In big cybersecurity news, the Federal Trade Commission (FTC) is officially taking action against Chegg Inc. for mismanaged cybersecurity that resulted in the exposure of personal data of millions of customers (reference). It’s not every day that the FTC specifically goes after an organization – and it’s worth looking at what caused the attack, what could have been done differently, and why the FTC is taking this so seriously. Let’s dig in.
Chegg is a California-based company that sells educational products and services targeted to high school and college students, including online tutoring and a college scholarship search service. They collect a wide range of personal information from their users for various services, including their scholarship service. Data collected during account setup can include dates of birth, sexual orientation, disabilities, heritage, and religious denominations, in addition to common sensitive data such as passwords and Social Security numbers.
Due to lax data security practices, Chegg inadvertently exposed sensitive information about millions of its employees and customers. Sensitive information included email addresses, passwords, and Social Security numbers.
As a result of the attack, Chegg was ordered by the FTC to shore up its security against data breaches and to delete unnecessary data.
The FTC took this breach very seriously for several reasons. Following four security breaches in 2017, Chegg failed to fix problems with its data security that caused the 2017 attacks. These unaddressed vulnerabilities played a key role in the most recent attack.
As a result, the FTC order requires that Chegg strengthen its data security, initiate multi-factor authentication on secure accounts, limit the nature of data the company can collect, and add a function for users to access and delete their data.
The main takeaway is simple: Chegg took major data security shortcuts after their 2017 breaches, and it came back to bite them. As a result, millions of students’ sensitive information was exploited. The FTC values personal data protection above all else and continues to move aggressively to force Chegg to reform its practices moving forward.
Second, Chegg was not utilizing the countless security benefits of multi-factor authentication (MFA). Given the publicity and messaging around the importance of MFA, it shows poor organizational management that MFA was not being utilized. To keep the accounts within your organization secure, use multi-factor authentication 100% of the time. Why? Because attackers who have to get past MFA almost always fail.
Third, Chegg was not storing information securely. They were storing data in poorly protected cloud services and failing to perform regular updates and security patches.
After a company is breached, everything it did wrong can seem obvious in hindsight. The truth is that many companies are too busy running their businesses to worry about cybersecurity. We get it. While time is a scarce resource for many companies, that does not mean you can ignore your cybersecurity. Outsourcing IT security is often the best solution for proper management and prevention. If you are interested in talking with a member of the PK Tech team, schedule a 15-minute discovery call with us.