The U.S. Federal Trade Commission (FTC) has sued education technology company Chegg after the company exposed the sensitive information of tens of millions of customers and employees in four data breaches suffered since 2017. The agency's proposed order would require Chegg to shore up data security, implement multifactor authentication (MFA) to help users secure their accounts, limit the customer data it collects and stores, and allow customers to access and delete their data. "Chegg took shortcuts with millions of students' sensitive information," said Samuel Levine, Director of the FTC's Bureau of Consumer Protection, on Monday.
One of the notable actions the FTC is requiring of Chegg is the implementation of multifactor authentication: Chegg must provide MFA or another authentication method to its customers and employees to help protect their accounts.
Joe Garber, Axiad, weighed in on the news:
“This news is yet another example of an organization not being as prepared as necessary for an identity-based cyberattack, and then paying the price. In this case, the warning signs were certainly visible, as they had four breaches in the last three years, which means the latest was preventable. The U.S. Federal Trade Commission (FTC) requiring specific changes to the organization’s cybersecurity posture makes logical sense in this context – particularly the actions required to better secure user accounts. However, the mandate to simply implement MFA probably doesn’t go far enough given the organization’s history of being targeted with phishing attacks. It is important to know that not all MFA is the same, and bad actors often can subvert the authentication process – often by stealing users’ credentials via fake login pages – with lesser capabilities in place. MFA fortified with phishing-resistant methods such as FIDO2 and Certificate-Based Authentication (CBA), as well as leveraging strong hardware tokens and conforming to standards like user behavior validation, provide the most robust level of security against phishing attacks. Such an approach would seemingly be appropriate in this situation.”
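An added example, not from the article or from Axiad, showing why the phishing-resistant methods Garber names behave differently from a one-time code on a fake login page: a FIDO2/WebAuthn relying party checks the origin the browser recorded in the signed client data, while an OTP carries no such binding. RP_ID, RP_ORIGIN, PHISH_ORIGIN and the HMAC stand-in for the authenticator's per-credential signature key are assumptions made for this sketch.

```python
import hashlib, hmac, json, secrets

# Constructed values; not Chegg's real service. The credential was registered
# for RP_ORIGIN only, and the RP accepts assertions for that origin only.
RP_ID = "example.com"
RP_ORIGIN = "https://example.com"
PHISH_ORIGIN = "https://example-com-login.net"  # look-alike fake login page

def authenticator_assert(cred_key, origin, challenge):
    """Stand-in for a FIDO2/WebAuthn authenticator. The browser, not the user,
    writes the origin it is connected to into clientDataJSON, and the signature
    covers it (HMAC stands in for the per-credential ECDSA key)."""
    client_data = json.dumps({"type": "webauthn.get", "challenge": challenge,
                              "origin": origin}, sort_keys=True).encode()
    auth_data = hashlib.sha256(RP_ID.encode()).digest()  # rpIdHash field
    signed = auth_data + hashlib.sha256(client_data).digest()
    sig = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return {"client_data": client_data, "auth_data": auth_data, "sig": sig}

def rp_verify(cred_key, expected_challenge, assertion):
    """RP-side checks: type, challenge, origin, rpIdHash, then the signature
    over authenticatorData || SHA-256(clientDataJSON)."""
    cd = json.loads(assertion["client_data"])
    if cd.get("type") != "webauthn.get" or cd.get("challenge") != expected_challenge:
        return False
    if cd.get("origin") != RP_ORIGIN:  # origin binding: the phishing-resistant step
        return False
    if assertion["auth_data"][:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False
    signed = assertion["auth_data"] + hashlib.sha256(assertion["client_data"]).digest()
    expected = hmac.new(cred_key, signed, hashlib.sha256).digest()
    return hmac.compare_digest(expected, assertion["sig"])

def hotp(secret, counter):
    """RFC 4226 HOTP; the code says nothing about where the user typed it."""
    mac = hmac.new(secret, counter.to_bytes(8, "big"), hashlib.sha1).digest()
    off = mac[-1] & 0x0F
    return f"{(int.from_bytes(mac[off:off + 4], 'big') & 0x7FFFFFFF) % 1_000_000:06d}"

def login_outcomes(cred_key, otp_secret):
    """Genuine login vs. a fake-login-page relay, for each kind of second factor."""
    challenge = secrets.token_urlsafe(32)  # fresh per login, issued by the RP
    genuine = rp_verify(cred_key, challenge, authenticator_assert(cred_key, RP_ORIGIN, challenge))
    # The fake page forwards the RP's challenge, but the browser signs it with the
    # fake page's origin, so the RP rejects the relayed assertion.
    relayed = rp_verify(cred_key, challenge, authenticator_assert(cred_key, PHISH_ORIGIN, challenge))
    # An OTP typed into the fake page is exactly the string the RP expects.
    otp_relayed = hmac.compare_digest(hotp(otp_secret, 7), hotp(otp_secret, 7))
    return {"fido2_genuine": genuine, "fido2_relayed": relayed, "otp_relayed": otp_relayed}
```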