FTC threatens legal action against companies failing to patch Log4Shell

The FTC crest on a building
(Image credit: Shutterstock)

The Federal Trade Commission (FTC) has issued a warning saying it will pursue legal action against any US company found to have put consumer data at risk by not properly mitigating Log4Shell.

The FTC said in its alert that Log4Shell poses a severe risk to millions of consumer products and enterprise applications, adding that there is a significant risk of data loss in a data breach made possible through the vulnerability, tracked as CVE-2021-44228.

"The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act," said the FTC. "It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

Equifax's infamous data breach was referenced by the FTC in its warning to all US businesses, saying it failed to patch a known vulnerability, lost data belonging to 147 million people, and paid $700 million (£517 million) to settle the actions by the FTC and Consumer Finance Protection Bureau.

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," it said.

The FTC encouraged businesses to follow guidance issued by the US Cybersecurity and Infrastructure Security Agency:

  • Update your Log4j software package to the most current version found here
  • Consult CISA guidance to mitigate this vulnerability.
  • Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
  • Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable.

Log4Shell is the exploitable vulnerability in the widely used log4j library, discovered in December, and is still under active exploitation from cyber attackers. The volume of ongoing attack attempts has prompted great concern from the cyber security community about how impactful a successful attack could be.

Microsoft updated its blog on Log4Shell earlier this week echoing the concerns of the wider industry about the scale of attacks leveraging the vulnerability in log4j. The company said the vulnerability presents a "complex and high-risk situation for companies across the globe".


Global security insights report 2021

Extended enterprise under threat


The security flaw is so widespread in applications and services that it's difficult to understand how vulnerable any given environment actually is. Microsoft advised customers to run scripts and scanning tools to assess their exposure.

"Exploitation attempts and testing have remained high during the last weeks of December," said Microsoft. "We have observed many existing attackers adding exploits of these vulnerabilities in their existing malware kits and tactics, from coin miners to hands-on-keyboard attacks. Organisations may not realise their environments may already be compromised.

"Microsoft recommends customers to do additional review of devices where vulnerable installations are discovered," it added. "At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments. Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."

Connor Jones
News and Analysis Editor

Connor Jones has been at the forefront of global cyber security news coverage for the past few years, breaking developments on major stories such as LockBit’s ransomware attack on Royal Mail International, and many others. He has also made sporadic appearances on the ITPro Podcast discussing topics from home desk setups all the way to hacking systems using prosthetic limbs. He has a master’s degree in Magazine Journalism from the University of Sheffield, and has previously written for the likes of Red Bull Esports and UNILAD tech during his career that started in 2015.