Cyber Incident Victim: Chegg

On April 29, 2020, Chegg confirmed its third data breach since 2018, involving unauthorized access to sensitive employee records. Hackers exfiltrated personal information belonging to 700 current and former employees, including names and Social Security numbers. The breach represented a significant exposure given Chegg's workforce of over 1,400 full-time employees at the start of 2020. The company engaged an unnamed external forensic firm to investigate the incident and notified law enforcement authorities. Chegg did not publicly disclose the attack vector or timeline of unauthorized access, nor did it specify whether customer data was compromised in this particular incident. The breach occurred amid ongoing legal challenges stemming from previous security failures, including a federal court decision just one day prior that granted Chegg's motion to force arbitration in a lawsuit related to its 2018 breach.

This incident continued a pattern of security vulnerabilities affecting Chegg and its subsidiaries. In 2018, attackers had compromised 40 million customer records, forcing widespread password resets across user accounts. Nearly a year later in 2019, Chegg disclosed another breach at Thinkful, an online learning platform it had acquired for $80 million earlier that year. The repeated breaches occurred against a backdrop of corporate expansion, with Chegg's stock price rising 2% on the day of the 2020 breach disclosure despite the security incident. The company's limited public response included no detailed remediation plan beyond the forensic investigation and law enforcement notification, nor did officials provide comment when contacted by media outlets. The breach exclusively impacted employee records rather than customer data, distinguishing it from the 40 million-record customer compromise two years prior.