Zoom Settlement: An $85M Business Case for Security Investment  

Zoom’s security lesson over end-to-end encryption shows the costs of playing cybersecurity catchup.

Ransomware isn’t the only way lax security can cost a business eight figures in damage. Zoom just lost an $85 million class-action lawsuit this week for its cybersecurity missteps, proving that even the most essential and relied-upon brands can be tripped up by inadequate security. More importantly, Zoom’s journey is an object lesson showing that cybersecurity matters to the bottom line.

“This large Zoom settlement should be a wake-up call to not only all software and service providers, but also for the enterprises that use them,” Emil Sayegh, president and CEO of Ntirety explained to Threatpost. “The only answer is a comprehensive security posture.”

Zoom’s Cybersecurity Missteps

No one could have possibly predicted how quickly Zoom would become the go-to way to do business in a pandemic-plagued economy. For context, on March 15, 2020, the day stay-at-home orders started to snowball across the globe, almost 600,000 users downloaded the app. In 2020, the Zoom reported a 326 percent spike in sales, and Zoom CEO Eric Yuan announced last March the company is still anticipating a 40-percent increase in sales in 2021.

The video-conferencing platform’s exploding user base also drew attention to security, with many wondering just how secure the app really was. By late March, Zoom found itself accused of misrepresenting its security. The company’s claims of offering end-to-end encryption turned out not to be exactly true, leaving conference data visible to Zoom itself.

Zoombombings also became an issue. Pranksters inserting pornographic images and other intrusions into conference meetings and even school sessions became so regular on the platform that by April 2020, the FBI was threatening teleconference hackers with jail time. The Zoombombings also drew the attention of New York Attorney General Letitia James who scrutinized the platform’s security.

In the middle of all this, Zoom also had to remove an iOS app that was sharing analytics with Facebook without disclosing the fact to users.

What followed was a class-action lawsuit filed in California for Zoom’s privacy violations.

Zoom’s Moves to Beef Up Security

In April 2020, the company implemented a plan to address users’ security concerns, several steps of which were implemented by that July. Also in July 2020, Zoom made changes to check repeated incorrect passcodes to keep Zoombombers at bay. By last October, the platform rolled out end-to-end encryption in earnest, and outlined a plan to prioritize security for its users moving forward.

“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us,” according to a company spokesperson statement given to Threatpost. “We are proud of the advancements we have made to our platform and look forward to continuing to innovate with privacy and security at the forefront.”

But the fact that the company didn’t have these security measures already in place is unacceptable, according to Richard Blech, CEO of XSOC.

“Zoom had a responsibility to ensure their platform was performing with the highest level of security,” Blech told Threatpost. “But instead, they were learning from mistakes through the platform’s persistent vulnerabilities, threats and hackings. Their lack of preparation, and frankly negligence, is unfortunately what caused this privacy lawsuit and now, they will have to pay the consequences.”

Zoom’s $85 Million Settlement: A Signal for the Future

On July 31, a court that ruled Zoom would have to set up an $85 million fund to pay cash claims to U.S. users, which will amount to anywhere from $15 for unsubscribed users to $25 for those with subscriptions, according to number-crunching from Malwarebytes. The company will also have to shell out about $21 million in legal fees, according to the ruling.

Zoom wasn’t held liable for the Zoombombings in the suit, after the judge ruled that it was protected from content generated by other users under the Communications Decency Act. The judge also ruled that the plaintiffs didn’t prove Zoom abused their data without consent, Reuters reported.

Alexa Slinger, identity management expert at OneLogin, pointed out that the fine itself isn’t going to be very painful for a company like Zoom , which is currently awash in cash and subscriber growth ($85 million is just 4 percent of Zoom’s reported $2.65 billion revenue for 2020) — but it does send a strong signal.

“It’s also less than we’ve seen other companies, like Equifax, Home Depot and Uber, pay out for data breaches and cyber security attacks,” Slinger told Threatpost. But, Slinger added, it’s yet another reminder for other organizations that poor security can be expensive in more ways than one.

“This story isn’t new, and despite the increasing level of breaches we hear about day in and day out, companies still under-invest in their cybersecurity framework,” she said.

Kevin Bocek, vice president of security strategy and threat intelligence at Venafi, told Threatpost that the $85 million settlement will send a strong message for management teams everywhere.

“A penalty of this caliber is painful for every business, even if it’s a fast-growing cloud business,” Bocek said. “The penalty gets boards, auditors and executives to pay attention. This is the start of change, not the destination.”

Bocek added that this demonstrates once again that cybersecurity needs to be treated with the same urgency as revenue growth.

“This awareness is starting to make engineering teams account for protecting the business, not just CISO and security teams,” he said.

Worried about where the next attack is coming from? We’ve got your back. REGISTER NOW for our upcoming live webinar, How to Think Like a Threat Actor, in partnership with Uptycs. Find out precisely where attackers are targeting you and how to get there first. Join host Becky Bracken and Uptycs researchers Amit Malik and Ashwin Vamshi on Aug. 17 at 11AM EST for this LIVE discussion.


Suggested articles