The Chegg educational technology company has been ordered by the Federal Trade Commission to get its cybersecurity in order after four separate data breaches exposed the sensitive data of about 40 million customers and employees.
The FTC accuses the company of failing to adhere to basic security measures like two-factor authentication, while also insecurely storing personal data in the cloud, failing to implement a security policy, and skipping employee training altogether.
As a result of the FTC complaint, Chegg will now be required to limit data collection and delete old stored data, provide consumers with the option to delete data or opt out of collection, implement multifactor authentication, and develop a comprehensive information security program.
“Chegg took shortcuts with millions of students' sensitive information," Samuel Levine, director of the FTC's Bureau of Consumer Protection, said in a statement about the action. "Today's order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data."