Homework help shouldn’t come at a cost – especially the cost of a student’s security. The Federal Trade Commission (FTC) agrees with that. After discovering that Chegg, an educational tech provider, risked the security of its employees and users, the FTC ordered the company to “shore up its security against data breaches and delete unnecessary data.”
Read on to learn about the changes Google Play Store made that to its data privacy policy that make apps less safe.
FTC Action Against Chegg
Chegg has offered various educational tools for high school and college students over the years. This includes a homework help app and a scholarship search service. While this sounds great initially, if it’s not protecting students’ personal information, then the help really isn’t … helpful.
There is much personal information collected by Chegg other than the normal name, screen name, address, and phone number. It also collects religious denomination, heritage, birthdate, sexual orientation, and disability information. Employee data that is collected includes birthdate, Social Security number, and financial and medical information.
Despite the amount of personal information collected, the FTC is taking action against Chegg “for its lax data security practices that exposed sensitive information about millions of its customers and employees.”
The FTC would like Chegg to improve its data security and put a limit on the data that is requested and stored. It is also suggesting that two-factor authentication be offered to users and an option to access and delete the data that is stored.
“Chegg took shortcuts with millions of students’ sensitive information,” said the Director of the FTC’s Bureau of Consumer Protection, Samuel Levine. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”
Chegg Data Breaches
The FTC alleged in its official complaint that four data breaches exposed all of that personal information of its employees and users. The first was in 2017 when a hacker gained access to employees’ direct deposit information after a phishing attack.
The next year, a former Chegg contractor used login information to access a third-party cloud database that held the personal information of about 40 million users. Some of that data was later found for sale online. Two more data breaches followed that involved phishing attacks aimed at Chegg employees.
The FTC believes these data breaches happened because Chegg:
- Failed to implement basic security measures
- Has insecure storage information practices
- Failed to develop adequate security policies and training
Steps Chegg Will Be Required to Take
The FTC outlined a series of steps that Chegg must take:
- Detail and limit data collection.
- Provide data access to users.
- Implement multifactor authentication or another similar method.
- Implement a security program.
All of this falls under the FTC’s efforts to protect personal data accrued from education technology. In May, the Commission warned education technology companies against collecting personal information from children under 13 years old, as it violates the Children’s Online Privacy Protection Act.
The FTC will soon publish information about the consent agreement package in the Federal Register. The public will have 30 days to comment, then the Commission will decide whether to make it final.
Want to learn more about how the FTC protects you? Read up on its investigation of Amazon regarding deception with its Prime accounts.
Image credit: Unsplash. All screenshots by Laura Tucker.
