A Zoom shareholder has filed a lawsuit against the video-conferencing company for allegedly covering up security vulnerabilities in its app.
The suit, filed April 7 in a San Francisco federal court, accuses top Zoom executives of failing to disclose flaws in the company’s software, now used by some 200 million people daily. Zoom misrepresented problems with the software’s encryption protocol, failed to disclose that it was sharing user data with Facebook and concealed the extent to which user data was vulnerable to hackers, according to the suit.
Zoom chief executive Eric Yuan apologized for security issues in a blog post Monday, saying the company intends to improve its practices.
Investor Michael Drieu filed the lawsuit amid ongoing scrutiny of San Jose-based Zoom’s data protection practices. The number of daily users has skyrocketed, up from 10 million in early March, according to the company, as much of the world’s white-collar workforce has responded to the coronavirus pandemic by working from home. The sudden uptick, combined with Zoom’s apparent inability to encrypt video meetings, has given rise to “Zoombombing,” in which white supremacists and internet trolls barge into users’ meetings.
Zoom’s stock price fell by 19.62%, or $29.77, between March 27 and April 2, as questions about the software’s security were mounting. During that period, New York State Attorney General Letitia James announced her office would investigate the firm’s data protection practices, and the FBI issued a public bulletin about Zoombombing.
The suit filed Tuesday is a class action matter.
Security researchers who probed Zoom’s software also found that the company routed data through servers in China, potentially providing its government with access to sensitive data. Zoom owned three companies in China that employed some 700 workers, allowing the company to save on U.S. labor costs, though also rendering its services vulnerable to “pressure” from Chinese authorities, the University of Toronto’s Citizen Lab said in a report last week. The arrangement also contributed to a flawed encryption strategy that was “not suited for secrets,” Citizen Lab said.
Zoom has stopped using that strategy for non-Chinese data, it says. Company executives also have said they plan to introduce end-to-end encryption in the coming months.
The suit is available in full below.