U.S. FTC Warns Companies to Patch Log4j Security Vulnerability

The Federal Trade Commission (FTC) in the United States has warned companies that they must protect personal data from attacks on the Log4j vulnerability or risk paying millions of dollars in penalties. According to the FTC, organizations have a legal duty to take reasonable steps to remediate the vulnerability.

Log4j is a widely used Java logging library, embedded in a variety of consumer-facing products and services to record application activity. A critical vulnerability in Log4j (CVE-2021-44228) was recently disclosed, posing a substantial danger to millions of consumer devices, business applications, and online services. The vulnerability is being widely exploited by a growing number of attackers.

When vulnerabilities are discovered and exploited, the FTC stated, there is a risk of personal information being lost or breached, of financial loss, and of other irreversible harm. The duty to take reasonable precautions to mitigate known software vulnerabilities is established by laws such as the Federal Trade Commission Act and the Gramm-Leach-Bliley Act, among others. Companies and their vendors that rely on Log4j must act quickly to reduce the likelihood of consumer harm and to avoid FTC legal action.

$700M to Settle Data Breach Lawsuit

In the Equifax case, the failure to patch a known vulnerability exposed the personal information of 147 million people, harm that cannot be undone. Equifax agreed to pay $700 million to the FTC, the Consumer Financial Protection Bureau, and all fifty states as part of a settlement. The FTC says it intends to use its full legal authority to pursue organizations that fail to take reasonable steps to protect consumer data from exposure through Log4j, or through similar known vulnerabilities in the future.

Companies can consult the Cybersecurity and Infrastructure Security Agency (CISA) guidance to determine whether they are using the Log4j software library.
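Neither the FTC notice nor CISA supplies a script for that check; the following is an added example, not code from either agency, showing one practical way to do it: walk a directory tree, identify jars that carry the log4j-core Maven metadata (pom.properties or the manifest), compare the version against the CVE-2021-44228 affected range (2.0-beta9 through 2.14.1, fixed in 2.15.0), and report whether JndiLookup.class is present, since removing that class was the documented mitigation for 2.10+ where an upgrade was not immediately possible. Later Log4j advisories in the 2.15 and 2.16 line raised the bar further, so treat 2.15.0 here as the floor for this CVE only and adjust FIXED_VERSION to your target release. The sample jars are constructed fixtures built by the script itself; nothing is downloaded.

```python
"""Scan a directory tree for log4j-core jars and flag versions in the
CVE-2021-44228 affected range. Added example; not CISA or Apache tooling."""
import re
import tempfile
import zipfile
from pathlib import Path

# CVE-2021-44228 affects log4j-core 2.0-beta9 through 2.14.1; 2.15.0 is the
# first fixed release. The trailing 1 marks a final release so that pre-release
# tags (e.g. 2.15.0-rc1) sort below it and are still flagged.
FIXED_VERSION = (2, 15, 0, 1)
POM_PREFIX = "META-INF/maven/org.apache.logging.log4j/log4j-core/"
JNDI_CLASS = "org/apache/logging/log4j/core/lookup/JndiLookup.class"


def parse_version(text):
    """'2.14.1' -> (2, 14, 1, 1); '2.0-beta9' -> (2, 0, 0, 0). None if unparseable."""
    m = re.fullmatch(r"(\d+)\.(\d+)(?:\.(\d+))?(?:-([A-Za-z0-9]+))?", text.strip())
    if not m:
        return None
    major, minor, patch, tag = m.groups()
    return (int(major), int(minor), int(patch or 0), 0 if tag else 1)


def inspect_jar(path):
    """Return findings for a log4j-core jar, or None if the jar is not log4j-core."""
    with zipfile.ZipFile(path) as zf:
        names = set(zf.namelist())
        version = None
        # Maven-built jars carry pom.properties with the exact artifact version.
        for name in names:
            if name.startswith(POM_PREFIX) and name.endswith("pom.properties"):
                for line in zf.read(name).decode("utf-8", "replace").splitlines():
                    if line.startswith("version="):
                        version = line.split("=", 1)[1].strip()
        # Repackaged jars sometimes lack pom.properties; fall back to the manifest.
        if version is None and "META-INF/MANIFEST.MF" in names:
            manifest = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
            title = re.search(r"^Implementation-Title:\s*(.+)$", manifest, re.M)
            ver = re.search(r"^Implementation-Version:\s*(.+)$", manifest, re.M)
            if title and ver and "log4j-core" in title.group(1):
                version = ver.group(1).strip()
        if version is None:
            return None
        parsed = parse_version(version)
        return {
            "path": str(path),
            "version": version,
            # Unparseable versions are reported as vulnerable, not silently skipped.
            "vulnerable": parsed is None or parsed < FIXED_VERSION,
            # Absence of this class lowers exposure even on an old version.
            "jndi_lookup_present": JNDI_CLASS in names,
        }


def scan_tree(root):
    """Walk root for .jar files and return findings for every log4j-core jar."""
    findings = []
    for jar in Path(root).rglob("*.jar"):
        try:
            info = inspect_jar(jar)
        except zipfile.BadZipFile:
            continue  # corrupt, or a non-zip file with a .jar extension
        if info:
            findings.append(info)
    return findings


def build_sample_jar(path, version, include_jndi=True):
    """Constructed fixture: a minimal jar carrying log4j-core's Maven metadata."""
    with zipfile.ZipFile(path, "w") as zf:
        zf.writestr(POM_PREFIX + "pom.properties",
                    "groupId=org.apache.logging.log4j\n"
                    f"artifactId=log4j-core\nversion={version}\n")
        if include_jndi:
            zf.writestr(JNDI_CLASS, b"\xca\xfe\xba\xbe")  # class-file magic only
    return path


def demo_scan():
    """Build constructed fixtures in a temp dir and scan them; findings sorted by path."""
    root = Path(tempfile.mkdtemp())
    build_sample_jar(root / "log4j-core-2.14.1.jar", "2.14.1")
    build_sample_jar(root / "log4j-core-2.10.0-stripped.jar", "2.10.0", include_jndi=False)
    build_sample_jar(root / "log4j-core-2.17.1.jar", "2.17.1")
    with zipfile.ZipFile(root / "other-lib.jar", "w") as zf:  # not log4j-core; ignored
        zf.writestr("META-INF/MANIFEST.MF", "Manifest-Version: 1.0\n")
    return sorted(scan_tree(root), key=lambda f: f["path"])


if __name__ == "__main__":
    for finding in demo_scan():
        print(finding)
```

Point scan_tree at an application's lib directory, a container image layer, or an unpacked build artifact. The script only looks at top-level .jar files; log4j-core is frequently shaded into fat jars or nested inside .war and .ear archives, so a complete inventory also has to recurse into archives-within-archives, which this example leaves out.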