The Federal Trade Commission (FTC) ordered education technology provider Chegg to fix problems and weaknesses with its cybersecurity program that led to the exposure of personal and financial data of 40 million customers in four data breaches since 2017.

In agreeing to the order, Chegg promised to “bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data,” the FTC said Monday in a press release.

Chegg neither admitted nor denied any of the allegations in the FTC complaint, except as specifically stated in the decision, according to the FTC’s order.

While the decision and order did not contain a fine against Chegg, it ordered the company to make several notifications to consumers and implement a number of cybersecurity improvements. 

Three of the breaches occurred when phishing attacks successfully targeted Chegg employees, the FTC said, while a fourth attack occurred when a former contractor was able to access Chegg’s third-party cloud databases using a login shared with Chegg employees and outside contractors.

Chegg, a publicly traded company based in Santa Clara, Calif., provides educational services to high school and college students, including online tutoring and a college scholarship search service.

The FTC complaint said the four data breaches exposed personal and financial data of 40 million customers, including “names, email addresses, passwords, and for certain users, sensitive scholarship data such as dates of birth, parents’ income range, sexual orientation, and disabilities.” Several attacks also exposed medical and financial information about Chegg employees, the FTC said.

The complaint alleges Chegg violated provisions of the FTC Act when it “failed to provide reasonable security to prevent unauthorized access to users’ personal information,” and when the company made statements on its website that it took “commercially reasonable security measures” to protect the data it collected. The FTC ruled the company did not take such measures and so those privacy statements were misleading.

According to the complaint, Chegg failed to implement basic security measures when it did not require multifactor authentication measures for employees and contractors to log into the company’s third-party databases; when it allowed employees and contractors to log into those databases with a single login; and when it failed to monitor its network and databases for threats. In addition, the company stored personal data in plain text, and until 2018, used outdated and weak encryption for user passwords. Even after several data breaches occurred, Chegg failed to develop adequate security policies and training until January 2021, the FTC said.

The company must notify all customers and employees whose personal data was compromised and offer a link on its website where customers can view and request to delete their personal data. Within six months of the order, Chegg must offer multifactor authentication for all of its customers.

In reports to the FTC, Chegg must explain what personal information it collects and why and when it will delete information. The company must implement a security program that encrypts all personal data and provide annual security training to employees.

Chegg must file a compliance report about the status of its cybersecurity program improvements to the FTC at least once a year for the next 12 years. The order itself will last for 20 years.

Chegg response: In an emailed statement, a Chegg spokesperson said the company “worked cooperatively with the Federal Trade Commission on these matters to find a mutually agreeable outcome and will comply fully with the mandates outlined in the commission’s administrative order.”

“Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts,” the spokesperson said.