FTC has ordered GoDaddy to tighten its security practices
- FTC formally complains about GoDaddy’s security claims
- “Major compromises” between 2019 and 2022 are cause for concern
- GoDaddy has settled with the FTC for better security
A new complaint from the Federal Trade Commission has accused GoDaddy of misleading customers and failing to adequately protect its web hosting services.
The notice serves as a final warning to the company, which has been told to address security issues dating back to 2018, but GoDaddy will not face any immediate consequences.
The list of mistakes allegedly made by the company has now been highlighted by the FTC in an official complaint, including violations of the FTC Act.
GoDaddy receives notice from the FTC
The lengthy list accuses GoDaddy of failing to: “(a) inventory and manage assets; (b) manage software updates; (c) assess the risks to the hosting services of its websites; (d) use multi-factor authentication; (e) record security-related events; (f) monitor for security threats, including by not using software that can actively detect threats from the many log files and by not using file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data.”
In the complaint, the FTC highlights several “major compromises” between 2019 and December 2022 in which threat actors obtained sensitive customer information. These include attacks in October 2019, March 2020, April 2020 and November 2021.
Redirects to malicious sites, data harvesting, mailer script infections, database attacks, user authentication vulnerabilities, outdated plugins and code, and DDoS attacks were all highlighted as possible implications of poor security in the FTC complaint.
As a result, GoDaddy has agreed to a settlement which prohibits making false or misleading security claims. It must also implement an information security program, conduct regular third-party compliance reviews, and promptly report security incidents to the FTC.
GoDaddy sent us the following statement:
“GoDaddy has a long history of offering innovative products to our web hosting customers. We are focused on protecting our customers’ data and websites, and we invest significant resources in technologies, tools and talent to help protect systems and information. We are continuously improving our security capabilities and have already implemented some of the requirements in the settlement agreement with the FTC.
“Notably, the resolution of this case includes no admission of guilt and no monetary penalties. We expect minimal financial impacts associated with complying with the terms of the agreement with the FTC. We plan to continue investing in our defenses to address the evolving threats and help keep our customers, their websites and their data safe.”