Chegg Hit with Class Action Over ‘At Least’ Four Undisclosed Data Breaches from 2017-2020
Keller v. Chegg, Inc.
Filed: November 8, 2022 ◆ § 3:22-cv-06986
Chegg faces a class action roughly a month after the FTC accused the company of “numerous cybersecurity lapses” that allegedly caused four data breaches between 2017 and 2020.
Chegg faces a proposed class action roughly a month after the Federal Trade Commission (FTC) accused the educational products seller of “numerous cybersecurity lapses” that allegedly caused four data breaches between 2017 and 2020.
According to the 22-page suit, the FTC’s October 31 complaint was apparently the first public notice of the data breaches. The agency alleged the breaches stemmed from “poor data security,” including a lack of multi-factor authentication and encryption of users’ and employees’ data, on the part of Chegg, which rents textbooks, guides high school and college students in search of scholarships and offers online tutoring.
“Indeed, Chegg did not have a written security policy until January 2021,” the lawsuit says. “Failure to implement these basic data security practices violates standard practice and is wholly unreasonable.”
The first Chegg data breach occurred in September 2017, when “multiple” employees fell for a phishing attack that allowed a hacker to access employees’ direct deposit information, the lawsuit begins.
Roughly seven months later, in April 2018, a former Chegg contractor used login details shared with employees and contractors to access one of the defendant’s third-party cloud databases, causing the exposure of “millions of customers’ personal information,” the filing continues. Per the FTC, Chegg allowed employees and contractors to access Amazon-hosted storage with a “single access key” that granted administrative privileges over “all information.”
The April 2018 Chegg data breach exposed the personal information of approximately 40 million people, the lawsuit claims.
“The exposed personal information included names, email addresses, passwords, and for certain users, sensitive scholarship information such as dates of birth, parents’ income range, sexual orientation, and disabilities. Upon information and belief, this breach exposed both consumer and employee data.”
Later that year, in September, a “threat intelligence vendor” told Chegg that a file containing some of the exfiltrated information was made available in an online forum, the case relays. As part of its own investigation, Chegg reviewed the file and found that it held, among other details, roughly 25 million customers’ passwords from the April 2018 breach, the suit states. Notably, the passwords were found in plain text, meaning that the hackers had “cracked the hash for those passwords,” the filing says. Even after requiring around 40 million platform users to change their passwords, Chegg continued to store consumer information in plain text, the lawsuit alleges.
The third breach, in April 2019, also stemmed from a phishing attack, whereby hackers gained access to a Chegg executive’s inbox containing the personal information of users and employees, the complaint goes on.
Most recently, a fourth incident in April 2020 exposed roughly 700 current and former employees’ W-2 information, including birth dates and Social Security numbers, the filing shares.
“From September 2017 through April 2020, Chegg did not make reasonable modifications to its data security, including an egregious failure to implement any phishing attack training for its employees,” the suit says.
The FTC alleged Chegg’s “failure to provide reasonable security” for users’ and employees’ personal information has caused or is likely to cause substantial injury in the form of identity theft, fraud, monetary loss, stigma, embarrassment, emotional distress and time lost remedying or attempting to prevent damage from the data breaches.
According to the proposed class action, the information Chegg collects from customers includes names, email and mailing addresses, passwords, demographic details, schools, genders, zip codes, photographs, work and academic histories, and more. In offering scholarship services, Chegg also collects information on customers’ religious denomination, heritage, sexual orientation, military affiliation, disabilities and citizenship, the filing says.
The lawsuit looks to cover all individuals whose data was impacted or otherwise compromised by one of, or any combination of, the four Chegg data breaches.