FTC warns of potential penalties for firms that fail to fix Log4j software flaws

The agency says the warning applies to future vulnerabilities too.
Computer with alert on it.

The Federal Trade Commission Tuesday warned companies that if they fail to take action to remedy a major recent software vulnerability in open-source software tool Log4j, there could be legal repercussions.

“When vulnerabilities are discovered and exploited, it risks a loss or breach of personal information, financial loss, and other irreversible harms,” the agency warned. “It is critical that companies and their vendors relying on Log4j act now, in order to reduce the likelihood of harm to consumers, and to avoid FTC legal action.”

Log4j is ubiquitous in software used throughout the technology industry, and is found in products built by companies including Amazon, Google and Microsoft. The widespread use of such technology has made it difficult to identify potential victims. At the same time, the popularity has made it an easy target for a range of cybercriminals to exploit.

The warning shot from the top consumer protection agency comes as lawmakers debate the specifics of a federal law overseeing requirements for companies that suffer a breach.


The FTC has in the past applied its oversight authority to such consumer concerns.

Tuesday’s notice cites Equifax’s $700 million settlement with the agency in 2019 as a cautionary tale. The FTC’s complaint alleged that Equifax’s failure to patch a known flaw led to the exposure of the personal information of 147 million customers. Such breaches have continued in the years since: Morgan Stanley on Monday reached a $60 million settlement with customers who accused the bank of exposing their personal data with outdated IT.

The FTC plans to apply its legal authority to protect consumers in the cases of “similar known vulnerabilities in the future,” the notice adds.

The agency pointed companies to guidance from the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency, which has issued a series of alerts and advisories on how to patch. CISA set a deadline of Dec. 23 for civilian federal agencies to patch the vulnerability. A CISA spokesperson confirmed Tuesday that the agency “received status reports from all large agencies, which have either patched or deployed alternate mitigations to address the risk,” but did not clarify which non-“large” agencies had not met the deadline.

The debacle with Log4j has highlighted a systemic deficit of resources to keep the open-source projects critical to the internet safe, as MIT Technology Review reported. The FTC indicated it was interested in at looking such concerns “as we work to address the root issues that endanger user security.”


Tim Starks contributed reporting to this story.

Tonya Riley

Written by Tonya Riley

Tonya Riley covers privacy, surveillance and cryptocurrency for CyberScoop News. She previously wrote the Cybersecurity 202 newsletter for The Washington Post and before that worked as a fellow at Mother Jones magazine. Her work has appeared in Wired, CNBC, Esquire and other outlets. She received a BA in history from Brown University. You can reach Tonya with sensitive tips on Signal at 202-643-0931. PR pitches to Signal will be ignored and should be sent via email.

Latest Podcasts