The Federal Trade Commission has accused U.S. education technology giant Chegg of “careless” cybersecurity practices that led to the exposure of sensitive information about tens of millions of its customers and employees.
In a legal complaint filed on Monday, the FTC accuses Chegg — which provides digital and physical textbook rentals and online tutoring — of numerous cybersecurity lapses that resulted in four separate data breaches between 2017 and 2020.
In 2018, for example, hackers made off with 40 million Chegg customer records after a former contractor accessed a database that contained customer names, email addresses, passwords, and other sensitive information including religion, sexual orientation, disabilities, and parents’ income ranges. According to the FTC’s complaint, Chegg allowed employees and third-party contractors to access Amazon-hosted storage with a single access key that provided full administrative privileges over all information.
Chegg also experienced three more data breaches involving phishing attacks that successfully targeted Chegg employees.