Categories & Search

Another Hack in the Education Sector: 40 Million Records Exposed

A recent data breach at Chegg Inc., the online educational technology company, serves as the most recent reminder that the education sector remains a target for hackers.

Last month, Chegg reported, on a Form 8-K disclosure filed with the Securities Exchange Commission, that it had experienced a security breach in which an “unauthorized party gained access to a Company database that hosts user data for”

According to the filing, Chegg believed that the information compromised included a “Chegg user’s name, email address, shipping address … and hashed Chegg password,” but not Social Security Numbers or other financial information, such as user credit card numbers or account information.

Chegg also disclosed that it expected to notify “approximately 40 million active and inactive registered users and certain regulatory authorities.”

On the news, shares in Chegg plunged more than 12 percent.  It was the worst decline in Chegg shares in recent years.  Since then, the company’s stock has continued to head lower.  Before the breach announcement, shares of Chegg traded at $31.59.  Yesterday’s closing price was $25.85 per share.

The company said it did not expect the incident to have a material impact on its financial results going forward this year.

As we have previously reported, the education sector is no stranger to data security incidents. Earlier this year, one of the New York State Education Department’s vendors, Questar Assessment, suffered a data breach resulting in the unauthorized disclosure of personal student information from five different New York schools.

In March, Florida Virtual Schools, the largest state-run virtual public school in the country, published a notice to students and parents regarding a breach that affected more than 300,000 current and former students, as well as parents and teachers, resulting in the disclosure of teachers’ Social Security Numbers, dates of birth, and addresses, among other personal information. And more recently, in April, the Irvington, New Jersey School District experienced a data breach resulting in the exposure of names and partial Social Security Numbers for more than 1,000 employees.

A 2018 data breach survey by Verizon reports that, in the education sector, 81 percent of the data security incidents were perpetrated by external actors, while 19 percent were insiders.

We will continue to follow this sector.