Data Security: It Pays to Ignore
With last week’s FTC order and yesterday’s earnings call, it is time to put the four-and-a-half-year description of Chegg’s data breaches to bed. When it comes to data security, it appears that it pays to ignore – from a financial perspective, it was the right decision to deny, delay, and (mostly) ignore the data breach issues.
The quick recap is that in September 2018, Chegg announced a data breach that occurred in April of that year, potentially exposing personal data for up to 40 million registered users. By late 2019 much of the data was showing up on the dark web. In 2019, the Federal Trade Commission jumped into the fray, noting that Chegg had had at least four separate data breaches, all due to lax data security processes, and last week the FTC issued an order based on its review. Below is a recap of the coverage at e-Literate and PhilOnEdTech.
Sep 2018: https://eliterate.us/chegg-data-breach-affecting-40-million-users/ – Description of the initial disclosure of a known data breach
Sep 2018: https://marketbrief.edweek.org/marketplace-k-12/tutoring-company-chegg-acknowledges-data-breach-puts-40-million-users-notice/ – Based on an interview with me about the initial report
Oct 2018: https://eliterate.us/ed-tech-cybersecurity-suppose-they-gave-a-data-breach-and-nobody-came/ – Me whinging about the lack of coverage in most of the education press on the data breach while also describing the poor security practices, including late notification to affected parties
Nov 2019: https://philonedtech.com/update-on-chegg-data-breach-decrypted-credentials-now-leading-to-multiple-campus-security-attacks/ – Description from several affected universities and their disclosure of student information showing up on the web
Nov 2022: https://philonedtech.com/now-chegg-might-have-to-reckon-for-data-breach/ – Description of the FTC getting involved
Last week the FTC issued a press release and order concerning Chegg.
Yesterday, Chegg held their earnings call releasing Q4 and full-year results for 2022, and there was nothing about the FTC order. Nothing in the prepared remarks for the call, and nothing in the Q&A session with financial analysts. The data breach and the FTC order represent an end to this lightly-covered story, unfortunately.
And yet I’m sure we’ll hear plenty of EdTech conference sessions on data privacy and data security this year, despite this lack of coverage of a real-world example. Hell, “privacy and cybersecurity awareness” was issue #2 for the Educause Top 10 IT issues for this year, but no acknowledgement of the Chegg case study. Thus end the complaints on this subject, if I can help myself.