FTC to pursue companies that expose customer data due to not patching Log4j

The United States Federal Trade Commission has issued a warning that it will chase companies that do not remedy the vulnerability in the Java logging package Log4j.

"The FTC intends to use its full legal authority to pursue companies that fail to take reasonable steps to protect consumer data from exposure as a result of Log4j, or similar known vulnerabilities in the future," the agency said on Tuesday.

"Failure to identify and patch instances of this software may violate the FTC Act."

The agency cited its $700 million settlement with Equifax in 2019 as an example of what could happen if customer data is exposed.

"The Log4j vulnerability is part of a broader set of structural issues. It is one of thousands of unheralded but critically important open-source services that are used across a near-innumerable variety of internet companies," the FTC said. 

"These projects are often created and maintained by volunteers, who don't always have adequate resources and personnel for incident response and proactive maintenance even as their projects are critical to the internet economy.

"This overall dynamic is something the FTC will consider as we work to address the root issues that endanger user security."

Earlier on Tuesday, Microsoft said people might not be aware of how widespread the Log4Shell issue is in their environments, and warned that attempts to exploit it remained high to the end of 2021.

"At this juncture, customers should assume broad availability of exploit code and scanning capabilities to be a real and present danger to their environments," the software giant said.

"Due to the many software and services that are impacted and given the pace of updates, this is expected to have a long tail for remediation, requiring ongoing, sustainable vigilance."

Cloudflare warned last month it had detected activity related to the remote code exploit as early as December 1, which meant the vulnerability was in the wild for at least nine days before it was publicly disclosed.