Recent studies indicate that nearly all cloud environments are vulnerable to Log4J attacks, yet fewer than half have been patched at this point. In addition to the potential damage caused by theft and business disruption, another cost is looming: legal action backed by new Federal Trade Commission (FTC) rules.
The FTC has issued a notice indicating that it may take enforcement action against businesses that fail to patch all of their instances of Log4J. While there are still relatively few high-profile breaches involving the vulnerability, there were already millions of attempts on corporate networks logged by the end of 2021.
Log4J could create heavy fines for companies
As of January 2021, nearly half of all corporations had been targeted by an attempted Log4J attack. Though defenses have held up impressively well thus far, instances of Log4J are everywhere, and an attack that slips through company defenses could result in expensive legal action.
The FTC’s notice cited the 2017 case against Equifax as a precedent. One of the “big three” credit reporting bureaus, Equifax faced legal action for losing the records of at least 147 million people to an unknown attacker. The breach stemmed from a known vulnerability that the company had failed to patch. On that basis, the FTC settled with Equifax for a fine of $700 million.
The Equifax case may not be the scariest possible warning, in spite of the size of the fine, given that the FTC ended up allowing the company to “pay” in the form of a year of free credit monitoring for consumers (and final court approval of that settlement was delayed until February 2022). Online privacy has become a much more serious issue since 2017, however, especially after the spate of ransomware attacks on critical infrastructure and digital service providers in 2021.
Gambling with legal action could backfire, particularly if a federal digital privacy law emerges in the near future. The prime targets of Log4J attacks are also expected to be small businesses, whose limited IT staff and budgets make it hard to fit the work of combing through code and applying patches into the daily schedule. Successful Log4J attacks have thus far delivered ransomware and wiper malware, and have added compromised devices to botnets.
FTC could take legal action against laggards
Patching quite often falls down the priority list, which is undoubtedly behind the FTC’s decision to make overtures about legal action. Log4J patching is critical, however: not only is the vulnerability extremely common, it is also easy for even low-skill attackers to exploit.
So what exactly does the FTC expect companies to do to steer clear of legal action? Thus far it has not laid out specific requirements, but it has called for “reasonable steps,” including following the Cybersecurity and Infrastructure Security Agency’s (CISA) published guidance on Log4J. The notice also indicated that organizations could be expected to notify subsidiary companies and companies in their supply chain about possible instances of Log4J.