Edtech company Chegg confirmed earlier today that it had suffered its third breach in as many years. The education tech giant, which last year acquired Thinkful for $80 million, said hackers stole 700 current and former employee records, including their names and Social Security numbers.
Information Security Buzz (aka ISBuzz News) is an independent resource that provides the experts comments, analysis and opinion on the latest Information Security news and topics
It is almost inconceivable that this is the third time Chegg has been hacked since 2018. The company has an obligation to protect the personal information in its possession but the volume of breaches demonstrates that security is not being prioritized. Understand that hackers won\’t stop attacking – once they smell blood, they won\’t stop!
Yes, it is true that the chances of being breached are higher than ever before but the most important thing for enterprises to do is to protect customers and employee personal data. With modern solutions such as tokenization, you can render PII (including names, addresses, and IDs) useless to hackers and prevent breaches like this from occurring in the first place.
An effective security posture is equally a cultural and procedural endeavor. In fact, adopting an organizational culture of security-mindedness and adapting internal procedures accordingly helps to reinforce the power of advanced methods such as tokenization that they might employ from a technical perspective. Ensuring that operational processes reflect proactive security measures, such as protecting sensitive data at first touch and only de-protecting that data when absolutely necessary, leads to much greater success against nefarious threat actors.
Having users reset passwords reactively is one thing—making sure that the corporate culture puts a premium on proactive efforts to identify and protect sensitive data everywhere in their workflows using data-centric techniques like tokenization is quite another.
Far too often the disclosure of a significant breach is in the news. Unfortunately, Chegg has made headlines again for a data breach. Organizations must take a proactive approach to protecting data. This should include mapping organizational capabilities and security controls to measure their preparedness to detect, prevent and respond to threats.
This incident is similar to Chegg’s previous incidents as an unauthorized party was able to gain access to sensitive information. This time around hackers stole employee records including Social Security numbers, which can be detrimental to the victims as it can never be changed and may lead to further fraud.
Companies must make cybersecurity a priority and have the proper policies in place to identify and fill security gaps. As witnessed last year, organizations are beginning to see massive GDPR non-compliance fines. As CCPA and other privacy mandates continue to go into effect, organizations must have full visibility of their IT assets and network so they can detect potential threats and monitor suspicious activity, protecting data from the next big breach.
The education sector is particularly vulnerable during social distancing since they need to adjust operations for over 25 million students across 4,235 higher education institutions in the United States that have been impacted by COVID-19. Security controls across the edtech supply chain need to adapt to an expanded attack surface as institutions will extend e-learning scope options and be targeted. This also applies to their edtech suppliers, like Chegg, that will face similar threats. As edtech companies expand their business through acquisition, like the consolidation occurring in the healthcare industry, they must be more vigilant on security posture assessment, on Zero Trust policies adherence and on data protection obligations.