FTC warns of legal action against organizations that fail to patch Log4j flaw

U.S. organizations that fail to secure customer data against Log4Shell, a zero-day vulnerability in the widely used Log4j Java logging library, could face legal repercussions, the Federal Trade Commission (FTC) has warned.

In an alert this week, the consumer protection agency warned that the “serious” flaw, first discovered in December, is being exploited by a growing number of attackers and poses a “severe risk” to millions of consumer products. The public letter urges organizations to mitigate the vulnerability in order to reduce the likelihood of harm to consumers and to avoid potential legal action.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss and other irreversible harms,” the agency said. “The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

The FTC highlighted the case of Equifax, which failed to patch a known Apache Struts flaw back in 2017, leading to the compromise of sensitive info on 147 million consumers. The credit reporting agency subsequently agreed to pay $700 million to settle with the agency and individual states.

“The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j,” the FTC said, adding that it plans to apply its legal authority to protect consumers in the cases of “similar known vulnerabilities in the future.”

For organizations keen to dodge a potential multimillion-dollar fine, the FTC is encouraging that they follow guidance issued by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). This urges businesses to update Log4j software packages to the most recent version, to take steps to mitigate the vulnerability and to distribute information about the vulnerability to third-parties and consumers who may be vulnerable.

The FTC’s warning shot comes after Microsoft this week warned that the Log4Shell vulnerability remains a “complex and high-risk” situation for companies, adding that “exploitation attempts and testing remained high during the last weeks of December,” with lower-skilled attackers and nation-state actors alike taking advantage of the flaw.

“At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments,” it added. “Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance.”