The Federal Trade Commission (FTC) is warning US organizations they may face legal penalties if they don't take steps to protect consumer information from exposure via the Log4j vulnerability.
In a Jan. 4 release, FTC officials said the serious vulnerability in the Java logging package posed a "severe risk" to consumer products, enterprise software, and Web applications, and it's being exploited by a growing number of cyberattackers. When flaws like the one in Log4j are exploited, the result can be the compromise of personal data, financial loss, and other damages.
"It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action," officials wrote.
They cited the complaint following the Equifax breach, which stemmed from failure to patch a known vulnerability and led to the exposure of 147 million consumers' personal information. As a result, Equifax agreed to pay $700 million to settle actions by the FTC, Consumer Financial Protection Bureau, and all 50 states, officials noted.
"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," they said.
In response to this week's news, Tenable CEO Amit Yoran said, "About time. Hallelujah!" The FTC's warning of potential legal repercussions is "long overdue," he added, given the threat that Log4j presents to the data so many companies collect on individuals. Disregarding the steps to proactively address it is "the definition of negligence," he said.
Read the full FTC alert for more details.