At a glance.
- FTC takes action against education tech firm Chegg.
- Arrest warrant issued for Vastaamo extortionist.
The US Federal Trade Commission (FTC) has announced it’s taking action against California education technology provider Chegg Inc., which in the past five years has experienced four security breaches exposing sensitive customer and employee data. The FTC says the breaches were the result of Chegg’s poor data security practices and the company’s failure to remediate these issues. In one attack, an employee was tricked into giving a hacker access to employees’ direct deposit information, and in another, a former Chegg contractor accessed one of Chegg’s third-party cloud databases containing the personal data of approximately 40 million customers. The compromised data included student email addresses, passwords, and for certain users, sensitive scholarship data like parents’ income range, sexual orientation, and health conditions, as well as employee medical and financial data.
Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, stated, “Chegg took shortcuts with millions of students’ sensitive information. Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end.” In addition, Chegg, which sells educational products and services like online tutoring and scholarship programs to high school and college students, will be required to offer users multifactor authentication to better secure their accounts. In May the FTC issued a policy statement warning education tech companies that collecting personal information from children under 13, as well as improperly protecting that data, was in violation of the Children’s Online Privacy Protection Act, and the action against Chegg underlines the Commission's commitment to enforcing this legislation. “The action against Chegg is part of the FTC’s aggressive efforts to ensure education technology companies protect and secure personal data they collect and do not collect more information than is necessary,” the announcement reads.
Joe Garber, CMO at Axiad, sees this as an instance of an identity-based attack, a style of cyberattack many organizations are unprepared to handle:
“This news is yet another example of an organization not being as prepared as necessary for an identity-based cyberattack, and then paying the price. In this case, the warning signs were certainly visible, as they had four breaches in the last three years, which means the latest was preventable. The U.S. Federal Trade Commission (FTC) requiring specific changes to the organization’s cybersecurity posture makes logical sense in this context – particularly the actions required to better secure user accounts. However, the mandate to simply implement MFA probably doesn’t go far enough given the organization’s history of being targeted with phishing attacks. It is important to know that not all MFA is the same, and bad actors often can subvert the authentication process – often by stealing users’ credentials via fake login pages – with lesser capabilities in place. MFA fortified with phishing-resistant methods such as FIDO2 and Certificate-Based Authentication (CBA), as well as leveraging strong hardware tokens and conforming to standards like user behavior validation, provides the most robust level of security against phishing attacks. Such an approach would seemingly be appropriate in this situation.”
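Garber's distinction between "lesser" MFA and phishing-resistant MFA comes down to what the server can actually verify. The following added example (not from the article, Axiad, or Chegg) illustrates it in Python: a one-time code (RFC 6238 TOTP) is just digits, so the server cannot tell whether the user typed them into the real site or into a fake login page that relays them; a FIDO2/WebAuthn assertion carries the origin the browser was on and a hash of the relying-party ID, both written by the browser rather than by page script, so an assertion produced on a look-alike origin fails verification. The origins, user names, and the `browser_builds_assertion` simulation are constructed for the example; signature verification over the assertion, which a real relying party must also perform, is omitted.

```python
"""Why phishing-resistant MFA differs from one-time codes (added illustration).

Constructed example: the relying-party checks mirror the clientDataJSON and
rpIdHash verification steps of the WebAuthn specification, simplified. No
signature check is performed here; a real relying party must do that too.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct
from dataclasses import dataclass, field


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


# --- One-time codes: the server only ever sees the digits -------------------

def totp(secret: bytes, unix_time: int, step: int = 30, digits: int = 6) -> str:
    """RFC 6238 TOTP over HMAC-SHA1. The code is identical wherever it is typed."""
    counter = struct.pack(">Q", unix_time // step)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)


def totp_server_accepts(secret: bytes, submitted_code: str, unix_time: int) -> bool:
    """A TOTP server has no way to learn which web page collected the digits."""
    return hmac.compare_digest(submitted_code, totp(secret, unix_time))


# --- WebAuthn: the assertion is bound to the origin and RP ID ---------------

@dataclass
class WebAuthnRelyingParty:
    rp_id: str      # constructed value, e.g. "example.com"
    origin: str     # constructed value, e.g. "https://example.com"
    pending: dict = field(default_factory=dict)

    def issue_challenge(self, user: str) -> str:
        challenge = b64url_encode(secrets.token_bytes(32))
        self.pending[user] = challenge
        return challenge

    def verify_assertion(self, user: str, client_data_json: bytes,
                         authenticator_data: bytes) -> tuple[bool, str]:
        expected = self.pending.pop(user, None)
        if expected is None:
            return False, "no pending challenge"
        client_data = json.loads(client_data_json)
        if client_data.get("type") != "webauthn.get":
            return False, "wrong ceremony type"
        if client_data.get("challenge") != expected:
            return False, "challenge mismatch"
        if client_data.get("origin") != self.origin:
            return False, "origin mismatch: " + str(client_data.get("origin"))
        if authenticator_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False, "rpIdHash mismatch"
        if not authenticator_data[32] & 0x01:
            return False, "user presence flag not set"
        return True, "ok"


def browser_builds_assertion(page_origin: str, challenge: str) -> tuple[bytes, bytes]:
    """Simplified stand-in for browser + authenticator (constructed, not a real client).

    The browser records the origin it is actually on in clientDataJSON and the
    authenticator hashes that page's effective domain into authenticatorData.
    Page script cannot override either value, so a look-alike site inherits its
    own origin and domain, not the genuine relying party's.
    """
    client_data = {"type": "webauthn.get", "challenge": challenge,
                   "origin": page_origin, "crossOrigin": False}
    effective_domain = page_origin.split("://", 1)[1].split("/", 1)[0].split(":")[0]
    flags = bytes([0x01])                      # UP (user present) bit set
    sign_count = (0).to_bytes(4, "big")
    auth_data = hashlib.sha256(effective_domain.encode()).digest() + flags + sign_count
    return json.dumps(client_data).encode(), auth_data


def legitimate_login(rp: WebAuthnRelyingParty, user: str = "alice") -> tuple[bool, str]:
    """User signs in on the genuine origin: verification succeeds."""
    challenge = rp.issue_challenge(user)
    cdj, auth_data = browser_builds_assertion(rp.origin, challenge)
    return rp.verify_assertion(user, cdj, auth_data)


def relayed_login(rp: WebAuthnRelyingParty, fake_origin: str,
                  user: str = "alice") -> tuple[bool, str]:
    """The genuine challenge is relayed to a browser sitting on a look-alike
    origin: the browser-supplied origin no longer matches and the RP rejects it."""
    challenge = rp.issue_challenge(user)
    cdj, auth_data = browser_builds_assertion(fake_origin, challenge)
    return rp.verify_assertion(user, cdj, auth_data)


if __name__ == "__main__":
    rp = WebAuthnRelyingParty(rp_id="example.com", origin="https://example.com")
    print("WebAuthn, genuine origin :", legitimate_login(rp))
    print("WebAuthn, relayed        :", relayed_login(rp, "https://examp1e.com"))
    secret, now = b"constructed-shared-secret", 1_700_000_000
    print("TOTP, relayed code       :", totp_server_accepts(secret, totp(secret, now), now))
```

The contrast is the point of the quote: the TOTP check passes for a relayed code because the server is only shown six digits, while the WebAuthn check fails on the first origin comparison before any signature is even considered. That origin binding, enforced by the browser rather than by the user's vigilance, is what "phishing-resistant" means in practice.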
Arrest warrant issued for Vastaamo extortionist.
Finnish psychotherapy center Vastaamo suffered a series of data breaches starting as early as 2018 that resulted in the exposure of sensitive patient data, which then ended up in the hands of an extortionist who attempted to blackmail not just the Centre, but Vastaamo’s individual clients with the threat of exposing their most intimate secrets. The breaches were the result of Vastaamo’s improper handling of patient data and therapy session notes, which were stored in an inadequately protected online database, and Naked Security offers details on the ramifications of the incident. Last month, the Helsinki Times reported that the former Vastaamo CEO Ville Tapio will face charges not just for mishandling the data, but also for neglecting to report the leak in an attempt to hide the incident from the authorities. As well, the Finnish National Bureau of Investigation on Friday announced that an arrest warrant had been issued for the alleged extortionist. Though the name of the suspect has not been released, authorities say that he is a Finnish citizen who lives abroad and has therefore been remanded in absentia. If arrested, he will be surrendered to Finnish officials.