Welcome to CAF Bank

The bank dedicated to supporting charities and social purpose enterprises. So we understand what you need.

Log4j vulnerability: What you need to know

Cyber threats are becoming ever-more advanced and some fraudsters think charities are a soft target. So it’s imperative to stay up-to-date on the latest risks to keep your organisation’s systems and processes secure.

With this in mind, charities should be aware of a critical cyber security vulnerability, discovered within the tool Log4j in December 2021, that could leave organisations open to malicious attacks.

This flaw has the potential to impact the operations of all organisations, regardless of size or scale of resources. Charities should follow cyber security best practice to mitigate their exposure to this vulnerability.

  • Keep any ‘off the shelf’ software and anti-virus services up-to-date
  • Take direct action if you host your own website or bespoke software applications

What is the vulnerability within Log4j?

Log4Shell is a vulnerability discovered within a tool called Log4j, which is used worldwide across many software applications and online services. If left unfixed, this flaw could allow hackers to steal data from an organisation’s systems or infect them with malicious software.

This security flaw poses a number of risks to charities:

  • Potential loss of revenue due to malfunctioning systems
  • Cost of containing and fixing systems breaches
  • Loss of data, including personal and financial details of donors and beneficiaries

A breach would also have a knock-on effect on a charity’s reputation and the general public’s trust in the organisation’s competency.

How to protect your organisation

It may not be clear if your web servers, web applications, network devices, other software and hardware use Log4j. So it’s critical to take immediate steps to detect where Log4j is being used by your software vendors and other third party suppliers and take the necessary precautions.  

The UK's cyber security agency, NCSC, has issued advice to enable organisations to identify any exposure to this vulnerability and understand the required action to fix the flaw.

This advice includes:

  • Check your systems for the use of Log4j. If you are using it in applications developed in-house, update to the latest version of Log4j (currently Log4j 2.17.0)
  • Update third party applications. Products may release updates to fix bugs or vulnerabilities in the coming weeks, so be sure to check for updates regularly
  • Contact your third party suppliers. Get in touch to find out if your suppliers are affected. This includes anybody storing or processing your data or accessing your systems, to ensure they have reviewed and mitigated their Log4Shell exposure

If you need assistance with understanding your organisation’s exposure, contact an IT or security professional to help guide you through it.

Have CAF and CAF Bank services been affected?

We were alerted to the discovery of the vulnerability within Log4j on 10 December 2021 through our threat monitoring service. Since then, we have carried out an extensive review of CAF and CAF Bank operational systems and online services, none of which have been impacted.

Keeping customers’ data and accounts safe and secure is our highest priority. To that end, we continue to monitor potential vulnerabilities and threats such as this, to minimise the risk of our services being impacted by them.

Reporting attempted fraud

CAF's security centre provides more tips about how to protect yourself and your accounts from fraud.

If you suspect your organisation’s bank accounts have been exposed to fraud or cyber attack, please call our customer service team on 03000 123 456 or email scamreporting@cafonline.org.

If you believe your organisation has become a victim of fraud of any kind, please report it to the Report Fraud helpline.


CAF Bank Limited is authorised by the Prudential Regulation Authority and regulated by the Financial Conduct Authority and the Prudential Regulation Authority (Financial Services Register number: 204451).

CAF Bank Limited Registered office is 25 Kings Hill Avenue, Kings Hill, West Malling, Kent ME19 4JQ. Registered in England and Wales under number 1837656.