A popular educational technology company leaked thousands of GW community members’ usernames, passwords and addresses last year.
Officials said Chegg – a company that offers students homework help and textbook rentals – admitted falling victim to a data breach in April 2018 that revealed the usernames and passwords of 5,000 members of the GW community and 40 million users globally. While the incident did not involve a breach of any University systems, officials said Division of Information Technology employees are helping affected students to make sure their information is secure.
Jackie Li, a security engineer in the IT division, notified affected users on Sept. 24 about the breach, according to an email sent to users. Officials recommended in the email that users change their password used to access GW’s technology services and contact the IT division with any questions or concerns.
Chief Information Officer Loretta Early said officials learned of the breach the same day that they reached out to those impacted. She said IT Support Center leaders have dedicated several team members to respond to the leak by assisting students and alumni with account inquiries like password resets and by providing “guidance” on how to secure one’s accounts following a password leak.
“Due to the nature and potential impact of cybersecurity incidents, collaboration and attention is elevated to the highest levels to provide the best and most expedient response to our customers,” Early said in an email. “The recent incident was no different.”
She added that if a Chegg user has not heard from the company directly about the breach, they should visit the service’s website and change their password immediately. Users should also create unique passwords for different sites as general practice and change any identical or similar passwords to their Chegg account to protect their information, Early said.
“If users happen to reuse or slightly modify passwords across multiple services, publicly exposed credentials could potentially be exploited,” she said.
Chegg learned that an “unauthorized party” gained access to a database hosting user information for the company’s main website and affiliated brands last April, according to a September 2018 financial disclosure filed with the Securities and Exchange Commission.
“We operate in a very competitive and rapidly changing environment,” Chegg said in the filing. “New risks emerge from time to time.”
The potentially leaked information did not include social security numbers or financial information to the best of the company’s knowledge but did include users’ passwords, according to the filing.
“Chegg takes the security of its users’ information seriously and will be initiating a password reset process for all user accounts,” Chegg said in the filing.
Marc Boxser, the vice president of communications and policy at Chegg, said the company notified users about the breach last year and recommended users change their passwords.
Boxser said the company is limited in what it can disclose for legal reasons and deferred to a frequently asked questions page about the breach on the company’s website when reached for comment.
“We care deeply about students’ security – the incident in 2018 was well-publicized and as soon as possible when the situation was discovered, we reset every user password and attempted to contact every user,” he said in an email.
Cybersecurity experts said data breaches are unfortunately common, and users can monitor their information and not reuse passwords to protect their online accounts.
Adam Aviv, an associate professor of computer science, said he recommends people periodically check to see if their data has been exposed by using Have I Been Pwned, a website that allows users to see if their email address has been compromised in data breaches.
“You shouldn’t just react to these things, there are things you can do to be proactive the next time this happens,” Aviv said.
He added that in addition to regularly changing passwords, people should use password managers to randomly generate passwords that are difficult to replicate and never reuse a password.
“For one, you don’t have to come up with your own difficult and long passwords,” Aviv said. “It’s a good way to do digital hygiene.”
Peter Kellogg, the director of infrastructure services at the College of William and Mary, said students should use complex passwords that are not duplicated across accounts and change them periodically to mitigate the risk that third parties will involuntarily share students’ personal information.
Kellogg said data breaches most often occur so a third party can profit off of the information through identity theft or financial fraud. Students affected by the breach should monitor their credit rating and financial accounts for “suspicious behavior,” change all passwords and consider investing in a credit monitoring service, he said.
He added that universities can prevent their students from being affected by widespread data leaks by employing two-factor authentication and raising awareness about threats to data security. Officials introduced two-step authentication to GW Google Apps two years ago and hosted data privacy lunch and learn sessions this year to improve the University’s data security framework.
“We talk about a layered ‘defense in depth’ approach to information security,” Kellogg said in an email. “This means implementing technical, procedural and organizational controls at many different levels to prevent having a single point of failure.”