The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Log4j incident (March 2022)

In December 2021, a vulnerability was found in Log4j. This is a popular open-source logging tool developed by the Apache Foundation and used in lots of software; from web applications to email clients.

NCSC have developed advice and guidance to ensure organisations who may be using affected software can protect their systems.

ICO advice for data controllers and processors

In order to protect personal data from malicious attacks, which may aim to extract, delete or edit personal data, data controllers and processors should:

  1. Update Log4j to the latest version (currently 2.17.1) as soon as possible.
  2. Regularly check and update your third-party software packages, ensuring any updates relevant to log4j are applied as soon as possible.
  3. Consider if the vulnerability is likely to pose a risk to personal data and cause detriment to individuals, particularly, when updates are not currently available. If it is likely to pose a risk, then there are steps that your organisation can take to mitigate the vulnerabilities prior to a third party providing an update.

If a vulnerable Log4j version is found to exist on your organisation’s network, we strongly recommend conducting an additional investigation to detect if there has been any malicious activity.

As a matter of good data protection practice, we advise regular vulnerability scans and maintaining a knowledge of vulnerabilities present within your organisation’s systems and applications. This can help speed up mitigation of these types of vulnerability. Our Accountability Framework outlines some of the steps you can take to assess your systems and applications.