Chegg experienced at least 3 data breaches. In 2020 hackers stole 700 employee records due to Chegg security breach. In 2019 Thinkful experienced a security breach a few weeks after it had been acquired by Chegg. In 2018 Chegg security breach led to leak of 40 million customer records.
Chegg data breach of 2020
On April 29, 2020 Chegg data breach was confirmed. Hackers stole Chegg records of 700 current and former employee records. The data includes employees’ names and Social Security numbers. The security breach is related to 50% of employees, as Chegg had more than 1,400 full-time employees at the start of 2020.
On April 28, 2020 Chegg started sending notifications to its employees. Chegg notified law enforcement agencies of the employee records breach and engages a computer forensic company.
“On April 10, 2020, we learned that, on or about April 9, 2020, an outside hacker may have illegally obtained employee information for approximately 700 current and former U.S. Chegg employees.”Chegg’s Notice of Data Breach
The security breach took place on or about April 9, 2020, according to Chegg’s notice of data breach. Chegg offered its employees free credit monitoring and identity theft protection services provided by Experian.
Thinkful security breach of 2019
Thinkful confirmed data breach days a few weeks since acquisition by Chegg for $80 million. In his notification email to end users Erin Rosenblatt, Thinkful’s vice-president of operations, said that they “recently discovered that an unauthorized party may have gained access to certain Thinkful company credentials”. Thinkful changed the credentials after this security breach.
Chegg data breach of 2018 — 40 million customer records leaked
On April 29, 2018 hackers made off with 40 million customer records, forcing the company to reset user passwords. The data included user names, email addresses, shipping addresses, and hashed Chegg passwords.
Several US universities have reported malicious use of these leaked email addresses and passwords which were contained in the Chegg breach. For example, some Tulane students and alumni have reached out to the IT service desk affected by this Chegg security breach. The university recommended changing updating Tulane account passwords to a completely new password to avoid possible account compromise due to password reuse.
Following the 40 million users data leak, Chegg plunged more than 12 percent after disclosing a data breach that could affect customers’ user information. According to Reuters, it was the worst day of trading since February 2016 for Chegg’s stock. However, Chegg dit not expect the security incident to have a material impact on financial results going forward that year.
In its filing with the Securities and Exchange Commission as of September 25, 2018, Chegg confirmed resetting of user passwords. Chegg also claimed that no social security numbers or financial information such as users’ credit card numbers or bank account information were obtained by third parties following this security breach.
“We operate in a very competitive and rapidly changing environment. New risks emerge from time to time.”8K financial disclosure BY CHEGG, INC.
to the Securities and Exchange Commission, September 25, 2018
15,107 demand were filed on behalf of consumers who allege they were affected by 2018 Chegg data breach. This class action is led by a small Baltimore law firm Z Law. Chegg is represented by Orrick Herrington & Sutcliffe. According to Cory Zajdel, Z Law’s founder, Chegg’s consumer contract shifts the burden of filing fees onto the company if a customer demands less than $75,000 in damages.
“Chegg will pay all such fees unless the arbitrator finds that either the substance of your claim or the relief sought in your demand for arbitration was frivolous or was brought for an improper purpose.”
Chegg’s consumer contract
Zajdel’s firm hoped Chegg would decide to pay the requisite fees and begin arbitrating its clients’ cases. In Lyles V. Chegg, INC. the “Plaintiff claims that he has received spam calls mentioning his personally identifiable information since the breach”.
On April 27, 2020 a federal judge ruled that a lawsuit against education technology company Chegg must proceed to arbitration. U.S. District Judge Richard D. Bennett granted Chegg’s motion to compel arbitration and dismiss claims by plaintiff Jabari Lyles, finding there is no “triable issue of fact” regarding whether Lyles and Chegg formed an arbitration agreement.