IT Pro is supported by its audience. When you purchase through links on our site, we may earn an affiliate commission. Learn more

FTC threatens legal action against companies failing to patch Log4Shell

The agency appears to be cracking down on the widespread security flaw as attack attempts remained high over the holiday period

The Federal Trade Commission (FTC) has issued a warning saying it will pursue legal action against any US company found to have put consumer data at risk by not properly mitigating Log4Shell.

The FTC said in its alert that Log4Shell poses a severe risk to millions of consumer products and enterprise applications, adding that there is a significant risk of data loss in a data breach made possible through the vulnerability, tracked as CVE-2021-44228.

"The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act," said the FTC. "It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

Equifax's infamous data breach was referenced by the FTC in its warning to all US businesses, saying it failed to patch a known vulnerability, lost data belonging to 147 million people, and paid $700 million (£517 million) to settle the actions by the FTC and Consumer Finance Protection Bureau. 

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," it said.

The FTC encouraged businesses to follow guidance issued by the US Cybersecurity and Infrastructure Security Agency:

  • Update your Log4j software package to the most current version found here
  • Consult CISA guidance to mitigate this vulnerability.   
  • Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act. 
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable. 

Log4Shell is the exploitable vulnerability in the widely used log4j library, discovered in December, and is still under active exploitation from cyber attackers. The volume of ongoing attack attempts has prompted great concern from the cyber security community about how impactful a successful attack could be.

Microsoft updated its blog on Log4Shell earlier this week echoing the concerns of the wider industry about the scale of attacks leveraging the vulnerability in log4j. The company said the vulnerability presents a "complex and high-risk situation for companies across the globe". 

Related Resource

Global security insights report 2021

Extended enterprise under threat

Whitepaper front coverFree download

The security flaw is so widespread in applications and services that it's difficult to understand how vulnerable any given environment actually is. Microsoft advised customers to run scripts and scanning tools to assess their exposure. 

"Exploitation attempts and testing have remained high during the last weeks of December," said Microsoft. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organisations may not realise their environments may already be compromised.

"Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered," it added. "At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."

Featured Resources

Defending against malware attacks starts here

The ultimate guide to building your malware defence strategy

Free Download

Datto SMB cyber security for MSPs report

A world of opportunity for MSPs

Free Download

The essential guide to preventing ransomware attacks

Vital tips and guidelines to protect your business using ZTNA and SSE

Free Download

Medium businesses: Fuelling the UK’s economic engine

A Connected Thinking report

Free Download

Most Popular

Getting the best value from your remote support software
Advertisement Feature

Getting the best value from your remote support software

13 Mar 2023
What the UK can learn from the rest of the world when it comes to the shift to IP

What the UK can learn from the rest of the world when it comes to the shift to IP

20 Mar 2023
Why the floppy disk may never die
Server & storage

Why the floppy disk may never die

27 Mar 2023