IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FTC threatens legal action against companies failing to patch Log4Shell

The agency appears to be cracking down on the widespread security flaw as attack attempts remained high over the holiday period

The Federal Trade Commission (FTC) has issued a warning saying it will pursue legal action against any US company found to have put consumer data at risk by not properly mitigating Log4Shell.

The FTC said in its alert that Log4Shell poses a severe risk to millions of consumer products and enterprise applications, adding that there is a significant risk of data loss in a data breach made possible through the vulnerability, tracked as CVE-2021-44228.

"The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act," said the FTC. "It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

Equifax's infamous data breach was referenced by the FTC in its warning to all US businesses, saying it failed to patch a known vulnerability, lost data belonging to 147 million people, and paid $700 million (£517 million) to settle the actions by the FTC and Consumer Finance Protection Bureau. 

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," it said.

The FTC encouraged businesses to follow guidance issued by the US Cybersecurity and Infrastructure Security Agency:

  • Update your Log4j software package to the most current version found here
  • Consult CISA guidance to mitigate this vulnerability.   
  • Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act. 
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable. 

Log4Shell is the exploitable vulnerability in the widely used log4j library, discovered in December, and is still under active exploitation from cyber attackers. The volume of ongoing attack attempts has prompted great concern from the cyber security community about how impactful a successful attack could be.

Microsoft updated its blog on Log4Shell earlier this week echoing the concerns of the wider industry about the scale of attacks leveraging the vulnerability in log4j. The company said the vulnerability presents a "complex and high-risk situation for companies across the globe". 

Related Resource

Global security insights report 2021

Extended enterprise under threat

Whitepaper front coverFree download

The security flaw is so widespread in applications and services that it's difficult to understand how vulnerable any given environment actually is. Microsoft advised customers to run scripts and scanning tools to assess their exposure. 

"Exploitation attempts and testing have remained high during the last weeks of December," said Microsoft. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organisations may not realise their environments may already be compromised.

"Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered," it added. "At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."

Featured Resources

Join the 90% of enterprises accelerating to the cloud

Business transformation through digital modernisation

Free Download

Delivering on demand: Momentum builds toward flexible IT

A modern digital workplace strategy

Free download

Modernise the workforce experience

Actionable insights and an optimised experience for both IT and end users

Free Download

The digital workplace roadmap

A leader's guide to strategy and success

Free Download

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021

Most Popular

Universities are fighting a cyber security war on multiple fronts
cyber security

Universities are fighting a cyber security war on multiple fronts

4 Jul 2022
Hackers claim to steal personal data of over a billion people in China
data breaches

Hackers claim to steal personal data of over a billion people in China

4 Jul 2022
Latest LockBit ransomware strain 'strikingly similar' to BlackMatter
ransomware

Latest LockBit ransomware strain 'strikingly similar' to BlackMatter

4 Jul 2022