FTC says it will come after firms who haven't patched Log4j flaws

A white padlock on a dark digital background.
(Image credit: Shutterstock.com)

The United States Federal Trade Commission (FTC) said it will come after companies that fail to secure their customers’ data and endpoints by patching Log4j flaws on time.

The FTC said that such businesses are looking at a scenario similar to the Equifax 2019 settlement, where the company was forced to pay out $700 million for exposing customer data.

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the organization said. "Failure to identify and patch instances of this software may violate the FTC Act."

Destructive flaw

The FTC described the Log4j vulnerability as part of a “broader set” of structural issues, and one of “thousands” of unheralded but critically important open-source services being used by countless companies.

"These projects are often created and maintained by volunteers, who don't always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy. This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security."

In December 2021, researchers discovered a flaw with major destructive potential in Log4j, Apache’s logging tool. It’s tracked as CVE-2021-44228 and allows malicious actors to run virtually any code, including malware. The skills required to take advantage of the flaw are very low, experts have warned, urging everyone to patch Log4j as fast as they can.

Since then, Apache has issued multiple patches, as other, less destructive flaws have been uncovered in the meantime.

Jen Easterly, the director of the U.S. Cybersecurity and Infrastructure Security Agency (CISA), has described it as “one of the most serious” flaws she’s seen in her entire career, “if not the most serious”.

More recently, Microsoft said people are probably not aware how widespread the problem is, and warned that the number of criminals attempting to leverage the flaw remains high.

Via: ZDNet

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.