Agency Requires Comprehensive Security Program
As part of a settlement of allegations that Zoom “engaged in a series of deceptive and unfair practices that undermined the security of its users,” the U.S. Federal Trade Commission is requiring the video conferencing provider to implement and maintain a comprehensive security program within 60 days.
The 17-page agreement announced Monday comes after allegations that Zoom did not maintain a high level of cybersecurity and misled its customers about the level of encryption used for meetings, advertising AES-256 when it actually used AES-128.
“During the pandemic, practically everyone – families, schools, social groups, businesses – is using videoconferencing to communicate, making the security of these platforms more critical than ever,” Andrew Smith, director of the FTC’s Bureau of Consumer Protection, says. “Zoom’s security practices didn’t line up with its promises, and this action will help to make sure that Zoom meetings and data about Zoom users are protected.”
Zoom did not provide end-to-end 256-bit encryption for Zoom meetings as it had advertised, the FTC says. The company also misled users by claiming that recorded meetings were encrypted immediately, before being stored in its cloud storage facility.
“We are proud of the advancements we have made to our platform, and we have already addressed the issues identified by the FTC,” a Zoom spokesperson tells Information Security Media Group. “Today’s resolution with the FTC is in keeping with our commitment to innovating and enhancing our product as we deliver a secure video communications experience.” (See: Zoom to Offer End-to-End Encryption for All Users)
Security Actions Required
The FTC settlement describes the steps Zoom must take, including:
- Assess and document on an annual basis any potential internal and external security risks and develop ways to safeguard against such risks;
- Implement a vulnerability management program;
- Deploy safeguards such as multifactor authentication to protect against unauthorized access to its network, institute data deletion controls and take steps to prevent the use of known compromised user credentials;
- Require Zoom personnel to review any software updates for security flaws and ensure the updates will not hamper third-party security features.
Although the settlement carries no financial penalty, the FTC says any future violation could cost Zoom up to $43,280 per violation.
Surge in Popularity
When the COVID-19 pandemic began, much of the workforce shifted to working from home and schools shifted to remote learning. This led to a surge in the use of cloud-based video conferencing and collaboration platforms, including Zoom.
During Zoom’s second-quarter earnings call on Sept. 1, executives revealed that the number of corporate clients with more than 10 employees had grown by more than 400% in the past year to more than 370,000, according to MarketWatch.
Zoom executives also said about 300 million meeting participants use the platform daily.
This explosion in popularity also exposed the company’s security and privacy shortcomings. These included so-called “Zoom bombing” incidents, in which uninvited participants joined and disrupted meetings, as well as the company’s iOS app sharing users’ email addresses, photos and names with Facebook by default (see: Zoom Still Addressing Security, Privacy Concerns).
Zoom’s New York Settlement
In May, Zoom reached an agreement with the New York state attorney general’s office that had many of the same requirements as the FTC settlement (see: Zoom’s New York Settlement Spells Out Security Moves).
As part of the New York settlement, Zoom agreed to implement “reasonable encryption and security protocols,” for customer and corporate data. This includes the use of end-to-end encryption for all data as well as deploying industry-standard AES-256 encryption.