
Bring teams together, reimagine workspaces, engage new audiences, and delight your customers –– all on the Zoom AI-first work platform you know and love. 💙 Zoomies help people stay connected so they can get more done together. We set out on a mission to make video communications frictionless and secure by building the world’s best video product for the enterprise, but we didn’t stop there. With products like AI Companion, Team Chat, Contact Center, Phone, Events, Rooms, Webinar, Contact Center and more, we bring innovation to a wide variety of customers, from the conference room to the classroom, from doctor’s offices to financial institutions to government agencies, from global brands to small businesses. We do what we do because of our core value of Care: care for our community, our customers, our company, our teammates, and ourselves. Our global employees help our customers meet happier, communicate better, and create meaningful connections the world over. Zoomies are problem-solvers and self-starters, working hard to get results and moving quickly to design solutions with our customers and users in mind. Here, you'll find room to grow with opportunities to stretch your skills and advance your career in a collaborative, growth-focused environment. Learn more about careers at Zoom by visiting our careers site: https://careers.zoom.us/home

Zoom A.I CyberSecurity Scoring

Zoom

Company Details

Linkedin ID: zoom
Website:
Employees number: 11,719
Number of followers: 631,702
NAICS: 5415
Industry Type: IT Services and IT Consulting
Homepage: www.zoom.com
IP Addresses: 0
Company ID: ZOO_2866788
Scan Status: In-progress

Zoom Risk Score (AI oriented): Between 750 and 799

  • Powered by our proprietary A.I. cyber incident model
  • Insurers prefer the TPRM score to calculate premiums
Zoom Global Score (TPRM): XXXX


Zoom Company CyberSecurity News & History

Past Incidents
2
Attack Types
2
Entity: Zoom
Type: Breach
Severity: 50
Impact: 2
Seen: 6/1967
Rankiteo Explanation: Attack limited on finance or reputation

Description: In 2021, Zoom faced a **$85 million class-action lawsuit settlement** due to allegations of **wrongful data sharing with third parties** and inadequate measures to prevent **unauthorized meeting disruptions ('Zoombombing')**. The lawsuit did not involve a traditional cyber breach, hacking, or data exfiltration but centered on **violations of privacy laws**, including improper handling of user data and failure to disclose tracking practices transparently. Plaintiffs argued that Zoom collected, shared, and mishandled personal information without proper consent, violating statutes like the **California Invasion of Privacy Act (1967)** and **federal wiretapping laws**. The case highlighted **non-breach privacy risks**, where companies face legal and financial repercussions for **non-compliance with data protection regulations** rather than direct cyberattacks. The settlement underscored the growing threat of **privacy litigation** tied to website tracking, data collection, and regulatory non-adherence, even without a security incident.

Entity: Zoom
Type: Vulnerability
Severity: 25
Impact:
Seen: 6/2025
Rankiteo Explanation: Attack without any consequences: Attack in which data is not compromised

Description: Recently, two vulnerabilities were discovered in specific Zoom Clients for Windows, which could enable attackers to launch Denial of Service (DoS) attacks. These flaws, tracked under CVE-2025-49464 and CVE-2025-46789, were reported by security researcher fre3dm4n and carry a Medium severity rating with a CVSS score of 6.5 each. The vulnerabilities stem from a classic buffer overflow issue in the affected Zoom products. This flaw could enable an authorized user with network access to exploit the system, causing a DoS condition that disrupts service availability. The CVSS vector string for both issues indicates a high impact on availability, though confidentiality and integrity remain unaffected. The potential for disruption is significant for organizations relying on Zoom for communication. The vulnerabilities impact multiple Zoom products for Windows, with slight variations in affected versions between the two CVEs.



Zoom Company Scoring based on AI Models

Cyber Incidents Likelihood 3 - 6 - 9 months: Incident predictions locked (Access Monitoring Plan)

A.I. Risk Score Likelihood 3 - 6 - 9 months: A.I. Risk Score predictions locked (Access Monitoring Plan)

Underwriter Stats for Zoom

Incidents vs IT Services and IT Consulting Industry Average (This Year)

Zoom has 78.57% more incidents than the average of same-industry companies with at least one recorded incident.

Incidents vs All-Companies Average (This Year)

Zoom has 53.85% more incidents than the average of all companies with at least one recorded incident.

Incident Types Zoom vs IT Services and IT Consulting Industry Avg (This Year)

Zoom reported 1 incident this year: 0 cyber attacks, 0 ransomware, 1 vulnerability, 0 data breaches, compared to industry peers with at least 1 incident.

Incident History — Zoom (X = Date, Y = Severity)

Zoom cyber incidents detection timeline including parent company and subsidiaries

Zoom Company Subsidiaries


Zoom Similar Companies

Indra (www.indracompany.com) is one of the leading global defence, aerospace and technology companies, and a world leader in digital transformation and information technologies in Spain and Latin America through its subsidiary, Minsait. Its business model is based on a comprehensive range of proprie

LexisNexis

LexisNexis Legal & Professional is a leading global provider of legal, regulatory and business information and analytics that help customers increase productivity, improve decision-making and outcomes, and advance the rule of law around the world. We help lawyers win cases, manage their work more e

ITC Infotech

ITC Infotech is a global technology solution and services leader providing business-friendly solutions, that enable future-readiness for clients. We seamlessly bring together digital expertise, strong industry-specific alliances, and deep domain expertise from ITC Group businesses. Our solutions and

Stefanini Brasil

Stefanini is a Brazilian multinational operating in the IT services sector. With support in more than 30 languages, Stefanini, the 5th most internationalized company according to Fundação Dom Cabral, operates in more than 35 countries and is among the 100 largest IT companies in the world (BBC News). Uma das ma

IGT Solutions

IGT Solutions is a next-gen customer experience (CX) company, defining and delivering AI-led transformative experiences for the global and most innovative brands using digital technologies. With the combination of Digital and Human Intelligence, IGT becomes the preferred partner for managing end-to-

Avanade

Avanade is the world’s leading expert on Microsoft. Trusted by over 7,000 clients worldwide, we deliver AI-driven solutions that unlock the full potential of people and technology, optimize operations, foster innovation and drive growth. As Microsoft’s Global SI Partner we combine global scale with

Verizon

We get you. You want more out of a career. A place to share your ideas freely — even if they’re daring or different. Where the true you can learn, grow, and thrive. You’ll find all that here. Because we empower you. We power and empower how people live, work and play by connecting them to what bri

Orange Business

At Orange Business, our ambition is to become the leading European Network and Digital Integrator by  leveraging our  proven expertise in next-generation connectivity solutions, the cloud and cybersecurity. Our 30,000 women and men are present in 65 countries, where every voice counts. Together, we

HCLTech

HCLTech is a global technology company, home to more than 220,000 people across 60 countries, delivering industry-leading capabilities centered around digital, engineering, cloud and AI, powered by a broad portfolio of technology services and products. We work with clients across all major verticals


Zoom CyberSecurity News

November 11, 2025 08:00 AM
Zoom Vulnerabilities Let Attackers Bypass Access Controls to Access Session Data

Zoom has issued multiple security bulletins detailing patches for several vulnerabilities affecting its Workplace applications.

November 11, 2025 08:00 AM
Zoom Workplace for Windows Vulnerability Allows Users to Escalate Privileges

A new security vulnerability has been discovered in Zoom Workplace VDI Client for Windows that could allow attackers to escalate their...

November 11, 2025 08:00 AM
Zoom Workplace for Windows Vulnerability Allow Users to Escalate Privilege

A vulnerability discovered in Zoom Workplace VDI Client for Windows allows attackers to gain elevated privileges on affected systems.

October 22, 2025 07:00 AM
Ukraine Aid Groups Targeted Through Fake Zoom Meetings and Weaponized PDF Files

Cybersecurity researchers have disclosed details of a coordinated spear-phishing campaign dubbed PhantomCaptcha targeting organizations...

September 18, 2025 07:00 AM
Apollo Micro Systems Forges Cybersecurity Alliances with Sibersentinel and Zoom Technologies

Apollo Micro Systems Forges Cybersecurity Alliances with Sibersentinel and Zoom Technologies ... Apollo Micro Systems Limited (AMSL) has signed...

September 18, 2025 07:00 AM
Apollo Micro Systems Ties Up with Sibersentinel, Zoom for Cybersecurity Technologies

Apollo Micro Systems Ties Up with Sibersentinel, Zoom for Cybersecurity Technologies. Published on 09/18/2025 at 06:03 am EDT. MT Newswires.

September 09, 2025 07:00 AM
Zoom Releases Security Update Patching Multiple Vulnerabilities

Zoom has released a security update addressing several flaws in its software, including Zoom Workplace and various Windows and macOS clients...

September 09, 2025 07:00 AM
Zoom Security Update - Patch for Multiple Vulnerabilities in Clients for Windows and macOS

Zoom released a security update addressing multiple vulnerabilities in its software, including Zoom Workplace and various clients for...

September 09, 2025 07:00 AM
Zoom Security Update Fixes Vulnerabilities in Windows Client and Workplace Platform

Zoom has released an urgent security update for its Windows client and Workplace platform to address multiple flaws.


Frequently Asked Questions

Explore insights on cybersecurity incidents, risk posture, and Rankiteo's assessments.

Zoom CyberSecurity History Information

Official Website of Zoom

The official website of Zoom is www.zoom.com.

Zoom’s AI-Generated Cybersecurity Score

According to Rankiteo, Zoom’s AI-generated cybersecurity score is 799, reflecting their Fair security posture.

How many security badges does Zoom have ?

According to Rankiteo, Zoom currently holds 0 security badges, indicating that no recognized compliance certifications are currently verified for the organization.

Does Zoom have SOC 2 Type 1 certification ?

According to Rankiteo, Zoom is not certified under SOC 2 Type 1.

Does Zoom have SOC 2 Type 2 certification ?

According to Rankiteo, Zoom does not hold a SOC 2 Type 2 certification.

Does Zoom comply with GDPR ?

According to Rankiteo, Zoom is not listed as GDPR compliant.

Does Zoom have PCI DSS certification ?

According to Rankiteo, Zoom does not currently maintain PCI DSS compliance.

Does Zoom comply with HIPAA ?

According to Rankiteo, Zoom is not compliant with HIPAA regulations.

Does Zoom have ISO 27001 certification ?

According to Rankiteo, Zoom is not certified under ISO 27001, indicating the absence of a formally recognized information security management framework.

Industry Classification of Zoom

Zoom operates primarily in the IT Services and IT Consulting industry.

Number of Employees at Zoom

Zoom employs approximately 11,719 people worldwide.

Subsidiaries Owned by Zoom

Zoom presently has no subsidiaries across any sectors.

Zoom’s LinkedIn Followers

Zoom’s official LinkedIn profile has approximately 631,702 followers.

NAICS Classification of Zoom

Zoom is classified under the NAICS code 5415, which corresponds to Computer Systems Design and Related Services.

Zoom’s Presence on Crunchbase

No, Zoom does not have a profile on Crunchbase.

Zoom’s Presence on LinkedIn

Yes, Zoom maintains an official LinkedIn profile, actively used for branding and talent engagement, which can be accessed here: https://www.linkedin.com/company/zoom.

Cybersecurity Incidents Involving Zoom

As of December 10, 2025, Rankiteo reports that Zoom has experienced 2 cybersecurity incidents.

Number of Peer and Competitor Companies

Zoom has an estimated 37,378 peer or competitor companies worldwide.

What types of cybersecurity incidents have occurred at Zoom ?

Incident Types: The types of cybersecurity incidents that have occurred include Vulnerability and Breach.

What was the total financial impact of these incidents on Zoom ?

Total Financial Loss: The total financial loss from these incidents is estimated to be $85 million.

How does Zoom detect and respond to cybersecurity incidents ?

Detection and Response: The company detects and responds to cybersecurity incidents through remediation measures (applying the latest patches, removal of unnecessary tracking tools such as pixels, annual privacy policy updates, opt-in consent banners on websites, AI-driven privacy policy audits), third-party assistance (cyber insurers such as Resilience, AXA XL and Travelers; legal counsel; privacy consultants), recovery measures (legal defense strategies, compliance program enhancements), a communication strategy (public settlements, e.g. Zoom; regulatory disclosures) and enhanced monitoring (website tracking technology scans, e.g. by Travelers).

Incident Details

Can you provide details on each incident ?

Incident : Vulnerability Exploitation

Title: Zoom Client Vulnerabilities Enable DoS Attacks

Description: Two vulnerabilities (CVE-2025-49464 and CVE-2025-46789) discovered in Zoom Clients for Windows can enable attackers to launch Denial of Service (DoS) attacks.

Type: Vulnerability Exploitation

Attack Vector: Buffer Overflow

Vulnerability Exploited: CVE-2025-49464, CVE-2025-46789

Motivation: Disruption of Service

Incident : Privacy Violation

Title: Non-Breach Privacy Exposures and Lawsuits in Cyber Insurance

Description: Companies face cyber exposures and lawsuits due to violations of federal/state privacy laws in data collection, handling, or sharing—without a traditional security breach. Examples include Zoom's $85M settlement (2021) for sharing user data with third parties and failing to prevent 'Zoombombing.' Rising privacy regulations (e.g., California AB 656, GDPR-like state laws) and plaintiff lawsuits (e.g., under VPPA, BIPA, or wiretapping statutes) exacerbate risks. Insurers vary in covering non-breach privacy claims, with some offering base coverage, endorsements, or exclusions. Mitigation strategies include auditing website tracking tools, updating privacy policies, and opt-in consent banners.

Type: Privacy Violation

Threat Actor: Plaintiff Attorneys, Regulatory Bodies

Motivation: Financial Gain (Litigation), Regulatory Enforcement, Consumer Protection

What are the most common types of attacks the company has faced ?

Common Attack Types: The most common type of attack the company has faced is Breach.

Impact of the Incidents

What was the impact of each incident ?

Incident : Vulnerability Exploitation ZOO619070925

Systems Affected: Zoom Workplace for Windows, Zoom Workplace VDI for Windows, Zoom Rooms for Windows, Zoom Rooms Controller for Windows, Zoom Meeting SDK for Windows

Operational Impact: Disruption of Communication Services

Incident : Privacy Violation ZOO35103935112525

Financial Loss: $85M (Zoom settlement, 2021)

Operational Impact: Legal Defense Costs, Reputation Damage, Compliance Overhead

Customer Complaints: Class-Action Lawsuits, Privacy Violations

Brand Reputation Impact: High (due to publicized lawsuits and regulatory scrutiny)

Legal Liabilities: Class-Action Settlements, Regulatory Fines (Potential), Statutory Damages

What is the average financial loss per incident ?

Average Financial Loss: The average financial loss per incident is $42.50 million.

Which entities were affected by each incident ?

Incident : Vulnerability Exploitation ZOO619070925

Entity Name: Zoom

Entity Type: Software Company

Industry: Communication Technology

Incident : Privacy Violation ZOO35103935112525

Entity Name: Zoom Video Communications

Entity Type: Public Company

Industry: Technology (Video Conferencing)

Location: San Jose, California, USA

Size: Large (Enterprise)

Customers Affected: Millions (class-action plaintiffs)

Incident : Privacy Violation ZOO35103935112525

Entity Name: Unspecified Companies (General)

Entity Type: Public, Private, SMEs

Industry: Online Retail, Technology, Any Data-Collecting Entity

Location: Global (Primarily USA, EU)

Response to the Incidents

What measures were taken in response to each incident ?

Incident : Vulnerability Exploitation ZOO619070925

Remediation Measures: Apply the latest patches

Incident : Privacy Violation ZOO35103935112525

Third Party Assistance: Cyber Insurers (e.g., Resilience, AXA XL, Travelers), Legal Counsel, Privacy Consultants.

Remediation Measures: Removal of unnecessary tracking tools (e.g., pixels), Annual privacy policy updates, Opt-in consent banners on websites, AI-driven privacy policy audits

Recovery Measures: Legal Defense Strategies, Compliance Program Enhancements

Communication Strategy: Public Settlements (e.g., Zoom), Regulatory Disclosures

Enhanced Monitoring: Website tracking technology scans (e.g., by Travelers)

How does the company involve third-party assistance in incident response ?

Third-Party Assistance: The company involves third-party assistance in incident response through Cyber Insurers (e.g., Resilience, AXA XL, Travelers), Legal Counsel and Privacy Consultants.

Data Breach Information

What measures does the company take to prevent data exfiltration ?

Prevention of Data Exfiltration: The company takes the following measures to prevent data exfiltration: Apply the latest patches, Removal of unnecessary tracking tools (e.g., pixels), Annual privacy policy updates, Opt-in consent banners on websites, AI-driven privacy policy audits.

Ransomware Information

How does the company recover data encrypted by ransomware ?

Data Recovery from Ransomware: The company recovers data encrypted by ransomware through Legal Defense Strategies and Compliance Program Enhancements.

Regulatory Compliance

Were there any regulatory violations and fines imposed for each incident ?

Incident : Privacy Violation ZOO35103935112525

Regulations Violated: California Invasion of Privacy Act (1967), Federal Video Privacy Protection Act (VPPA, 1988), Illinois Biometric Information Privacy Act (BIPA, 2008), State Wiretapping Statutes, California AB 656 (2023, Social Media Data Deletion), GDPR-like State Laws (e.g., CCPA)

Fines Imposed: $85M (Zoom settlement); potential fines under BIPA/VPPA

Legal Actions: Class-Action Lawsuits, Regulatory Investigations

Regulatory Notifications: California AB 656 Compliance, GDPR/EU-Aligned State Laws

How does the company ensure compliance with regulatory requirements ?

Ensuring Regulatory Compliance: The company ensures compliance with regulatory requirements through Class-Action Lawsuits and Regulatory Investigations.

Lessons Learned and Recommendations

What lessons were learned from each incident ?

Incident : Vulnerability Exploitation ZOO619070925

Lessons Learned: Ensuring that software is up to date is critical in safeguarding against potential exploits.

Incident : Privacy Violation ZOO35103935112525

Lessons Learned:
  • Non-breach privacy risks (e.g., wrongful data collection/sharing) are as critical as traditional breaches.
  • Proactive website audits (e.g., tracking tools, pixels) reduce litigation risks.
  • Clear privacy policies and opt-in consent mechanisms are essential for compliance.
  • Cyber insurance coverage for non-breach privacy claims varies widely; policy reviews are critical.
  • Regulatory proliferation (e.g., state-level GDPR-like laws) increases plaintiff opportunities.

What recommendations were made to prevent future incidents ?

Incident : Vulnerability Exploitation ZOO619070925

Recommendations: Stay vigilant about software updates to protect against buffer overflow issues.

Incident : Privacy Violation ZOO35103935112525

Recommendations:
  • Conduct annual reviews of website tracking technologies (e.g., pixels, cookies).
  • Implement opt-in consent banners for data collection.
  • Update privacy policies to align with evolving regulations (e.g., CCPA, BIPA).
  • Work with insurers/underwriters to assess non-breach privacy exposures.
  • Use AI tools to audit privacy policies for required disclosures.
  • Remove unnecessary data collection tools lacking clear business justification.
  • Monitor regulatory changes (e.g., California AB 656) and adjust compliance programs.

What are the key lessons learned from past incidents ?

Key Lessons Learned: The key lessons learned from past incidents are:
  • Ensuring that software is up to date is critical in safeguarding against potential exploits.
  • Non-breach privacy risks (e.g., wrongful data collection/sharing) are as critical as traditional breaches.
  • Proactive website audits (e.g., tracking tools, pixels) reduce litigation risks.
  • Clear privacy policies and opt-in consent mechanisms are essential for compliance.
  • Cyber insurance coverage for non-breach privacy claims varies widely; policy reviews are critical.
  • Regulatory proliferation (e.g., state-level GDPR-like laws) increases plaintiff opportunities.

What recommendations has the company implemented to improve cybersecurity ?

Implemented Recommendations: The company has implemented the following recommendation to improve cybersecurity: Stay vigilant about software updates to protect against buffer overflow issues.

References

Where can I find more information about each incident ?

Incident : Privacy Violation ZOO35103935112525

Sources:
  • Business Insurance - 'Non-breach privacy exposures a growing concern'
  • Zoom $85M Class-Action Settlement (2021)
  • Video Privacy Protection Act (VPPA, 1988)
  • Illinois Biometric Information Privacy Act (BIPA, 2008)

Where can stakeholders find additional resources on cybersecurity best practices ?

Additional Resources: Stakeholders can find additional resources on cybersecurity best practices at the following sources:
  • Business Insurance - 'Non-breach privacy exposures a growing concern'
  • Zoom $85M Class-Action Settlement (2021)
  • California AB 656 (2023), https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB656
  • Video Privacy Protection Act (VPPA, 1988)
  • Illinois Biometric Information Privacy Act (BIPA, 2008)

Investigation Status

What is the current status of the investigation for each incident ?

Incident : Privacy Violation ZOO35103935112525

Investigation Status: Ongoing (Industry-Wide Trend)

How does the company communicate the status of incident investigations to stakeholders ?

Communication of Investigation Status: The company communicates the status of incident investigations to stakeholders through Public Settlements (e.g., Zoom) and Regulatory Disclosures.

Stakeholder and Customer Advisories

Were there any advisories issued to stakeholders or customers for each incident ?

Incident : Privacy Violation ZOO35103935112525

Stakeholder Advisories: Cyber insurers recommend proactive privacy risk assessments; legal counsel advises on compliance with state/federal privacy laws; underwriters focus on website data collection/sharing practices.

Customer Advisories: Companies should disclose data collection practices transparently; users may request data deletion under laws like California AB 656.

What advisories does the company provide to stakeholders and customers following an incident ?

Advisories Provided: The company provides the following advisories to stakeholders and customers following an incident: cyber insurers recommend proactive privacy risk assessments; legal counsel advises on compliance with state/federal privacy laws; underwriters focus on website data collection/sharing practices; companies should disclose data collection practices transparently; users may request data deletion under laws like California AB 656.

Post-Incident Analysis

What were the root causes and corrective actions taken for each incident ?

Incident : Vulnerability Exploitation ZOO619070925

Root Causes: Buffer overflow in Zoom products

Corrective Actions: Apply patches to affected Zoom products

Incident : Privacy Violation ZOO35103935112525

Root Causes: Lack of transparency in data collection/sharing (e.g., Zoom). Overuse of tracking technologies (e.g., pixels) without consent. Non-compliance with evolving privacy regulations (e.g., BIPA, VPPA). Inadequate privacy policy disclosures.

Corrective Actions: Enhanced privacy policy disclosures. Removal of non-essential tracking tools. Opt-in consent mechanisms for data collection. Regular compliance audits (e.g., annual privacy policy reviews). Collaboration with insurers for risk mitigation.

What is the company's process for conducting post-incident analysis ?

Post-Incident Analysis Process: The company's process for conducting post-incident analysis is described as: cyber insurers (e.g., Resilience, AXA XL, Travelers), legal counsel, privacy consultants, and website tracking technology scans (e.g., by Travelers).

What corrective actions has the company taken based on post-incident analysis ?

Corrective Actions Taken: The company has taken the following corrective actions based on post-incident analysis: Apply patches to affected Zoom products. Enhanced privacy policy disclosures. Removal of non-essential tracking tools. Opt-in consent mechanisms for data collection. Regular compliance audits (e.g., annual privacy policy reviews). Collaboration with insurers for risk mitigation.

Additional Questions

General Information

Who was the attacking group in the last incident ?

Last Attacking Group: The attacking group in the last incident was Plaintiff Attorneys / Regulatory Bodies.

Impact of the Incidents

What was the highest financial loss from an incident ?

Highest Financial Loss: The highest financial loss from an incident was $85M (Zoom settlement, 2021).

What was the most significant system affected in an incident ?

Most Significant System Affected: The most significant systems affected in an incident were Zoom Workplace for Windows, Zoom Workplace VDI for Windows, Zoom Rooms for Windows, Zoom Rooms Controller for Windows, and Zoom Meeting SDK for Windows.

Response to the Incidents

What third-party assistance was involved in the most recent incident ?

Third-Party Assistance in Most Recent Incident: The third-party assistance involved in the most recent incident was cyber insurers (e.g., Resilience, AXA XL, Travelers), legal counsel, and privacy consultants.

Regulatory Compliance

What was the highest fine imposed for a regulatory violation ?

Highest Fine Imposed: The highest fine imposed for a regulatory violation was $85M (Zoom settlement); potential fines under BIPA/VPPA.

What was the most significant legal action taken for a regulatory violation ?

Most Significant Legal Action: The most significant legal actions taken for a regulatory violation were class-action lawsuits and regulatory investigations.

Lessons Learned and Recommendations

What was the most significant lesson learned from past incidents ?

Most Significant Lesson Learned: The most significant lesson learned from past incidents was Regulatory proliferation (e.g., state-level GDPR-like laws) increases plaintiff opportunities.

What was the most significant recommendation implemented to improve cybersecurity ?

Most Significant Recommendation Implemented: The most significant recommendations implemented to improve cybersecurity were: Conduct annual reviews of website tracking technologies (e.g., pixels, cookies). Remove unnecessary data collection tools lacking clear business justification. Stay vigilant about software updates to protect against buffer overflow issues. Work with insurers/underwriters to assess non-breach privacy exposures. Update privacy policies to align with evolving regulations (e.g., CCPA, BIPA). Use AI tools to audit privacy policies for required disclosures. Implement opt-in consent banners for data collection. Monitor regulatory changes (e.g., California AB 656) and adjust compliance programs.

References

What is the most recent source of information about an incident ?

Most Recent Source: The most recent sources of information about an incident are California AB 656 (2023), Illinois Biometric Information Privacy Act (BIPA, 2008), Business Insurance - 'Non-breach privacy exposures a growing concern', Zoom $85M Class-Action Settlement (2021), and Video Privacy Protection Act (VPPA, 1988).

What is the most recent URL for additional resources on cybersecurity best practices ?

Most Recent URL for Additional Resources: The most recent URL for additional resources on cybersecurity best practices is https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=202320240AB656

Investigation Status

What is the current status of the most recent investigation ?

Current Status of Most Recent Investigation: The current status of the most recent investigation is Ongoing (Industry-Wide Trend).

Stakeholder and Customer Advisories

What was the most recent stakeholder advisory issued ?

Most Recent Stakeholder Advisory: The most recent stakeholder advisory issued was: Cyber insurers recommend proactive privacy risk assessments. Legal counsel advises on compliance with state/federal privacy laws. Underwriters focus on website data collection/sharing practices.

What was the most recent customer advisory issued ?

Most Recent Customer Advisory: The most recent customer advisory issued was: Companies should disclose data collection practices transparently. Users may request data deletion under laws like California AB 656.

Post-Incident Analysis

What was the most significant root cause identified in post-incident analysis ?

Most Significant Root Cause: The most significant root causes identified in post-incident analysis were: Buffer overflow in Zoom products. Lack of transparency in data collection/sharing (e.g., Zoom). Overuse of tracking technologies (e.g., pixels) without consent. Non-compliance with evolving privacy regulations (e.g., BIPA, VPPA). Inadequate privacy policy disclosures.

What was the most significant corrective action taken based on post-incident analysis ?

Most Significant Corrective Action: The most significant corrective actions taken based on post-incident analysis were: Apply patches to affected Zoom products. Enhanced privacy policy disclosures. Removal of non-essential tracking tools. Opt-in consent mechanisms for data collection. Regular compliance audits (e.g., annual privacy policy reviews). Collaboration with insurers for risk mitigation.

CVE

Latest Global CVEs (Not Company-Specific)

Description

WeGIA is an open source Web Manager for Institutions with a focus on Portuguese language users. Versions 3.5.4 and below contain a Stored Cross-Site Scripting (XSS) vulnerability in the /WeGIA/html/geral/configurar_senhas.php endpoint. The application does not sanitize user-controlled data before rendering it inside the employee selection dropdown. The application retrieves employee names from the database and injects them directly into HTML <option> elements without proper escaping. This issue is fixed in version 3.5.5.

Risk Information
cvss3
Base: 4.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:L/UI:N/S:U/C:L/I:N/A:N
Description

ZITADEL is an open-source identity infrastructure tool. Versions 4.0.0-rc.1 through 4.7.0 are vulnerable to DOM-based XSS through the Zitadel V2 logout endpoint. The /logout endpoint insecurely routes to a value that is supplied in the post_logout_redirect GET parameter. As a result, an unauthenticated remote attacker can execute malicious JS code in Zitadel users' browsers. To carry out an attack, multiple user sessions need to be active in the same browser; however, account takeover is mitigated when using Multi-Factor Authentication (MFA) or Passwordless authentication. This issue is fixed in version 4.7.1.

Risk Information
cvss3
Base: 8.0
Severity: HIGH
CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:C/C:H/I:H/A:N
Description

ZITADEL is an open-source identity infrastructure tool. Versions 4.7.0 and below are vulnerable to an unauthenticated, full-read SSRF vulnerability. The ZITADEL Login UI (V2) treats the x-zitadel-forward-host header as a trusted fallback for all deployments, including self-hosted instances. This allows an unauthenticated attacker to force the server to make HTTP requests to arbitrary domains, such as internal addresses, and read the responses, enabling data exfiltration and bypassing network-segmentation controls. This issue is fixed in version 4.7.1.

Risk Information
cvss3
Base: 9.3
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:L/A:N
Description

NiceGUI is a Python-based UI framework. Versions 3.3.1 and below are vulnerable to directory traversal through the App.add_media_files() function, which allows a remote attacker to read arbitrary files on the server filesystem. This issue is fixed in version 3.4.0.

Risk Information
cvss3
Base: 7.5
Severity: LOW
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Description

FreePBX Endpoint Manager is a module for managing telephony endpoints in FreePBX systems. Versions are vulnerable to authentication bypass when the authentication type is set to "webserver." When providing an Authorization header with an arbitrary value, a session is associated with the target user regardless of valid credentials. This issue is fixed in versions 16.0.44 and 17.0.23.

Risk Information
cvss4
Base: 9.3
Severity: LOW
CVSS:4.0/AV:N/AC:L/AT:N/PR:N/UI:N/VC:H/VI:H/VA:H/SC:N/SI:N/SA:N/E:X/CR:X/IR:X/AR:X/MAV:X/MAC:X/MAT:X/MPR:X/MUI:X/MVC:X/MVI:X/MVA:X/MSC:X/MSI:X/MSA:X/S:X/AU:X/R:X/V:X/RE:X/U:X

Access Data Using Our API


Get company history

curl -i -X GET 'https://api.rankiteo.com/underwriter-getcompany-history?linkedin_id=zoom' -H 'apikey: YOUR_API_KEY_HERE'

What Do We Measure ?

Incident
Finding
Grade
Digital Assets

Every week, Rankiteo analyzes billions of signals to give organizations a sharper, faster view of emerging risks. With deeper, more actionable intelligence at their fingertips, security teams can outpace threat actors, respond instantly to Zero-Day attacks, and dramatically shrink their risk exposure window.

These are some of the factors we use to calculate the overall score:

Network Security

Identify exposed access points, detect misconfigured SSL certificates, and uncover vulnerabilities across the network infrastructure.

SBOM (Software Bill of Materials)

Gain visibility into the software components used within an organization to detect vulnerabilities, manage risk, and ensure supply chain security.

CMDB (Configuration Management Database)

Monitor and manage all IT assets and their configurations to ensure accurate, real-time visibility across the company's technology environment.

Threat Intelligence

Leverage real-time insights on active threats, malware campaigns, and emerging vulnerabilities to proactively defend against evolving cyberattacks.

Rankiteo is a unified scoring and risk platform that analyzes billions of signals weekly to help organizations gain faster, more actionable insights into emerging threats. Empowering teams to outpace adversaries and reduce exposure.