S. data company that exposed millions of Americans’ mortgage and financial files. Read more:

Updated on 2022-11-02: FTC settles with Chegg

The US Federal Trade Commission sued and reached a settlement with ed-tech company Chegg for its repeated failure to secure its platform and for suffering four security breaches over the span of the last five years. The proposed FTC settlement requires Chegg to limit the data it collects from users, offer users access to the data the company collected about them, honor data deletion requests, and implement multi-factor authentication for both customers and employees. Read more: Multiple data breaches suggest ed tech company Chegg didn’t do its homework, alleges FTC

Overview: FTC Brings Action Against Chegg for Alleged Security Failures

The US Federal Trade Commission (FTC) has filed a legal complaint against homework help app Chegg alleging that the company has exhibited a “careless” approach to cybersecurity resulting in multiple breaches of sensitive customer information. Among the issues listed in the complaint: Chegg shared an AWS access key with multiple employees and third-party contractors that allowed full administrative access to S3 databases; did not employ least privilege controls; and did not employ multi-factor authentication for access to the S3 databases. The FTC order will require Chegg to employ stronger security measures, and delete unnecessary data.


  • Since late 2021, the FTC has expanded its role in both setting and enforcing cybersecurity standards. The issues cited in the complaint can be mitigated by simply following well established cybersecurity best practices in the form of CIS critical security controls and CIS cloud foundation benchmarks. This order and the recent action against online alcohol marketplace Drizly and its CEO, sends a clear signal that the FTC has rightfully placed a focus on enforcing cybersecurity standards. Commercial businesses should redouble efforts in implementing a cybersecurity program that is both measurable and defensible.
  • This comes after multiple breaches from Chegg, (2018, 2019, 2020), and reinforces the FTC’s new mantra of information protection being non-discretionary. Before you shrug off the behaviors above, make sure that you don’t have similar practices within your organization. If you do, take steps to remedy them. When was the last time you checked that you had adequate ACLs on your S3 buckets? How about other cloud storage? What about that temporary access for Jane from that company you were doing business with – did that get closed down after the contract concluded?
  • Very few enterprises are employing least privilege access control or even have plans to get there.


Alex Lim is a certified IT Technical Support Architect with over 15 years of experience in designing, implementing, and troubleshooting complex IT systems and networks. He has worked for leading IT companies, such as Microsoft, IBM, and Cisco, providing technical support and solutions to clients across various industries and sectors. Alex has a bachelor’s degree in computer science from the National University of Singapore and a master’s degree in information security from the Massachusetts Institute of Technology. He is also the author of several best-selling books on IT technical support, such as The IT Technical Support Handbook and Troubleshooting IT Systems and Networks. Alex lives in Bandar, Johore, Malaysia with his wife and two chilrdren. You can reach him at [email protected] or follow him on Website | Twitter | Facebook

    Ads Blocker Image Powered by Code Help Pro

    Your Support Matters...

    We run an independent site that is committed to delivering valuable content, but it comes with its challenges. Many of our readers use ad blockers, causing our advertising revenue to decline. Unlike some websites, we have not implemented paywalls to restrict access. Your support can make a significant difference. If you find this website useful and choose to support us, it would greatly secure our future. We appreciate your help. If you are currently using an ad blocker, please consider disabling it for our site. Thank you for your understanding and support.