FTC Slams GoDaddy For Failing To Implement Standard Security Practices Following Major Breaches


The Federal Trade Commission (FTC) has taken significant action against GoDaddy, one of the world’s largest web hosting companies, for failing to implement adequate security measures to protect its customers’ data.

The FTC alleges that GoDaddy’s “unreasonable security practices” led to several major breaches between 2019 and 2022, exposing sensitive customer information and putting millions of businesses and consumers at risk.

According to the FTC, GoDaddy failed to adopt basic cybersecurity practices necessary to safeguard its hosting services. The company allegedly neglected critical measures such as:

  1. Conducting regular software updates and patch management.
  2. Implementing multi-factor authentication (MFA) for administrative access.
  3. Logging and monitoring security-related events.
  4. Segmenting its network to prevent lateral movement by attackers.
  5. Securing connections to sensitive systems, such as APIs.

The FTC also accused GoDaddy of misleading customers through marketing claims that it provided robust security.

Despite assurances of “24/7 network security” and adherence to international privacy frameworks like the EU-U.S. Privacy Shield, the FTC found these claims to be false or misleading.
Impact Of Security Failures

GoDaddy’s lapses in cybersecurity resulted in multiple breaches that compromised customer websites and data. Notable incidents include:

1. 2019-2020 Breach: Attackers exploited vulnerabilities in GoDaddy’s hosting environment, gaining unauthorized access for over six months. They replaced application files with malicious versions, compromising login credentials for approximately 28,000 customers and 199 employees.

2. 2021 WordPress Breach: Hackers accessed an insecure API, exposing sensitive data from 1.2 million customers, including email addresses, private encryption keys, and database credentials.

3. 2022 Recurrence: A threat actor exploited leftover vulnerabilities from earlier breaches, redirecting visitors of customer websites to malicious sites.

These incidents not only harmed businesses relying on GoDaddy’s services but also endangered consumers visiting affected websites. Victims faced risks such as identity theft, financial fraud, and exposure to malware.

FTC’s Actions And Settlement

In response to these failures, the FTC has mandated that GoDaddy overhaul its cybersecurity practices under a proposed settlement agreement. Key requirements include:

  1. Establishing a comprehensive information-security program.
  2. Implementing MFA across all administrative accounts.
  3. Conducting regular third-party assessments of its security measures.
  4. Ensuring secure connections for all API communications.

The settlement prohibits GoDaddy from making false claims about its security practices in the future. While the company did not admit wrongdoing or face monetary penalties, non-compliance with the order could result in fines of up to $51,744 per violation.

GoDaddy stated that it has already implemented many of the FTC’s recommended measures and remains committed to improving its cybersecurity defenses.

“We are focused on protecting our customers’ data and websites,” a company spokesperson said. “We continue to invest in technologies, tools, and expertise to enhance system and information security.”

The company emphasized that it expects minimal financial impact from complying with the settlement terms.

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, highlighted the importance of this case: “Millions of small businesses rely on hosting providers like GoDaddy to secure their websites. The FTC is acting to ensure companies strengthen their security frameworks to protect consumers worldwide.”

This action underscores the FTC’s commitment to holding companies accountable for cybersecurity failures that put consumers at risk.

Similar enforcement actions have been taken against other major firms like Marriott International for comparable lapses in data protection.