FTC Eyes Penalties for Companies That Fail to Remediate Log4j Vulnerability
According to the FTC, technology companies and their vendors should take all necessary steps to mitigate the damage from Log4Shell and avoid potential harm to consumers. The agency pointed out that damages can be in the form of personal information breaches, financial losses and other forms of irreversible damage. The warning comes as lawmakers sort out the specifics for a federal law overseeing requirements for companies that suffer a cyber breach, CyberScoop reported Tuesday.
The FTC cited Equifax’s $700 million settlement as an example. In this instance, Equifax failed to patch a known flaw in 2019 that led to the exposure of the personal information of around 148 million customers. The trade organization said it will apply its legal authority to protect consumers against known cyber gaps.
The FTC also urged companies to follow guidance issued by the Cybersecurity and Infrastructure Security Agency in dealing with the Log4j vulnerability. According to a CISA spokesperson, all large federal agencies were able to execute remediations to address the issue. The cybersecurity agency set a deadline of Dec. 23 for civilian federal agencies to patch their systems.
Log4j is used in software throughout the technology industry and is found in offerings from Amazon, Microsoft and other tech companies. Tracking down potentially compromised systems has been difficult because the component is so widely embedded. Its popularity also makes it a prime target for cybercriminals to exploit.
The Apache Software Foundation disclosed the Log4Shell vulnerability on Dec. 9, and CISA made it a top-priority vulnerability on Dec. 17. According to Microsoft, it could take years to fully remediate the issue because of how widely Log4j is used.