FTC warns companies to mitigate Log4j vulnerability

In a blog post about the critical Log4Shell vulnerability, the FTC mentioned 2017's Equifax breach and the legal consequences that followed.

The Federal Trade Commission warned companies that it "intends to use its full legal authority" if they don't protect consumers from the Log4Shell vulnerability and others like it.

The warning came via a blog post Tuesday on the Federal Trade Commission's website about CVE-2021-44228, a critical configuration vulnerability in Log4j, the ubiquitous Java logging framework, that enables remote code execution against the large number of organizations exposed to it.

According to the post, titled "FTC warns companies to remediate Log4j security vulnerability," the commission said companies using Log4j have a legal obligation to act on the threat the vulnerability poses.

"The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act," the post read. "It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action."

The commission used stronger terms later in the post to describe the potential for legal action, declaring it would "pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future."

Furthermore, the FTC's post referenced the 2017 breach against credit bureau mammoth Equifax. The breach occurred due to a critical Apache Struts vulnerability that was not patched despite an update being available, and ultimately resulted in the compromise of personal data for nearly 150 million Americans as well as millions of customers outside the United States.

According to a report from the U.S. House Committee on Oversight and Government Reform, threat actors first exploited the Apache Struts vulnerability on March 10, 2017, just three days after the Apache Software Foundation disclosed and patched the bug. The report said Equifax received an alert from the Department of Homeland Security on March 8, urging the company to mitigate the vulnerability, and that the appropriate staff members were directed on March 9 to patch all systems. Equifax's scanning showed no vulnerable systems several days later, but the company missed an internet-facing customer dispute portal that threat actors used to gain entry into the credit agency's network.

Shortly after the breach, the FTC launched a 20-month investigation alongside state partners and the Consumer Financial Protection Bureau, which ultimately resulted in a 2019 settlement. As the FTC noted in its blog, "Equifax agreed to pay $700 million to settle actions by the Federal Trade Commission, the Consumer Financial Protection Bureau, and all fifty states."

The FTC did not respond to SearchSecurity's request for comment.

Alexander Culafi is a writer, journalist and podcaster based in Boston.
