Shares of Chegg Inc. (CHGG 0.43%) plummeted on Sept. 26 after the digital learning provider disclosed a security breach in a filing with the U.S. Securities and Exchange Commission. The company stated that on Sept. 19, it learned that a database that hosts user data for chegg.com, as well as other Chegg brands such as the academic citation service EasyBib, had been hacked nearly five-and-a-half months earlier, on April 29. The unauthorized access exposed the account information of more than 40 million active and inactive registered users. The following is the perceived extent of the breach, according to Chegg's statement:
The Company understands that the information that may have been obtained could include a Chegg user's name, email address, shipping address, Chegg username, and hashed Chegg password. The investigation into the incident, which is supported by third-party forensics, is ongoing. To date, the Company understands that no social security numbers or financial information such as users' credit card numbers or bank account information were obtained.
The hacking of the database introduces at least three specific states of uncertainty regarding Chegg shares. The most immediate is uncertainty of outcome. It's quite revealing that the company wasn't able to unequivocally state that sensitive information -- social security numbers, credit card numbers, or banking information -- hasn't been stolen. Management is clearly relying on its third-party cyber-forensics vendor to assess the extent of the damage. The phrase "To date, the Company understands" (emphases mine) suggests that management believes, though not with 100% certainty, that no critical information was obtained, based on what it understands from a third-party analysis. This leaves open the possibility of further subsequent analysis that might suggest the opposite.
The second state of uncertainty is how this event may impact Chegg's growth; for example, what reputational hazard the company may suffer as a result of the hacking activity. As I've previously described, Chegg is currently enjoying a phase of ballooning subscriber numbers. In the company's most recently reported quarter, subscribers within its Chegg services segment increased 45% year over year to 1.7 million users. It's difficult to try to prognosticate how an expanding user base that is primarily composed of millennials -- high school and college students -- will react to this news. It's possible that a portion of Chegg's users will lose trust in the organization, and yet it's also possible that this digitally native cohort will take the event more in stride than an older generation might.
In its filing, the company stated that it doesn't anticipate a material impact from the breach on its full-year results ending Dec. 31, 2018. But any potential longer-term negative impact on Chegg's double-digit revenue and subscriber growth rates will probably take months to surface and assess.
The third uncertainty regards the potential for a recurrence. It may seem implausible that a technology-based concern could be infiltrated and find itself unaware of this state for so many months. But a review of Chegg's risk disclosures in its 2017 annual report shows that it's not very different from other growing cloud-based tech companies. Management discloses that Chegg necessarily relies on a host of third parties to conduct business, from cloud service providers to enterprise resource planning software companies. To prevent an attack or gain real-time intelligence of a breach isn't easy in either theory or practice. In fact, the disclosures regarding the unending threat that a large-scale internet company like Chegg faces seem quite realistic, as this excerpt shows:
We have implemented physical, technical and administrative safeguards to protect our systems. To date, unauthorized users have not had a material effect on our systems; however, there can be no assurance that attacks will not be successful in the future. In addition, our information systems must be constantly updated, patched, and upgraded to protect against known vulnerabilities and optimize performance.
So what is the net result of all this uncertainty on Chegg stock? Shares dropped 12% in the trading session following disclosure of the breach. Even so, the "CHGG" symbol still trades at roughly 46 times forward one-year earnings estimates, reflecting how much investors have prized its growth prospects. For at least a quarter or two, these shares may be vulnerable to an earnings multiple compression. Time must pass to resolve each of the three uncertainties discussed above. As I noted in early May, Chegg has raised a veritable war chest of cash over the last several quarters. One can guess that it's going to put some of this cash to work in refortifying its systems against future intrusions.