Insights & Analyses

The price of a data breach: Shares of Chegg chopped 12%+ after customer data exposure – One World Identity

September 27, 2018

After disclosing to the U.S. Securities and Exchange Committee a data breach that affected some 40 million customers, shares of online textbook rental company Chegg plummeted. But while it notified regulators, it has yet to alert its own customers.

Shares of Chegg dropped 12 percent on Wednesday after the breach was reported to the SEC. The company failed to recover on Thursday, as its stock once again fell another 1.2 percent, finishing the day at $28.08.

In the filing, Chegg revealed that it will reset the passwords of 40 million users. The breach was reportedly discovered on Sept. 19, but dates back to late April.

Data that may have been compromised in the attack is said to include names, email addresses, usernames, shipping addresses, and passwords. The passwords were said to be protected by a hashing algorithm. Financial information and other sensitive data, such as Social Security numbers, were not included in the breach.

The losses on the market since the breach was disclosed amount to hundreds of millions of dollars worth of market capitalization. As of close of markets Thursday, Chegg’s market cap has fallen to $3.2 billion, and shares have continued to fall in after-hours trading.

Critics have taken Chegg to task for its approach in disclosing the data breach. The 8-K filing with the SEC was first discovered by education technology consultant Phil Hill, who told ZDNet he doesn’t feel the company has done an acceptable job of notifying the public.

“Seems focus is on guidance for stock price, not transparency,” he said.

OWI Insight: Chegg’s breach is not unlike countless other instances of data theft that have happened in recent years. But as the public becomes more aware of these incidents, their expectations for disclosure and proactive measures also grow. Companies who operate in the data economy and handle sensitive personally identifiable information should have an action plan in place to disclose to customers and respond to cybersecurity incidents as quickly as is reasonably and safely possible.