The Federal Trade Commission (FTC) finalized a 2022 order with Chegg. Chegg, an education technology provider, has been cited for careless data security practices. The sensitive information exposed included Social Security numbers, email addresses and passwords. 

In a complaint, the FTC said that Chegg failed to protect the personal information it collected from users and employees. For example, the company stored users’ personal data on its cloud storage databases in plain text and, until at least 2018, employed outdated and weak encryption to protect user passwords, per the FTC.

According to the Commission, as a result of its poor data security Chegg experienced four data breaches that exposed the personal information of about 40 million users and employees. This information include users’ email addresses and sensitive scholarship data such as their dates of birth, sexual orientation and disabilities, as well as financial and medical information about Chegg employees.

The FTC’s order requires Chegg to implement a comprehensive information security program, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts and allow users to request access to and deletion of their data.

After receiving only one substantive comment, the Commission voted 4-0 to finalize the order with Chegg and send a letter to the commenter.