The Information Commissioner’s Office has issued an important notice for businesses in the wake of the discovery of the Log4j vulnerability.
Log4j vulnerability identified
Log4j is a popular open-source logging tool used in a range of software and online services.
Towards the end of last year, a vulnerability was found in Log4j which was labelled as “potentially one of the most severe computer vulnerabilities in years” by the National Cyber Security Centre.
If the fixes are not applied, it exposes the online service to malicious attacks in which personal data can be extracted, deleted or edited.
What to do if you use Log4j
Data Controllers and Processors must urgently:
- Check your systems for the use of Log4j and update to the latest version – ask your web developer or IT support team if you are unsure.
- Check the lists of vulnerable software available online. Many large providers have identified themselves as being affected and issued statements about the mitigating steps taken.
- If necessary, contact your third-party software vendors to check if their products have been affected by the vulnerability and confirm that updates have been applied.
- Implement technical mitigating actions such as firewall rules.
- Check your policies and procedures on incident response.
- Check for scanning activity and exploitation.
- Report the incident if you are legally required to do so.
- Sign up for the NCSC’s Early Warning.
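The first step, checking your systems for Log4j, is the one most organisations struggle with because log4j-core is often bundled inside WAR, EAR or uber-jar files rather than sitting loose on disk. The following inventory script is an added example and not part of the ICO notice; it walks a directory tree, descends into nested archives, reads each log4j-core version from the jar manifest, and flags anything older than a threshold you supply. The threshold version is deliberately a parameter (take it from your vendor's or the NCSC's guidance), the function names are my own, and the sample tree the script builds is constructed test data.

```python
import io, os, re, tempfile, zipfile

ARCHIVES = (".jar", ".war", ".ear")
LOG4J_JAR = re.compile(r"log4j-core-(\d+(?:\.\d+)*)\.jar$")  # name version is the fallback

def parse_version(text):
    m = re.match(r"\d+(?:\.\d+)*", text)  # '2.14.1-SNAPSHOT' -> (2, 14, 1); junk -> ()
    return tuple(int(p) for p in m.group(0).split(".")) if m else ()

def manifest_version(zf):
    """Implementation-Version from META-INF/MANIFEST.MF, or None if absent."""
    if "META-INF/MANIFEST.MF" not in zf.namelist():
        return None
    text = zf.read("META-INF/MANIFEST.MF").decode("utf-8", "replace")
    m = re.search(r"^Implementation-Version:\s*(\S+)", text, re.M)
    return m.group(1) if m else None

def scan_archive(path, data, findings):
    """Record log4j-core jars in one archive, recursing into nested archives."""
    try:
        zf = zipfile.ZipFile(io.BytesIO(data))
    except zipfile.BadZipFile:
        return  # not a zip (or a corrupt one): nothing to inspect
    match = LOG4J_JAR.search(os.path.basename(path))
    if match:
        findings.append((path, manifest_version(zf) or match.group(1)))
    for name in zf.namelist():  # WAR/EAR/uber-jars hide copies from filename searches
        if name.lower().endswith(ARCHIVES):
            scan_archive(path + "!/" + name, zf.read(name), findings)

def find_log4j(root, minimum_safe):
    """Walk root; return sorted [(path, version, needs_update)] per log4j-core found."""
    findings = []
    for dirpath, _, files in os.walk(root):
        for f in files:
            if f.lower().endswith(ARCHIVES):
                with open(os.path.join(dirpath, f), "rb") as fh:
                    scan_archive(os.path.join(dirpath, f), fh.read(), findings)
    return [(p, v, parse_version(v) < parse_version(minimum_safe)) for p, v in sorted(findings)]

def build_sample_tree():
    """Constructed sample: a loose old log4j-core jar plus a WAR that bundles it."""
    root, buf = tempfile.mkdtemp(), io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("META-INF/MANIFEST.MF", "Implementation-Version: 2.14.1\n")
    with open(os.path.join(root, "log4j-core-2.14.1.jar"), "wb") as fh:
        fh.write(buf.getvalue())
    with zipfile.ZipFile(os.path.join(root, "app.war"), "w") as war:
        war.writestr("WEB-INF/lib/log4j-core-2.14.1.jar", buf.getvalue())
    return root
```

Run `find_log4j("/opt", "<patched version from your vendor advisory>")` against real application directories; a version that cannot be parsed is treated as oldest, so it is always flagged for manual review.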
Information Commissioner’s Office recommendation
In the context of personal data, the Information Commissioner’s Office further recommends:
“Consider if the vulnerability is likely to pose a risk to personal data and cause detriment to individuals, particularly, when updates are not currently available. If it is likely to pose a risk, then there are steps that your organisation can take to mitigate the vulnerabilities prior to a third party providing an update.
If a vulnerable Log4j version is found to exist on your organisation’s network, we strongly recommend conducting an additional investigation to detect if there has been any malicious activity”.
This alert highlights the importance of ongoing data protection audits and checks, including vulnerability testing. The Information Commissioner’s Accountability Framework outlines some of the steps you can take to assess your systems and applications.