Consent agreement will require GoDaddy to improve security practices and not mislead customers.
The Federal Trade Commission is admonishing GoDaddy (NYSE: GDDY) for lax security practices in its hosting business.
In a complaint (pdf), the FTC said that GoDaddy “has marketed itself as a secure choice for customers to host their websites, touting its commitment to data security and careful threat monitoring practices in multiple locations, including its main website for hosting services, its ‘Trust Center,’ and in email and online marketing.”
However, the FTC said that GoDaddy’s security fell far short of its promises.
In fact, GoDaddy’s data security program was unreasonable for a company of its size and complexity. Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats. In particular, GoDaddy failed to: (a) inventory and manage assets; (b) manage software updates; (c) assess risks to its website hosting services; (d) use multi-factor authentication; (e) log security-related events; (f) monitor for security threats, including by failing to use software that could actively detect threats from its many logs, and failing to use file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data. These failures made GoDaddy’s representations about security false or misleading.
The FTC cites breaches that occurred between 2019 and 2022.
GoDaddy intends to submit to a consent agreement with the FTC that will:
- Prohibit GoDaddy from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization, including the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks;
- Require GoDaddy to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services; and
- Mandate that GoDaddy hire an independent third-party assessor who conducts an initial and biennial review of its information-security program.

Ultimately, this is beneficial for domain owners as well, enhancing security across the board. They’ve already implemented two-factor authentication (2FA) through an app, which is a positive step.
In my experience recovering stolen domains, I’ve encountered numerous cases where domain theft resulted from security breaches. These often involve unauthorized access to web hosting accounts or the sites themselves, leading to compromised emails and the theft of multiple domains.