Connected learning platform Chegg, which is valued at over $1.1 billion, recently announced that the personal information of 700 current and former employees was compromised after hackers gained access to its IT systems.
The learning platform, which provides online classes, assignments and textbook rental and tutoring services to millions of students, is no stranger to data security incidents. In April 2018, the company suffered a major data breach that resulted in the loss of 40 million customer records that included names, email addresses, shipping addresses, usernames and passwords.
In response to the breach, Chegg initiated a password reset of millions of user accounts, assuring customers that the fallout of the breach had been contained. However, the company suffered another data security incident in September last year when Thinkful, a company it acquired, said that hackers could have gained access to company credentials, forcing it to change all credentials.
The latest security incident was recently reported by TechCrunch, which stated that hackers stole names, social security numbers, and other personal records belonging to 700 current and former employees at Chegg. No further information about the breach is available at present, and Chegg has yet to announce the incident on its website.
Organisations must increase cyber security spending to prevent frequent breaches
Paul Norris, a senior system engineer at Tripwire, told Teiss that Chegg certainly took the right steps in terms of notifying authorities and initiating forensics but there is a trend across both the public and the private sector that might explain why the education tech company has been hit three times in three years.
"The exposure of such a large database of data is worrying, especially since it contains sensitive information such as Social Security numbers. Three incidents in the span of three years confirm that cybercriminals are becoming more and more motivated by the potential monetary gain of selling personally identifiable information - which has become a kind of currency on the dark market.
"Typically, security spending has been associated with maintaining regulatory compliance. If that budget can be minimised and compliance can be achieved, the business can continue operating. Organisations and governmental bodies need to consider going above and beyond the security measures recommended as standard practice, or they will find themselves unprepared," he added.
Niamh Muldoon, Senior Director of Trust and Security at OneLogin, said that hackers know that many organisations are not taking a strong enough stance when it comes to access security. Once they have a set of valid credentials, it is easy to compromise corporate applications, particularly SaaS Apps including HR Systems, File Storage Services and CRMs.
"Multi-factor authentication (MFA) is currently the best method by which organisations can protect themselves from such attacks, proven to prevent 99.9% of account takeovers. Whether it be a soft token, hard token, certificate or SMS, companies should look at implementing MFA across the board," Muldoon added.