California-based educational services provider Chegg has agreed to take steps to improve security against data breaches following a Federal Trade Commission (FTC) administrative complaint against the company alleging that Chegg’s “lax data security practices” were responsible for exposing sensitive information on millions of the company’s customers and employees.

According to an FTC complaint against the company made public on Oct. 31, Chegg “allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017.”

The company’s failure to improve its data security practices exposed “sensitive information about millions of its customers and employees, including Social Security numbers, email addresses and passwords,” the FTC said.

Following its investigation, the Federal agency proposed an order that will require Chegg to improve data security, limit the data that the company can collect and retain, offer customers multifactor authentication to secure accounts, and allow users to access and delete their data held by the company.

Chegg said in a Nov. 1 filing with the Securities and Exchange Commission that it has agreed to enter into a consent order with the FTC to resolve the complaint. The order has not yet been released publicly by the FTC, but is expected to be published soon. After a 30-day public comment period, the FTC will decide whether to finalize the proposed consent order.

The company markets a variety of educational products and services to high school and college students, including textbooks and online learning aids such as tutoring, writing assistance, and math help.

The FTC said the action against Chegg is part of its “aggressive efforts to ensure education technology companies protect and secure personal data they collect and do not collect more information than is necessary.”

“Chegg took shortcuts with millions of students’ sensitive information,” commented Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, when the agency announced the action.

“Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end,” he said. “The Commission will continue to act aggressively to protect personal data.”

According to the FTC, Chegg has undergone four data breaches since 2017.

In one instance, multiple Chegg employees were targeted by phishing attacks that allowed an attacker to gain access to employees’ direct deposit information. In another, a former Chegg contractor used its log-in information to access one of the company’s third-party cloud databases which held information on 40 million of Chegg’s customers. Two other data breaches driven by phishing attacks exposed sensitive information about employees’ medical and financial information.

The FTC alleges that Chegg:

  • Failed to use “commercially reasonable security measures to protect data, and at times “did not require employees to use multifactor authentication measures to log into its third-party databases, allowed employees and contractors to use a single login to access those databases, and failed to monitor its network and databases for threats”;
  • Stored information insecurely and on cloud storage databases in plain text, while using weak encryption to protect user passwords; and
  • Failed to develop in a timely way adequate security policies and training.