Cyber Security News

FTC Slams GoDaddy for Not Implementing Standard Security Practices Following Major Breaches

The Federal Trade Commission (FTC) has announced that it will require GoDaddy Inc. to develop and implement a comprehensive information security program.

This decision comes in response to allegations that the prominent web hosting company has consistently failed to adequately secure its services, risking the safety of millions of customers who rely on its platform.

Charges Against GoDaddy

According to the FTC’s complaint, GoDaddy has neglected to put in place reasonable and appropriate security measures since 2018, exposing its customers and their website visitors to various security threats.

The Commission highlighted that GoDaddy misled its customers about the extent of its data security protections. A staggering five million businesses utilize GoDaddy’s web hosting capabilities, underscoring the potential impact of these security failures.

Samuel Levine, the Director of the FTC’s Bureau of Consumer Protection, remarked, “Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on. The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe.”

Security Failures and Breaches

The FTC’s complaint outlines several critical shortcomings in GoDaddy’s security practices.

These include inadequate asset and software management, failure to assess risks to its shared hosting services, insufficient logging and monitoring of security-related events, and a lack of segmentation between shared hosting environments and less secure areas.

As a result, between 2019 and 2022, GoDaddy experienced multiple significant security breaches that allowed unauthorized access to customer websites and sensitive data.

These breaches not only jeopardized customer data but also exposed website visitors to potential threats, including redirection to malicious sites.

The FTC’s findings assert that GoDaddy misrepresented its security measures through claims made on its website and in marketing communications, including statements that it complied with various privacy regulations, among them the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.

To address these concerns, the FTC has proposed a settlement that obligates GoDaddy to adopt a robust data security program, similar to requirements imposed in recent cases against other companies like Marriott International. The proposed order includes several key directives:

  • Prohibition on Misleading Claims: GoDaddy will be barred from making false statements about its security practices and compliance with government or self-regulatory standards.
  • Implementation of Security Measures: The company must establish an information security program aimed at protecting the confidentiality, integrity, and security of its web hosting services.
  • Third-Party Assessment: GoDaddy is required to engage an independent evaluator to conduct an initial review and subsequent biennial assessments of its security program.

The FTC has voted unanimously to impose these requirements, with a public comment period set to follow the publication of the proposed consent agreement in the Federal Register.

Stakeholders will have 30 days to provide input, after which the Commission will consider finalizing the order. Violations of the order could lead to civil penalties of up to $51,744.

As the FTC continues to promote competition and protect consumer interests, the action against GoDaddy serves as a critical reminder of the importance of robust cybersecurity practices in safeguarding digital environments and consumer data.

The Commission emphasizes that it remains committed to holding companies accountable for their data protection efforts while educating consumers about potential risks and fraud. 

Divya

Divya is a Senior Journalist at GBhackers covering Cyber Attacks, Threats, Breaches, Vulnerabilities and other happenings in the cyber world.
