Data breach at ed tech

Data breach at Chegg Inc. is a publicly traded company, which went public in 2013. The company, based in the US, rents online textbooks, and offers tutorials. Thus, the company does hold and manage sensitive and confidential client information. As this is the case, and the data is very marketable, the company would naturally be a target.

Issue!

The company was targeted and experienced a data breach. Chegg learned of the breach on September 19, 2018. This is the good news. The company could not have known about this breach at all, and the clients could have been none the wiser. The company detecting this was good for the parties involved. The bad news is the breach occurred on or about April 9, 2018. The attackers could have been in the company's systems for months, unfettered and acquiring the information they wanted. The attackers had the potential to harvest all the data they wanted. Chegg began to notify the affected clients on September 26, 2018. The notice stated the clients' data and other information had been accessed.

This compromise, beginning in late April 2018 by an unauthorized party or group accessed a company database with their user's data, including the names, emails, shipping addresses, and hashed passwords. Granted the passwords being hashed is a good thing. The curiosity and potential issue is the hashing algorithm was not disclosed. This could have been very weak, and subsequently vulnerable. This also affected the data of its subsidiary Easybib.

Remediation

This was a rather serious breach. Due to the client's information being accessed by the unauthorized party, Chegg needed to reset the passwords. This was a rather substantial project, as there were 40M users overall who needed to do this.

Resources

Cimpanu, c. (2018, September 26). Chegg to reset passwords for 40 million users after April 2018 hack. Retrieved from https://www.zdnet.com/article/chegg-to-reset-passwords-for-40-users-after-april-2018-hack/

Pymnts. (2018, September 27). Chegg hack hits 40M customers. Retrieved from https://www.pymnts.com/news/securityandrisk/2018/chegg-data-breach/

Reed, J.R. (2018, September 26). Ed tech company chegg plunges after disclosing data breach. Retrieved from https://www.cnbc.com/2018/09/26/ed-tech-company-chegg-plunges-after-disclosing-data-breach.html

Reed, J.R. (2018, September 26). Online textbook rental and tutorial company chegg plunges after disclosing data breach. Retrieved from https://sg.finance.yahoo.com/news/online-textbook-rental-tutorial-company-191100361.html

Securities and Exchange Commissioner (SEC). (2018, September 25). Form 8-K. Retrieved from https://www.sec.gov/Archives/edgar/data/1364954/000136495418000187/cyrus.htm

Surran, C. (2018, September 26). Chegg -12% after disclosing data breach; reaffirms Q3 guidance. Retrieved from https://seekingalpha.com/news/3393207-chegg-minus-12-percent-disclosing-data-breach-reaffirms-q3-guidance

Whittaker, Z. (2018, September 26). Chegg resets 40 million user passwords after data breach. Retrieved from https://techcrunch.com/2018/09/26/chegg-resets-40-million-user-passwords-after-data-breach/  

About the Author - Charles Parker, II has been working in the info sec field for over a decade, performing pen tests, vulnerability assessments, consulting with small- to medium-sized businesses to mitigate and remediate their issues, and preparing IT and info sec policies and procedures. Mr. Parker’s background includes work in the banking, medical, automotive, and staffing industries.