Education technology provider Chegg, a company that’s built its fame and fortune on high school and college student services like textbook rentals and online tutoring, got a Halloween surprise it probably wasn’t expecting.
The Federal Trade Commission (FTC) has taken action against the company for its “lax data security practices.” Not guarding its customers' and employees’ sensitive information like email addresses, passwords, and Social Security numbers as best as it could, led to four security breaches amounting to 40 million user files stolen since 2017.
Basic information like email addresses and Social Security numbers is rather pedestrian in today’s world of data collection, but Chegg apparently went way beyond that. For example, as part of its scholarship search service, the agency claims Chegg collected information about users’ religious preferences.
“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”
The trickle-down effect
More than 90% of the reviews Chegg has received from ConsumerAffairs customers in the last 12 months have been 1-star reviews. In reviewing those, Chegg’s guardianship of data came into question again.
“I used this service once and then could not cancel it. I'm charged $19.95 a month and will have to cancel my credit card to stop the charges,” wrote Rene of Pilot Point Texas. “I have spent at least four hours on text and phone with them and they say they can't cancel because they can't find my account. They cannot put me in contact with their billing department."
Sean of Fort Washington Md. had mixed feelings about Chegg. He gave a thumbs-up to his perception that the company’s services gave good answer support at times, but he railed against them for what he called an “incompetent safeguard system."
“[That system] will almost 100% guarantee suspend your account under false allegations of being a 'shared account.' Complaints are disregarded and while you wait days for your account to be re-enabled, you won't get credited back for the days stolen. Final verdict: Terrible company. Avoid at all costs,” he said.
What the FTC says Chegg must do to correct the situation
To get itself back into good graces with the FTC, Chegg is going to have to walk the straight and narrow for a while. The FTC’s proposed order requires the company to bolster its data security, limit the amount and type of data the company can collect and hold onto, offer users multifactor authentication to secure their accounts, and allow its users to access and delete their personal data.
Chegg is going to have to walk the straight and narrow, not just for a while, but for 20 years if it doesn’t want the FTC to show up on its doorstep again. The order will terminate then, and only then if Chegg doesn’t violate any provisions of the order.