Revenue staff working from home warned not to use Zoom

Employees were reporting issues with the use of Skype on mobile phones and on their computers with some asking to use Zoom instead.

An internal email warned however: “Using this as a work application would carry a risk of taxpayer information being scraped and used, primarily for targeted advertising but possibly for other purposes.” 

IT staff at Revenue working on an advisory for employees developed a watch-list on reasons not to use Zoom despite its convenience.

They said it was not “a product endorsed or supported by Revenue” for conferencing and that it was not encouraged for staff internal communications.

An advisory on “if you absolutely have to use Zoom” said users should always assume someone else can read, hear, or see what you are talking about and sharing.

They were also told “Zoombombing” was becoming common and that if you did not have to sign in for a meeting, then nobody else did.

“What started as a prank is now being used to record meetings and gather information by cybercriminals, said the advisory.

Revenue staff were told that sensitive material should not be shared through a Zoom channel.

The internal advisory said: “Privacy is not top of their agenda; up until recently Zoom have shared all cloud stored recordings, files, and transcripts with Facebook.

“They continue to share such information with advertising agencies and in their terms and conditions you agree they have a right to access and share all data and material that is transferred through their platform.” 

Tax officials were warned to watch out in particular for links in Zoom chat that might look genuine.

Attackers are crafting links to look like a shared file but in reality it links their system to a file on your system that could allow remote access or even upload your saved passwords to them.

Even after advice had issued about use of Skype and that Zoom would not be supported, Revenue still continued to get queries from staff.

One of their IT officials wrote jokingly: “Staff taking it on themselves [to use] Zoom internally — if only there was a mail about Skype gone out.” 

Revenue was also contacted by Europol and advised to cease use of Zoom.

An Irish detective sergeant based with the EU police agency forwarded concerns about bugs that could be abused to steal Windows passwords, or be used to take over the webcam and microphone on a Mac computer.

It also included other vulnerabilities and other security concerns, saying: “You are advised to refrain from using Zoom for conference calls.” 

Internal records also discuss the possibility of prohibiting access to Zoom on Revenue computer networks.

One email said: “Not sure we could block it completely, hopefully staff will follow directive.” 

A response said that a block on the Revenue system “should take care of the majority … if they want to use it from their laptop at home, then that’s up to them.”