The U.S. Federal Trade Commission has ordered well-known web hosting provider GoDaddy Inc. to implement a robust information security program to settle charges that the company failed to secure its website-hosting service against attacks that could harm its customers.
In a complaint filed Wednesday, the FTC alleged that since 2018, GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats and misled customers about the extent of its data security protections on its website hosting services.
Some of GoDaddy’s more dubious moments in security, or more specifically lack thereof, include 28,000 web hosting accounts exposed in May 2020 and the data of 1.2 million customers being stolen in November 2021.
The May 2020 incident involved an unknown person accessing accounts using the Secure Shell, or SSH, cryptographic network protocol in October 2019, with GoDaddy taking seven months to detect the breach. The 2021 theft of customer account details involved an “unauthorized third party” using a vulnerability to gain access to customer information.
Another instance of concerning security practices at GoDaddy occurred in 2018, when company data was found exposed in an Amazon Web Services Inc. S3 bucket. However, in that case, an AWS employee was accused of misconfiguring the bucket, though GoDaddy had no processes in place to double-check the security of its publicly hosted data.
When security incidents keep recurring, they naturally attract the attention of authorities, and what was found was not a good state of affairs. According to the FTC, GoDaddy’s unreasonable security practices include failing to inventory and manage assets and software updates, assess risks to its shared hosting services, adequately log and monitor security-related events in the hosting environment, and segment its shared hosting from less secure environments.
In addition, the FTC alleged that GoDaddy misled customers through claims on its websites and in email and social media ads by representing that it deployed reasonable security and that it was in compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which require companies to take reasonable and appropriate measures to protect personal information.
The FTC’s order will prohibit GoDaddy from misleading customers about its security practices and require the company to implement robust security measures moving forward. Specifically, the order bars GoDaddy from making false claims about its compliance with privacy or security standards, including the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which mandate reasonable protections for personal information.
Additionally, the order mandates that GoDaddy establish a comprehensive information-security program to safeguard the security, confidentiality and integrity of its website hosting services. The company must also hire an independent third-party assessor to conduct an initial review and biennial evaluation of its security program to ensure compliance and accountability.
“Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement. “The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe.”
Dr. Ilia Kolochenko, chief executive of application security company ImmuniWeb SA and an adjunct professor of cybersecurity at Capitol Technology University in Maryland, told News via email that the “settlement is excellent news for GoDaddy customers, sending another crystal-clear message to web hosting companies about data security requirements.”