The FBI’s Boston office issued a warning last week telling users not to make meetings on the platform public or share links widely after it received reports of internet pranksters hijacking virtual meetings to do silly things, post racist comments or sexually harass attendees – a phenomenon that has come to be known as “Zoombombing.”

The New York Attorney General’s office also made an inquiry into its cybersecurity practices, sending Zoom a letter asking what, if any, new security measures the company has put in place to handle increased traffic on its network and to detect hackers, according to The New York Times.

Zoom takes lead over Microsoft Teams as Americans stay home

A Zoom spokeswoman said on Monday that the company was “working around-the-clock to ensure that universities, schools, and other businesses around the world can stay connected and operational during this pandemic” and that it takes user privacy, security, and trust “extremely seriously”.

“We appreciate the outreach we have received on these issues from various elected officials and look forward to engaging with them,” she added in the statement in response to the New York Attorney General’s inquiry.

According to a blog post published by Yuan on Zoom’s website on April 1, the surge in users staying home due to the pandemic has caused “challenges we did not anticipate when the platform was conceived”.

Founded in 2011 by Chinese-born American Yuan, San Jose-based Zoom is known for the user friendliness of its platform, with users being able to join video conferences with just a link or randomly generated meeting ID number, without the need for passwords by default.

The convenience comes at a price, according to Wootliff. “There’s always a trade-off between convenience and security,” he said. “The more convenient the software is designed to use, the harder it is to keep it secure.”

Zoom was primarily built for enterprise customers – large institutions with full IT support, Yuan said in the post. “However, we did not design the product with the foresight that, in a matter of weeks, every person in the world would suddenly be working, studying, and socialising from home. We now have a much broader set of users who are utilising our product in a myriad of unexpected ways,” he wrote.

Elon Musk’s SpaceX bans Zoom over privacy concerns

The company is “committed to dedicating the resources needed to better identify, address, and fix issues proactively” over the next 90 days, according to the CEO, who wrote that measures implemented so far include clarifying protective features that could help prevent “Zoombombing”, removing a “Login with Facebook” feature that was sending information about users’ devices to the social networking giant, tightening the default privacy settings for education users as well as enabling passwords and virtual waiting rooms by default for more users.

Zoom’s links to China, a sensitive issue amid a hot US-China tech war, have also aroused suspicion. Last Thursday, it admitted in a statement that certain meetings held by non-Chinese users may have been “allowed to connect to systems in China, where they should not have been able to connect”.

The company noted in its filing to the US Securities and Exchange Commission in May 2019 that its “high concentration of research and development personnel in China” was a factor that could “expose us to market scrutiny regarding the integrity of our solution or data security features”.

That scrutiny did materialise: in a Tweet liked more than 2,000 times, Jacob Helberg, a senior adviser at Stanford University's Cyber Policy Center and adjunct fellow at the Centre for Strategic and International Studies, referred to Zoom’s engineering team in China and said “conducting sensitive conversations on a platform vulnerable to data collection by the CCP [Chinese Communist Party] should give pause to those concerned with protecting company or government secrets”.

Still, security experts the Post spoke to agreed the platform was just one example of how broader security issues could arise from the drastic surge in teleworking.

“It’s not usual to have 90 per cent of employees working from home,” Wootliff said, adding that “the issues are broader than what has been found with Zoom”.

“At the enterprise level, companies need to understand the baselines for remote working, so that they can spot irregular behaviour,” he said. “They also need to train employees to use their devices properly, separate work devices from non-work ones, and devise a plan to escalate and respond to possible breaches when most of your employees are outside the office.”

How working from home can strain social and company bonds

The risk of personal data being used for unauthorised purposes is common across cloud services, according to Kev Hau, a cybersecurity expert with Check Point Software Technologies.

“When using cloud services, we need to understand the shared responsibility model, where the cloud provider and cloud user both are accountable for different aspects of security and must work together to ensure full coverage,” he said.

“The cloud provider is responsible for securing their cloud infrastructure and its components. As for the user, we have the responsibility to protect [ourselves],” Hau added.

“Although Zoom is very popular, some of the issues are faced by many companies,” said Michael Gazeley, managing director and co-founder of Network Box Corporation, adding that “IT departments have been forced to wake up” due to the work-from-home trend.

“Say you’ve got a large company, and [staff] used to working behind layers of cybersecurity. But now you are using your laptop for both work and private life, and there’s no protection,” he said.

Gazeley suggested that companies that have not fully switched to remote working should set up proxies, virtual private networks and intrusion detection and prevention systems in advance if they can.

“It’s like changing the tire of a car – my recommendation would be to change it while the car is still stationary,” he said. “Once companies don’t have the luxury to have staff working from their offices, you will need to change the tire while it’s still moving.”