The Federal Trade Commission (FTC) announced that they had cracked down on California-based technology company Chegg, saying the company’s careless approach to cybersecurity had exposed the personal data of “dozens of millions” of users.
In a new legal complaint, regulators allege that Chegg committed many data security flaws dating back to 2017. The problem with this is that they gave their employees root login credentials which granted full access to certain databases. They used Amazon Web Services’ online storage system. This left the company open to the possibility of many people looking at their user account data and this compromised their privacy and data integrity.
Former Chegg contractors were able to steal the names, email addresses, and passwords of 40 million users. In certain cases, sensitive details about their religion, sexual orientation, disabilities, or parental income were also taken into account. Some of the data were later found for sale online.
Chegg’s popular homework help app is regularly used by millions of high school and university students. The FTC was alerted to the fact that Chegg had agreed to adopt a comprehensive data security program.
We tried contacting Chegg multiple times, but they never got back to us.
The FTC’s enforcement action against a major industry player is a warning to the tech industry.
As the pandemic first surged in 2020, edtech companies experienced an increase in customers and revenue. To enable remote learning, many schools and universities were quick to adopt digital tools such as exam proctoring software, course management platforms, and video meeting services.
Tuition costs and textbook prices have risen over the years, which has led students to flock to online options for tutoring services and study aids. Among them is Chegg, with a market cap of nearly $3 billion on Monday morning. Chegg reported annual revenue of $776 million for 2020, a 20% increase from a year earlier.
Some online learning systems became so useful for students that many students and their schools continued to use the tools even after returning to in-person instruction.
The ongoing development of digital learning tools during the pandemic has revealed flaws that previously went unnoticed.
Many online education services record, store, and analyze a vast amount of data about every student–details like keystrokes, swipes, and clicks. Privacy experts have warned that this increased surveillance could benefit the business more than the child.
Illuminate Education, a leading provider of student tracking software, recently disclosed a cyberattack. The attack exposed the personal information of more than a million current and former students in dozens of districts across the United States. Illuminate serves many large school districts, including New York City’s public school system, which is the nation’s largest.
The FTC, in May, issued a policy statement saying they planned to crack down on educational technology companies that collected too much personal data from students and lacked adequate safety measures.
Last year, the FTC fined a company for violating children’s privacy on services like YouTube and TikTok. Overseas data protection authorities provide similar oversight to ensure compliance.
The Federal Trade Commission filed a complaint against Chegg, which marks the first time they’ve pursued a case related to the tech industry’s data mining. In this situation, the FTC accused Chegg of unfair and deceptive business practices, rather than the children’s privacy law.
Chegg was started as a textbook rental service for college students in 2005, with an eye towards supporting the lifelong journey to education. Today it is an online learning platform that rents e-textbooks.
Though it’s best known as a homework help platform, Chegg also offers students a variety of helpful tools including instant answers to millions of questions on subjects like physics and calculus. Students can also ask Chegg’s online experts to answer questions they’ve been assigned for homework or study.
Teachers have expressed concern that the service has enabled widespread cheating. Students have even taken to calling copying responses from the platform “chegging,” which doesn’t bode well for any college prospects.
Chegg’s privacy policy promised users that it would take “commercially reasonable security measures” to protect their personal information. For example, the scholarship search service collected information such as students’ dates of birth, as well as details about their religion, sexual orientation, and disabilities. The FTC says all of this is in violation of Chegg’s privacy policy.
The company failed to use reasonable security measures to protect user data, even after a series of security flaws that allowed intruders to gain access to sensitive information from students and employees.
As part of a consent agreement proposed by the FTC, Chegg must provide security training to employees and encrypt user data. They must also give consumers access to the personal information they have collected about them, including precise location data and persistent identifiers like IP addresses. Users will be able to delete their records.
Companies running online learning services can also submit to regulation. The FTC has confirmed that it’s currently running a series of nonpublic investigations into educational technology companies.
“A violation like this should not happen,” Samuel Levine, director of the FTC’s Office of Consumer Protection, said in a Monday press release. “The Commission will continue to act aggressively to protect personal data.”