FTC threatens legal action against companies failing to patch Log4Shell

The agency appears to be cracking down on the widespread security flaw as attack attempts remained high over the holiday period

The Federal Trade Commission (FTC) has issued a warning saying it will pursue legal action against any US company found to have put consumer data at risk by not properly mitigating Log4Shell.

The FTC said in its alert that Log4Shell poses a severe risk to millions of consumer products and enterprise applications, adding that there is a significant risk of data loss in a data breach made possible through the vulnerability, tracked as CVE-2021-44228.

"The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act," said the FTC. "It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

Equifax's infamous data breach was referenced by the FTC in its warning to all US businesses, saying it failed to patch a known vulnerability, lost data belonging to 147 million people, and paid $700 million (£517 million) to settle the actions by the FTC and Consumer Finance Protection Bureau. 

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," it said.

The FTC encouraged businesses to follow guidance issued by the US Cybersecurity and Infrastructure Security Agency:

  • Update your Log4j software package to the most current version found here
  • Consult CISA guidance to mitigate this vulnerability.   
  • Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act. 
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable. 

Log4Shell is the exploitable vulnerability in the widely used log4j library, discovered in December, and is still under active exploitation from cyber attackers. The volume of ongoing attack attempts has prompted great concern from the cyber security community about how impactful a successful attack could be.

Microsoft updated its blog on Log4Shell earlier this week echoing the concerns of the wider industry about the scale of attacks leveraging the vulnerability in log4j. The company said the vulnerability presents a "complex and high-risk situation for companies across the globe". 

Related Resource

Global security insights report 2021

Extended enterprise under threat

Whitepaper front coverFree download

The security flaw is so widespread in applications and services that it's difficult to understand how vulnerable any given environment actually is. Microsoft advised customers to run scripts and scanning tools to assess their exposure. 

"Exploitation attempts and testing have remained high during the last weeks of December," said Microsoft. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organisations may not realise their environments may already be compromised.

"Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered," it added. "At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."

Featured Resources

How virtual desktop infrastructure enables digital transformation

Challenges and benefits of VDI

Free download

The Okta digital trust index

Exploring the human edge of trust

Free download

Optimising workload placement in your hybrid cloud

Deliver increased IT agility with the cloud

Free Download

Modernise endpoint protection and leave your legacy challenges behind

The risk of keeping your legacy endpoint security tools

Download now

Recommended

Senate report slams agencies for poor cyber security
cyber security

Senate report slams agencies for poor cyber security

3 Aug 2021
Most employees put their workplace at risk by taking cyber security shortcuts
cyber security

Most employees put their workplace at risk by taking cyber security shortcuts

27 Jul 2021
61% of organizations say improving security a top priority for 2021
cyber security

61% of organizations say improving security a top priority for 2021

29 Jun 2021
ProtectedBy.AI’s CodeLock blocks malware at source code level
software as a service (SaaS)

ProtectedBy.AI’s CodeLock blocks malware at source code level

9 Jun 2021

Most Popular

How to move Microsoft's Windows 11 from a hard drive to an SSD
Microsoft Windows

How to move Microsoft's Windows 11 from a hard drive to an SSD

4 Jan 2022
How to boot Windows 11 in Safe Mode
Microsoft Windows

How to boot Windows 11 in Safe Mode

6 Jan 2022
Microsoft Exchange servers break thanks to 'Y2K22' bug
email delivery

Microsoft Exchange servers break thanks to 'Y2K22' bug

4 Jan 2022