According to The Washington Post, thousands of Zoom cloud recordings have been exposed on the web because of the way Zoom names its recordings. The recordings appear to have been posted to unprotected Amazon Web Services (AWS) buckets, which makes it possible to find the videos through an online search.
In a statement, Zoom (quoted by The Hill) said it “provides a safe and secure way for hosts to store recordings” and “provides guides for how users can enhance their call security.”
And then followed with a warning: “Should hosts later choose to upload their meeting recordings anywhere else, we urge them to use extreme caution and be transparent with meeting participants, giving careful consideration to whether the meeting contains sensitive information and to participants’ reasonable expectations.”
Some of the exposed videos included training orientation for workers doing telehealth calls. Looking into the matter for Digital Journal, Chris DeRamus of DivvyCloud places it in the context of the expansion in homeworking: “Amid the global pandemic, companies and individuals alike have been hastily adjusting to remote operations and increasingly utilizing digital communication platforms such as Zoom for work and personal use cases.”
DeRamus notes further: “As such, Zoom’s daily users have increased almost 2,000 percent in the past four months. However, this rapid adoption of Zoom has unearthed the discovery of personal Zoom videos left viewable on the open web, discoverable through simple online searches.”
In terms of the implications, DeRamus says: “With personally identifiable data as well as work and intimate conversations exposed, bad actors now have the ability to exploit this information and launch phishing attacks or other scam campaigns against Zoom users.”
There are general lessons that can be drawn from this, DeRamus explains: “Companies that hundreds of millions of global customers are relying on for business continuity and/or personal communications during this challenging time, must have stringent security measures in place. Every saved recording must require a unique file name that is not identical to any other recording, especially given that these files can be saved openly on the web in misconfigured public storage buckets. Negating necessary security steps will put the personal privacy and sensitive data of Zoom’s users at risk.”
As to what needs to happen next, DeRamus recommends: “Due to the current crisis and subsequent increase in demand for their product, Zoom may have had no choice but to speed up efforts and in doing so, made the tough choice between innovation and security leading to the resulting data breach. Had they been leveraging an automated security strategy however, they would have never had to make that choice.”
Furthermore, the analyst suggests: “The reality is that companies can accelerate innovation without loss of control in the cloud by leveraging automated security strategies that grant the ability to enforce policy, provide governance, impose compliance, and provide a framework for the processes developers should follow—all on a continuous, consistent basis. As a result, companies can innovate while maintaining security, they simply must adopt the proper cloud strategies and solutions.”
In related news, Zoom Video Communications is facing a privacy suit for allegedly disclosing personal data to third parties without full user consent, according to Nasdaq.