Gilroy’s virtual town hall was disrupted April 27 by a hacker who displayed video of child pornography during a meeting that was viewed by more than 100 people.
The meeting, which city officials hosted on the video-teleconferencing platform Zoom as well as on Facebook, gathered city department heads who were answering various questions from the public.
So-called “Zoom-bombing,” when a user logs into a public meeting and displays pornographic images or hate messages, has spread rapidly in online meetings throughout the country, as jurisdictions are forced to hold meetings virtually due to the COVID-19 pandemic, according to the FBI.
The Gilroy incident occurred 20 minutes into the 5:30pm meeting. As interim city administrator Jimmy Forbis was speaking, the image went dark before a video appeared of a toddler being raped by an unknown man.
The audio from the virtual town hall was still audible during the seconds-long clip, and Forbis could be heard exclaiming, “Oh my god.”
Once the video ended, the screen returned to the webcam images of the city officials for a few seconds before a different video showed another toddler engaged in a sexual act with a man.
At this time, Forbis spoke loudly into the microphone calling for the meeting to be cut off, because “we’re being hacked.”
Just before the meeting was shut down, Gilroy Police Chief Scot Smithee was heard saying the police department would be “sending out our local people.”
The incident lasted less than 30 seconds.
City officials released a statement on social media apologizing for the “deeply disturbing imagery.”
“Despite our quickest efforts, immediately shutting the meeting down, this imagery still made it to the public who were viewing and participating in the meeting,” the statement read. “We extend our deepest apologies to the community and all those affected by this disturbing incident. We will be evaluating security protocols for virtual meetings to prevent this type of incident in the future. As for now, Straight Talk with the City of Gilroy is postponed until further notice.”
In a statement, Forbis said the incident “was the most disturbing thing I’ve ever seen in my life.”
He added, “Every so often we get reminded that there are monsters living in our world. Tonight was one of those moments.”
Forbis said Gilroy Police is investigating, and added that the city is looking at different video conferencing platforms “that have better security and can ensure that we don’t have to go through that again.”
“I wanted to thank all of you that participated,” he said. “I was really enjoying the conversation and thought the questions were very well thought out and also very relevant given this time in the world.”
In a comment on the Gilroy Dispatch’s Facebook page, Denise Black-Jungling wrote that she was watching the meeting with her daughter, who is a high school student.
“We are so deeply disturbed,” she said. “She’s taking government this year and I thought this would be a good lesson. She learned too much about the world today.”
Others suggested different video-conferencing programs the city could use in the future.
“Zoom is crap for security,” John Newton wrote. “This is a known issue. Stupid that any government agency would use it.”
Zoom, a San Jose-based company founded in 2011, announced a number of new safety features for the program on April 22 as part of its “90-day plan” to increase its security capabilities.
“I am proud to reach this step in our 90-day plan, but this is just the beginning,” Zoom CEO Eric S. Yuan stated in a press release. “We built our business by delivering happiness to our customers. We will earn our customers’ trust and deliver them happiness with our unwavering focus on providing the most secure platform.”
In late March, the company released guidelines on how users could prevent “uninvited guests” from posting inappropriate content in their meetings. The FBI also released the following steps to mitigate teleconference hijacking threats:
• Do not make meetings or classrooms public. In Zoom, there are two options to make a meeting private: require a meeting password or use the waiting room feature and control the admittance of guests.
• Do not share a link to a teleconference or classroom on an unrestricted publicly available social media post. Provide the link directly to specific people.
• Manage screen sharing options. In Zoom, change screen sharing to “Host Only.”
• Ensure users are using the updated version of remote access/meeting applications. In Zoom’s security update, the teleconference software provider added passwords by default for meetings and disabled the ability to randomly scan for meetings to join.
• Lastly, ensure that your organization’s telework policy or guide addresses requirements for physical and information security.
Those who were a victim of a teleconference hijacking, or any cyber-crime, are asked to report it to the FBI’s Internet Crime Complaint Center at ic3.gov.