FTC Warns of Serious Log4j Online Personal Data Threat

The Federal Trade Commission is telling companies they are now forewarned about a serious online threat to their data, and that of consumers, and it will use its "full legal authority to pursue those who do not patch the vulnerability."

That came in a warning about the open source Log4j (Java logging package) software, which is used to log activity for a host of consumer-facing online products and services, it said.

It says a growing number of attackers is trying to exploit the vulnerability to steal personal and financial information that could cause "irreversible harms."

The FTC said that companies that don't take reasonable steps to mitigate known vulnerabilities potentially run afoul of the Federal Trade Commission Act and the Gramm-Leach-Bliley Act.

The FTC advises companies to check whether they use Log4j by going to the Cybersecurity and Infrastructure Security Agency (CISA) guidance. CISA said it is "very broadly used in a variety of consumer and enterprise services, websites, and applications—as well as in operational technology products—to log security and performance information."

If they do use it, the FTC says do the following:

1. "Update your Log4j software package to the most current version found here.
2. Consult CISA guidance to mitigate this vulnerability.
3. Ensure remedial steps are taken to ensure that your company’s practices do not violate the law. Failure to identify and patch instances of this software may violate the FTC Act.
4. Distribute this information to any relevant third-party subsidiaries that sell products or services to consumers who may be vulnerable."