The Federal Trade Commission has accused U.S. education technology giant Chegg of “careless” cybersecurity practices that led to the exposure of sensitive information about tens of millions of its customers and employees.

Officials also say Chegg didn’t have a written security policy until January 2021 and failed to provide sufficient security training despite three phishing attacks.

The FTC said Chegg had agreed to adopt a comprehensive data security program to settle the charges, which will involve providing security training to employees and encrypting user data. Chegg must also allow customers access to the personal information it has collected about them — including any precise location data or persistent identifiers like IP addresses — and allow users to delete their records.

“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”

Chegg did not respond to a request for comment.

The FTC’s action against Chegg amounts to a wider warning to the U.S. edtech industry. Back in May, the agency issued a policy statement saying that it planned to crack down on edtech companies that collected excessive personal details from schoolchildren or failed to secure students’ personal information.

“Going forward, the Commission will closely scrutinize the providers of these services and will not hesitate to act where providers fail to meet their legal obligations with respect to children’s privacy,” the FTC said.

FTC schools edtech giant Chegg over ‘careless’ cybersecurity practices by Carly Page originally published on TechCrunch