The Federal Trade Commission has issued a Consent Order against a company accused of “lax” data security practices that resulted in four data breaches over the past five years, exposing the personal information of millions of individuals. The order does not include a monetary penalty, but it requires the company to bolster its information security practices and limits the data that it can collect and retain.
The complaint and the Consent Order in the matter against Chegg are available from the FTC.
According to the complaint, the company was the victim of three phishing attacks that allowed attackers to gain access to employees’ direct deposit information, as well as employees’ medical and financial information. In a fourth incident, a former contractor used login credentials that had been shared among employees and outside contractors to access a third-party cloud database containing the personal information of 40 million customers. The exposed information included personal details as well as financial information about those customers.
The complaint accused the company of failing to use “commercially reasonable security measures,” specifically: not requiring multifactor authentication; sharing single login credentials to databases among employees and contractors rather than issuing individual accounts; failing to monitor its network for threats; storing personal information in databases that were neither encrypted nor protected by strong passwords; and failing to train employees on security, even after being victimized by phishing three times.
Under the Order, the company is required to implement multifactor authentication for customers and employees, provide customers with access to the data collected about them and allow them to request that it be deleted, and create a data retention schedule that sets out what personal information it collects, documents why that information is collected, and specifies when it will be deleted.