Chegg, a publicly traded provider of digital textbooks, tutoring and study guides, notified the SEC yesterday that it learned a week ago about a security breach dating back to April 2018. From its 8-K filing:
On September 19, 2018, Chegg learned that on or around April 29, 2018, an unauthorized party gained access to a Company database that hosts user data for chegg.com and certain of the Company’s family of brands such as EasyBib. The Company understands that the information that may have been obtained could include a Chegg user’s name, email address, shipping address, Chegg username, and hashed Chegg password. The investigation into the incident, which is supported by third-party forensics, is ongoing. To date, the Company understands that no social security numbers or financial information such as users’ credit card numbers or bank account information were obtained. The Company expects to start notifying approximately 40 million active and inactive registered users and certain regulatory authorities on September 26, 2018.
Chegg takes the security of its users’ information seriously and will be initiating a password reset process for all user accounts.
Note that the company learned of the data breach a week ago, and the notifications appear to be centered on calming investors (its stock price dropped 12% on the news). The only way I discovered this news was through financial market notifications and the 8-K filing itself:
In connection with the disclosure of the security incident discussed in Item 8.01 below, on September 25, 2018, Chegg, Inc. (the “Company” or “Chegg”) reaffirmed its previous guidance for the third quarter of 2018 as most recently stated in the press release issued on July 30, 2018 and furnished as an exhibit to a Current Report on Form 8-K filed that day with the Securities and Exchange Commission (the “SEC”) (the “July Guidance”). Chegg also announced that it currently believes that the security incident discussed in Item 8.01 below will not have a material impact on its financial results for the full year ending December 31, 2018.
According to their filing, Chegg is notifying current and former users starting today, but as yet there has been no public notification. I do not know why it took the company a full week for notifications to begin, but I suspect it is due to internal investigations to fully understand the nature of the breach - what was compromised and what was not.
For reference, California's breach notification law does not set a fixed deadline for notifying affected users. It requires only that:
The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subdivision (c) [ed. section on cooperation with law enforcement], or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
What is missing thus far is useful information for the public: what happened, how it happened, what steps Chegg has taken to mitigate the risk, and whether a security vulnerability remains. I suspect it was wise to only disclose this breach to public equity markets based on guidance for financial losses, and not to the general public.
Chegg needs to more fully disclose the details of the incident to the general public, and do this very soon.
Update 1: I have modified the post title to more accurately reflect that it is unknown how many user accounts were accessed. Here is a ZDNet article with additional details.
Update 2: I contacted Chegg for additional information. Their spokesperson said the company has "a lot of obligations of how and when disclosures of non-public information can be made", and that a public post is now available with further details:
We recently discovered that some user account data from Chegg.com, or of one of its family of student services, may have been acquired by an unauthorized party. Our understanding is that the data that may have been obtained could include names, email addresses, shipping addresses, Chegg usernames, and hashed Chegg passwords. Our current understanding is that no financial information such as credit card numbers, bank account information, or social security numbers was obtained. As a result, we are prompting users to change their Chegg.com or Chegg affiliate passwords upon login.
For more information, please review the FAQs below.
- What happened?
- We recently discovered that some user account data from Chegg.com, or of one of its family of student services, may have been acquired by an unauthorized party.
- While our investigation into this matter continues, we are letting users know what we know now because we value our relationship with them.
- An investigation, supported by a third-party forensics firm, was commenced.
- What information was affected?
- Our understanding is that the names, email addresses, shipping addresses, Chegg usernames, and hashed Chegg passwords of some of our users may have been obtained as a result of this incident.
- Our current understanding also is that no financial information such as credit card numbers, bank account information, or social security numbers was obtained.
There are six additional questions addressed in the FAQ section. This post is a good step forward in transparency, although I believe it was a mistake not to have this available at the same time as notifications to the SEC and financial markets. We will update as we get new information.