Information Technology Services, Department of Public Safety Investigating Feb. 17 ‘Zoombombing’ Incident

Syracuse University’s Information Technology Services (ITS) and the Department of Public Safety are investigating a reported “Zoombombing” incident that occurred on Wednesday, Feb. 17, during a virtual meeting of a student organization.

A participant reported that an unknown individual hacked the open session, repeatedly typed a racist epithet in the chat function and played offensive music. The organizer of the Zoom session quickly transitioned the open Zoom session to a private session and apologized to all participants.

The organizer notified the Department of Public Safety—who in turn contacted ITS. A full investigation is underway. At this time, it is unclear from where the hack occurred and whether the hacker has any affiliation with the University.

“Whether or not this individual has an affiliation with the University, this kind of racist behavior is appalling and has no role in our learning and living community,” says Chief Bobby Maldonado. “We will work with the appropriate law enforcement, as well as ITS, to investigate who is responsible and hold them accountable.”

“Zoombombing has been on the rise in the past year, particularly on college campuses, given the move to virtual learning,” says Samuel J. Scozzafava Jr., vice president for information technology and chief information officer. “It is critically important that all members of our community take the necessary precautions to secure their Zoom sessions to prevent hacking and to ensure a smooth and uneventful virtual learning and engagement experience.”

ITS recommends taking the following steps when hosting a Zoom session:

Automatically Generate a Meeting ID: Your Personal Meeting ID (PMI) may accidentally be made public. Therefore, when configuring the meeting ID, select “Generate Automatically.” This ensures that a unique meeting ID is used for every meeting.

Require Meeting Password: Under “meeting options” select “Require meeting password,” then choose a password of at least 8 characters and a mix of upper case, lower case, numbers and symbols. Participants will need to provide this before joining the meeting. This password will be placed in the invite email by default.  Organizers of highly sensitive meetings should consider removing this password from the invite before sending it out and distributing the password via a text message or telephone call.

Enable the Waiting Room Feature: Turning on the waiting room feature allows the meeting organizer to admit people as they arrive. This will significantly reduce the chance that unwanted attendees will be able to join the meeting.

Disable “Join Before Host:” Although this option is convenient if the organizer of the meeting is late to the meeting, when this is enabled, the first person to join the meeting is made host and has total control over the meeting.

Limit Screen Sharing to Host: By default, only the host is permitted the ability to share a screen. This helps prevent bad actors from sharing screens with inappropriate content. During the meeting, the host may grant permission to additional users if need be. When practical, this setting should be left as default, but some meetings may require numerous attendees to share their screen in which case organizers may consider de-selecting it.

Remove Participants from Meetings: If an unwanted attendee has joined a meeting, the meeting host may remove that user through the Manage Participants panel.

Lock the Meeting: Hosts and cohosts may choose to lock a meeting once all expected attendees have joined. This prevents unwanted attendees from attempting to enter and disrupt the meeting.

Record Meeting Automatically: This feature is turned off by default. If organizers turn this feature on, they will have the option to select “locally” or “in the cloud” to save their meetings. If a meeting contains any sensitive information, and until Zoom security is better understood, organizers should select “locally” instead of “in the cloud” and then share the recording through a University managed system such as shared drives or One Drive.

Request Help from or Report an Issue to ITS: For Zoom-related support or to report an issue, contact the ITS Help Desk by calling at 315.443.2677 or by emailing help@syr.edu.

If you have information about this incident or others, please call the DPS at 315.443.2224. If you would like to anonymously report NON-EMERGENCY information for DPS, you can use the Silent Witness tool or the Rave Guardian mobile app. To report a bias incident or to receive support, visit the Stop Bias website.