Chegg Disappoints Again: A Third Data Breach in Three Years
On April 28, US education technology company Chegg admitted that it had suffered a data breach. In a letter sent to affected individuals, Dana Jewell, Chegg's Vice President, announced that on April 9, a hacker compromised the company's systems and made off with the records of around 700 current and former employees.
Chegg learned about the breach a day later, and it immediately informed law enforcement. Dana Jewell urged potential victims to be more vigilant, told them that they can take advantage of credit monitoring services at the company's expense, and promised that Chegg will try to improve its safeguards and avoid similar incidents in the future. It's far from the biggest or most impactful breach you'll ever see, but when you examine it in more detail, you'll notice that the problem is more significant than it appears at first.
Chegg is unwilling to openly talk about the breach
Every day, the data of millions of people gets leaked on the internet, and in light of this, just 700 employees seem like a flash in the pan. Put the number into context, however, and you'll see that the breach is fairly significant. According to Chegg's latest annual report, at the end of 2019, the company had just over 1,400 employees, which suddenly makes the leak rather more serious. As mentioned already, some of the people affected by last month's attack don't work for Chegg any more, but the fact remains that the company has failed to protect their data from unauthorized access.
The question of how this happened and why remains unanswered. Chegg hasn't disclosed the breach in a regulatory filing, and there is no press release. TechCrunch's requests for further comments were also declined.
The wide public wouldn't be aware of the attack if it wasn't for regulations, which dictate that companies who have been hit by hackers must share their data breach notifications with the Attorneys General in some states. Indeed, the number of affected individuals is relatively small, but, being a public company, Chegg has shareholders who would like to know exactly what's going on at any given time. They might not be very happy with the details around this particular breach.
The hackers stole Social Security Numbers
You may have noticed that Chegg is offering free credit monitoring services to potential victims, and those of you who have read enough data breach notifications know that this is a bad sign. It usually means that the data is sensitive enough to facilitate identity theft, and sure enough, according to the notice, the cybercriminals made off with the affected employees' names and Social Security Numbers.
Chegg is no stranger to data breaches
In this particular attack, Chegg's users weren't affected, but this wasn't the case during previous breaches. The plural form of "breach" isn't a typo. Chegg suffered its first attack in April 2018 but only learned about it five months later in September. The number of affected users stood at 40 million, and the leaked data included emails, physical addresses, and hashed passwords.
In 2019, Thinkful, Chegg's newest subsidiary at the time, also announced a data breach. The number of affected people remained unknown, and the developer education platform didn't say what sort of data ended up in the wrong hands. What we do know is that password resets were enforced after both attacks.
We've often said on these pages that no one is immune to cyberattacks, but the fact that Chegg has suffered three data breaches in as many years clearly shows that the company has serious cybersecurity issues. Let's hope someone addresses them before the next successful attack.