News

Legal Actions for Some Companies Over Log4j Data Breaches

• By Kurt Mackie
• January 04, 2022

Companies that disclose customer information because they failed to address an exploited vulnerability in a Log4j software component may be facing some legal hot water from the  U.S. Federal Trade Commission (FTC).

Log4j is a Java logging framework that's widely used by organizations in Apache Web servers. It's subject to simple remote attacks by just sending a text string to a server. These attacks are dubbed "Log4Shell," and they leverage common vulnerability and exposure in Log4j known as "CVE-2021-44228." 

A general public alarm about widespread  ngoing Log4Shell attacks was raised in mid-December.

Security researchers at CrowdStrike have been seeing Log4Shell exploits being used to deliver malware payloads such as cryptominers and backdoors, with suspected nation-state actors also entering the fray.

FTC Threatens To Sue
The FTC's announcement, though, solely focused on the disclosure of consumer information as a problem it'll oversee.

The FTC may prosecute such data breaches if the Log4j vulnerability was used. Here's how the FTC couched its warning to companies:

When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms. The duty to take reasonable steps to mitigate known software vulnerabilities implicates laws including, among others, the Federal Trade Commission Act and the Gramm Leach Bliley Act. It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.

In that context, the FTC mentioned the Equifax exposure of consumer credit information, where the credit bureau company agreed to pay "$700 million" after the exposure of 147 million records. That settlement was deemed to be the largest of its kind at the time, per a 2019 Reuters story, but still deemed inadequate by its critics. Consumers had to document their costs due to the breach and file claims to get compensated.

It's not clear if the $700 million was actually paid by Equifax, or if it was just a floating estimate, depending on filed claims. In some cases, Equifax just offered free credit reports to the victims, but most people didn't volunteer their credit information to Equifax in the first place. The FTC, which could regulate such companies, noted in its Equifax settlement description that "you cannot opt out of this data collection" by companies like Equifax. Given such conditions, similar data breaches are likely to happen again.

Follow CISA Guidelines
The FTC directed companies to follow the Log4j guidance published by the U.S. Cybersecurity and Infrastructure Security Agency (CISA). It recommends conducting discovery of Log4j Java library use, detecting indicators of compromise, monitoring for odd Internet traffic patterns and updating the Log4j software.

Advice from CISA on conducting scans for the Log4j vulnerability can be found at this GitHub page.

Attackers that successfully leverage the Log4j vulnerability can "steal information, launch ransomware, or conduct other malicious activity," CISA noted.

In a Dec. 28 update to its guidance, CISA noted that organizations should upgrade to the latest Log4j release, which varies based on which version of Java is used. Here's that description:

(Updated December 28, 2021) Organizations are urged to upgrade to Log4j 2.17.1 (Java 8), 2.12.4 (Java 7) and 2.3.2 (Java 6), and review and monitor the  Apache Log4j Security Vulnerabilities webpage for updates and mitigation guidance.

The Apache Software Foundation's earlier release of Log4j version 2.15.0 was an intended fix for the vulnerability, but it was deemed inadequate, as noted at the foundation's Log4j security page:

While Log4j 2.15.0 makes a best-effort attempt to restrict JNDI LDAP lookups to localhost by default, there are ways to bypass this and users should not rely on this.

Log4j is "a ubiquitous piece of software," the FTC noted. Many organizations likely are affected. CISA has compiled a list of the affected software using Log4j, which can be accessed via a link at the end of this GitHub page.