American education technology company Chegg confirmed a data breach in which malicious actors stole some of its employee records.
As reported by TechCrunch, digital attackers succeeded in stealing 700 records associated with current and former Chegg employees. Those records contained individuals' personally identifiable information (PII) including their names and Social Security Numbers. The company said that it had begun working with law enforcement as well as an unnamed third-party digital forensics firm to investigate what had happened. Paul Norris, senior system engineer at Tripwire, agreed with the educational platform's decision to do so:
Chegg certainly took the right steps in terms of notifying authorities and initiating forensics. However, there is a trend across both the public and the private sector that might explain why the education tech company has been hit three times in three years. Typically, security spend has been associated with maintaining regulatory compliance. If that budget can be minimized and compliance can be achieved, the business can continue operating. As we have seen, there have been many high profile data breaches that have had serious financial implications to the affected organizations who met their regulatory compliance objectives.
Chegg suffered its first security incident back in September 2018 when it confirmed in a filing with the Securities and Exchange Commission that malicious attackers had accessed a database containing the information of 40 million customers. Per Infosecurity Magazine, news of the second incident came a year later when Thinkful, an online education platform acquired by Chegg, announced that malicious actors might have exposed users accounts. A day before news of this latest breach emerge, a federal judge ruled that a lawsuit pertaining to the 2018 security incident must proceed to arbitration, according to Reuters. Norris feels that the most recent security incident involving Chegg highlights the need for organizations to strengthen their efforts to protect their employees and customers against identity theft:
The exposure of such a large database of data is worrying, especially since it contains sensitive information such as Social Security numbers. Three incidents in the span of three years confirm that cybercriminals are becoming more and more motivated by the potential monetary gain of selling personal identifiable information - which has become a kind of currency on the dark market. But it also shows that organisations and governmental bodies need to consider going above and beyond the security measures recommended as standard practice, or they will find themselves unprepared.
