
GoDaddy, a major website hosting provider, failed to secure its website hosting services for years, the Federal Trade Commission (FTC) alleged in a complaint. The company settled by agreeing to implement a 'robust information security program' and will not face any monetary penalties.
According to the FTC, GoDaddy hosts websites for approximately five million customers. The company used to advertise its services as “Ridiculously fast. Seriously secure.”
However, the problem was that GoDaddy didn’t inventory its assets, manage software updates, use multifactor authentication, or appropriately monitor for security threats. All the unreasonable security practices were listed in the FTC’s complaint.
These failures allegedly resulted in several major security breaches between 2019 and 2022 in which hackers gained unauthorized access to customers’ websites and data.
All the company gets for the ‘alleged lax data security’ is a reprimand. According to the FTC's proposed settlement order, GoDaddy will be prohibited from making misrepresentations about its security and compliance.
The order also requires GoDaddy to establish and implement a comprehensive information security program that protects the security, confidentiality, and integrity of its website-hosting services. Additionally, GoDaddy must hire an independent auditor for initial and biennial reviews of its information security program.
Key components of the agreed security program include designated responsible personnel, a SIEM (security information and event management) tool or equivalent, system audit logging and record-keeping, at least one multi-factor authentication (MFA) method, encryption, secure remote access, and authentication controls, among other basic cybersecurity measures.
The FTC noted that an issued consent order carries the force of law, and failure to implement the actions may result in a civil penalty of up to $51,744.
According to the FTC’s original complaint, as of September 2020, GoDaddy only had visibility into approximately 15,000 devices out of the approximately 450,000 it ultimately identified. The company had inconsistent patch management and no centralized system to ensure critical updates were applied.
GoDaddy also delayed implementing essential security tools like multi-factor authentication (MFA), endpoint detection, and file integrity monitoring, exposing customers to unnecessary risks. Weak authentication methods, poor API security, and insufficient network segmentation contributed to major vulnerabilities.
Users are advised to ‘ask questions’
The FTC also released an advisory for users to “ask your web host some questions.”
“The harm the FTC says GoDaddy caused is hard to avoid because people had no way of knowing GoDaddy wasn’t doing its part to keep their data safe,” the FTC writes.
The watchdog suggests a few key questions to ask hosting providers about their data security practices, such as:
- What security practices and technologies will you use to keep my website secure?
- Where do you store my site’s data?
- Are there multifactor authentication (MFA) options available I can use so other people can’t access or change my website with only a username and password?
- Who do I contact if I notice suspicious activity?
“Your website is one of your business’s most important sales and marketing tools. It’s your brand in a nutshell, your virtual storefront, and a repository for data – yours and your customers. So, when you go looking for a web host – the company that’ll store your site on its servers – security is non-negotiable,” FTC said.
GoDaddy’s spokesperson told The Register that the company is constantly improving its security capabilities and has already implemented several of the requirements. The company did not admit or deny any of the allegations and expects minimal financial impact.