Chegg Lands in Hot Water; FTC Files Lawsuit
40 Million Victimized by Hacking Campaigns
After a total of four data breaches that date back to 2017, Chegg has finally found itself in the hot seat with the U.S. Federal Trade Commission (FTC). The government watchdog agency has filed a lawsuit against education technology provider Chegg Inc.
According to the FTC Bureau of Consumer Protection, Chegg has caused irreparable damage to its customers with its sloppy management. The lawsuit charged that the embattled company’s carelessness had resulted in confidential information of its customers and employees being auctioned on dark web marketplaces.
With the reported breaches carried out by criminal hackers, the scale of the damage is catastrophic, with tens of millions of data records compromised in the devastating hacks.
The Commission has charged that the corporation must improve its security protocol to prevent future attacks from threat actors. Additionally, abandoned accounts should be wiped free of private data, to prevent that data from landing in the hands of dark web hackers. The FTC also prohibits the company from preemptively collecting superfluous data from prospective clients.
According to documented files, Chegg has been infiltrated in four attacks by hackers since September 2017. Over that period, the company has continued to conceal the breaches, which negatively impacted its clients and employees, who have since become victims of several phishing scams.
Data Breach Affects 40 Million Users
The FTC’s complaint revealed a list of cyber security breaches on Chegg’s platform.
In 2017, the first attack on Chegg affected its Amazon S3 buckets; the incident involved login credentials being used by one of its former contractors. By April 2018, law enforcement had tracked 25 million personal data records stolen from Chegg on some popular dark web markets.
Meanwhile, in another hack, a threat actor infiltrated the executive email inbox of the company’s staff. In this breach, personal data such as financial and medical information was stolen and later used in a phishing attack against Chegg executives.
Since the first cyber security breach at Chegg, numerous employees have fallen victim to a phishing scam. It was also revealed that the hackers gained access to Chegg’s payroll system and stole IRS-related data, birth information, addresses, and Social Security numbers of several hundred employees.
The FTC complaint documented Chegg’s continuous failure to update its security measures, the absence of multi-factor authentication (MFA), and the single login criteria that led to the compromised databases. In addition, the company’s security team had failed to recognize all suspicious behavior that led to the four data breaches.
The charges against Chegg also include inappropriately retaining clients’ private data and blatantly neglecting to protect its private database, as well as its subcontractors, from dangerous hackers.