This week, Zoom agreed to an $85 million class-action settlement over its security and privacy failures, a reminder that even large, widely trusted companies can be tripped up by weak protection. More importantly, Zoom's experience shows how directly cybersecurity affects a company's bottom line: its scramble to deliver the end-to-end encryption it had already advertised illustrates the cost of playing catch-up in security. Ransomware, it turns out, is not the only way lax security can cost a business eight figures.
Emil Sayegh, president and CEO of Ntirety, put it this way:
“This large Zoom settlement should be a wake-up call to not only all software and service providers, but also for the enterprises that use them. The only answer is a comprehensive security posture.”
The errors in Zoom's cybersecurity
No one could have predicted how quickly teleconferencing software would become the default way of doing business in a pandemic-stricken economy.
To put things in perspective, about 600,000 people downloaded the app on March 15, 2020, the day stay-at-home orders began to spread around the globe.
As a result, Zoom reported a 326 percent rise in sales for 2020, and CEO Eric Yuan said in March that the company still expects a 40 percent increase in sales in 2021.
The fast-expanding user base also drew scrutiny of the platform's security, with many users asking how safe the software actually was. By late March the company stood accused of misrepresenting its security. What Zoom marketed as end-to-end encryption was in fact encryption between each client and Zoom's own servers: the meeting keys were generated and held by Zoom, so the company itself could decrypt meeting content, which is precisely what genuine end-to-end encryption rules out.
Zoombombing became a problem as well, with pranksters injecting pornographic images and other disruptions into meetings. Hijacked online classes became common enough that by April 2020 the FBI was warning that teleconference intruders could face prison time. The Zoombombings also drew the attention of New York Attorney General Letitia James, who opened an inquiry into the platform's security practices.
In the midst of it all, the company had to remove code from its iOS app that had been sending analytics data to Facebook without telling users. A class-action lawsuit over these privacy failures was filed in California.
Zoom’s Efforts to Strengthen Security
The company announced a plan to address users' security concerns in April 2020 and had completed some of its steps by July of that year. Among the July 2020 changes was a check for repeated wrong passcodes, so that attackers could no longer guess their way into meetings and Zoombomb them. By October 2020 the platform had begun rolling out genuine end-to-end encryption, with meeting keys generated on participants' devices rather than on Zoom's servers, along with a stated strategy of prioritizing user security going forward.
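As an added illustration of the kind of passcode-guessing check described above (example code written for this page, not Zoom's own implementation; the `PasscodeGuard` name, the thresholds and the sample meeting data are assumptions), here is a throttle that counts wrong guesses per client and per meeting, locks a key out once a limit is hit, and compares passcodes in constant time:

```python
import hmac
from collections import defaultdict, deque

# Policy values are assumptions chosen for this example, not Zoom's real thresholds.
WINDOW_SECONDS = 300          # sliding window over which wrong guesses are counted
LOCKOUT_SECONDS = 900         # how long a tripped key stays locked
MAX_CLIENT_FAILURES = 5       # wrong guesses one client may make against one meeting
MAX_MEETING_FAILURES = 50     # wrong guesses allowed against a meeting from all clients


class PasscodeGuard:
    """Throttle meeting-passcode guessing.

    Failures are tracked on two keys: (meeting, client) stops a single attacker
    from enumerating one meeting's passcode, and (meeting) catches a guesser that
    spreads attempts across many client identities. The meeting-wide limit is
    deliberately higher because tripping it also locks out legitimate attendees,
    so a low value would hand attackers an easy denial of service.
    """

    def __init__(self, passcodes):
        self.passcodes = passcodes                  # meeting_id -> passcode (constructed data)
        self.failures = defaultdict(deque)          # key -> timestamps of wrong guesses
        self.locked_until = {}                      # key -> time the lock expires

    def _is_locked(self, key, now):
        until = self.locked_until.get(key)
        if until is None:
            return False
        if now >= until:
            # Lock expired: forget it and start counting from zero again.
            del self.locked_until[key]
            self.failures[key].clear()
            return False
        return True

    def _record_failure(self, key, limit, now):
        window = self.failures[key]
        window.append(now)
        while window and now - window[0] > WINDOW_SECONDS:
            window.popleft()                        # drop guesses older than the window
        if len(window) >= limit:
            self.locked_until[key] = now + LOCKOUT_SECONDS

    def attempt(self, meeting_id, client_id, passcode, now):
        """Return 'ok', 'wrong' or 'locked' for one join attempt at time `now`."""
        keys = [
            (("meeting", meeting_id), MAX_MEETING_FAILURES),
            (("client", meeting_id, client_id), MAX_CLIENT_FAILURES),
        ]
        if any(self._is_locked(key, now) for key, _ in keys):
            return "locked"                         # refuse even a correct guess

        # Unknown meetings compare against "" so the response does not reveal
        # which meeting IDs exist; the attempt still counts as a failure.
        expected = self.passcodes.get(meeting_id, "")
        if expected and hmac.compare_digest(expected.encode("utf-8"),
                                            passcode.encode("utf-8")):
            return "ok"                             # constant-time compare, no timing leak

        for key, limit in keys:
            self._record_failure(key, limit, now)
        return "wrong"


if __name__ == "__main__":
    # Constructed demo: one meeting, one attacker hammering it, then a real attendee.
    guard = PasscodeGuard({"123-456-789": "s3cret"})
    for t in range(6):
        print(t, guard.attempt("123-456-789", "attacker", "000000", float(t)))
    print("attendee:", guard.attempt("123-456-789", "alice", "s3cret", 6.0))
```

The two-level counter is the part worth copying: a per-client limit alone is trivially bypassed by rotating client identities, while a per-meeting limit alone lets one attacker lock real attendees out of their own call, so the meeting-wide threshold is set well above the per-client one.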
A company spokesperson told Threatpost:
“The privacy and security of our users are top priorities for Zoom, and we take seriously the trust our users place in us. We are proud of the advancements we have made to our platform and look forward to continuing to innovate with privacy and security at the forefront.”
However, Richard Blech, CEO of XSOC, argues that it is unacceptable that the company did not have these measures in place from the start.
“Zoom had a responsibility to ensure their platform was performing with the highest level of security,” Blech said. “But instead, they were learning from mistakes through the platform’s persistent vulnerabilities, threats, and hackings. Their lack of preparation, and frankly negligence, is unfortunately what caused this privacy lawsuit, and now, they will have to pay the consequences.”
Zoom’s settlement: a step in the right direction?
According to Malwarebytes' number-crunching, under the settlement filed with the court on July 31, Zoom will set up an $85 million fund to pay cash claims to U.S. users: $15 for users without a paid subscription and $25 for subscribers. The company will also pay $21 million in legal fees.
Zoom was not held liable for the Zoombombings themselves: a judge found that Section 230 of the Communications Decency Act shields the company from liability for content created by other users. According to Reuters, the judge also concluded that the plaintiffs had not shown that Zoom misused their data without consent.
The payout alone will not hurt a firm like Zoom, which is flush with cash and subscriber growth ($85 million is about 3 percent of Zoom's anticipated $2.65 billion in sales for 2020, roughly 4 percent once the $21 million in legal fees is added). Still, it sends a powerful signal, according to Alexa Slinger, an identity management expert at OneLogin.
"It's also less than we've seen other companies, like Equifax, Home Depot, and Uber, pay out for data breaches and cybersecurity attacks," Slinger said. But, as she pointed out, it stands as yet another lesson to other businesses that inadequate security can be costly in more ways than one.
“This story isn’t new, and despite the increasing level of breaches we hear about day in and day out, companies still under-invest in their cybersecurity framework,” she explained.
The $85 million settlement, according to Kevin Bocek, Venafi's vice president of security strategy and threat intelligence, sends a powerful message to management teams worldwide.
“A penalty of this caliber is painful for every business, even if it’s a fast-growing cloud business,” Bocek said. “The penalty gets boards, auditors, and executives to pay attention. This is the start of change, not the destination.”
This, according to Bocek, shows that cybersecurity must be handled with the same urgency as revenue growth.
"This awareness is starting to make engineering teams account for protecting the business, not just the CISO and security teams," he noted.