Ed Tech Cybersecurity: Suppose they gave a data breach and nobody came

It has now been four weeks since Chegg announced a data breach compromising personal information of up to 40 million users. Cue the crickets because the only coverage in ed tech press thus far is from EdWeek, which focuses on the K-12 market. That’s a shame, because if ed tech companies want a case study to help understand the implications of FBI warnings or the European Union’s new Global Data Privacy Regulations (GDPR), this example from Chegg should be illustrative. The same goes for institutions.

As a recap, Chegg discovered on September 19th a data breach dating back to April that “an unauthorized party” accessed a data base with access to “a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password” but no financial information or social security numbers. The company has not disclosed, or is unsure of, how many of the 40 million users had their personal information stolen. On September 25th Chegg notified the SEC about the breach, focusing on guidance for company financials. The company then started notifying users and “certain regulatory authorities” on September 26th.