FTC Reaches Settlement with Zoom Over Allegations of Cybersecurity Issues and Misleading Security Practices

The U.S. Federal Trade Commission has reached a settlement with teleconferencing platform provider Zoom to resolve allegations that it misled consumers about the level of encryption it provided and did not implement adequate cybersecurity protections for its users.

Throughout the pandemic, use of the Zoom platform exploded as businesses and consumers relied on it to stay in touch with family and friends. Remote employees used the platform to connect and collaborate with their companies while working from home. The platform also became widely used in healthcare for delivering telehealth services and in education for students.

In its second-quarter earnings call, Zoom reported 400% growth in business customers with more than 10 employees and about 300 million meetings hosted per day. This enormous growth in popularity attracted the attention of security researchers, who found several security vulnerabilities in Zoom.

One major problem involved encryption. Zoom stated on its website that the platform provided end-to-end encryption, but this was not the case. Meetings were encrypted, but Zoom itself could still access customer information. The company also claimed that it used AES 256 encryption when it actually used AES 128, and that recorded meetings were encrypted immediately before storage.

Other cybersecurity problems included a Zoom software update that bypassed a browser security feature, and insufficient security protections that allowed uninvited persons to enter meetings, a practice known as Zoombombing. The company was also found to have shared email addresses, pictures, and users' names with Facebook, albeit unintentionally.

The FTC investigated Zoom and concluded that the company had engaged in a series of deceptive and unfair practices that weakened user security. The settlement requires Zoom to implement and maintain a comprehensive security program within 60 days.

The 17-page agreement specifies the actions Zoom must take to ensure the security of its platform. These include performing annual assessments of potential internal and external security threats, and designing and implementing safeguards that reduce those risks to a low and acceptable level.

Additional safeguards, such as multi-factor authentication, must be implemented to prevent unauthorized access to its systems. Zoom must take steps to prevent the compromise of user credentials and put data deletion controls in place. It must review all software updates for potential security issues before release and ensure that any new feature or security control does not interfere with third-party security features. The company must also establish a vulnerability management program.

Zoom was also cautioned over misrepresenting the security features of its platform to end users, the categories of information accessible to third parties, and the extent to which it maintains the privacy and security of user data.

Zoom must undergo a review by a third-party security firm to confirm that it complies with all requirements of the settlement and is effectively remediating problems. The agreement runs for 5 years, during which the FTC will supervise Zoom's compliance.

Zoom avoided a financial penalty; however, if it is found to have breached the terms of the settlement or federal law, it faces penalties of up to $43,280 for every violation.