FTC Mandates Security Overhaul for GoDaddy Following Data Breaches

The U.S. Federal Trade Commission (FTC) has directed web hosting provider GoDaddy to implement a comprehensive information security program. This action addresses allegations that the company failed to secure its website-hosting services, leaving customers and their website visitors vulnerable to cyber threats.

Background of the FTC's Action

Since 2018, GoDaddy has allegedly neglected to implement adequate safeguards to monitor and protect its hosting environments against potential attacks. The FTC also accuses the company of misleading its customers by overstating the security measures in place and misrepresenting its compliance with frameworks like the European Union (EU)-US and Swiss-US Privacy Shield agreements, which require companies to take reasonable steps to protect personal data.

Details of the Security Breaches

Between 2019 and 2022, GoDaddy experienced multiple security breaches:

• In 2019, attackers gained unauthorized access to approximately 28,000 hosting accounts.
• In 2021, a breach impacted up to 1.2 million WordPress customers, exposing email addresses, phone numbers, admin passwords, SSL keys, and sFTP credentials.
• In 2023, the company disclosed a multi-year breach where attackers stole source code, installed malware, and redirected customer websites.

FTC's Settlement Requirements

Under the proposed settlement, GoDaddy is required to:

• Implement a comprehensive information security program designed to protect the confidentiality, integrity, and security of its website-hosting services.
• Refrain from making misleading claims about its security measures or compliance with privacy standards, including government and industry frameworks such as the Privacy Shield agreements.
• Engage an independent third-party assessor to evaluate its security program, with an initial review followed by assessments every two years to ensure compliance with the settlement terms.

Implications for the Industry

This action by the FTC underscores the critical importance of robust cybersecurity measures for web hosting providers. Millions of companies, particularly small businesses, rely on these services to secure their online presence. The FTC's intervention aims to ensure that companies like GoDaddy bolster their security systems to protect consumers globally.

Conclusion

The FTC's directive serves as a reminder for all web hosting providers to prioritize cybersecurity and maintain transparency with their customers regarding data protection measures. Implementing comprehensive security programs and adhering to privacy standards are essential steps in safeguarding user data and maintaining trust in digital services.

Sources

• FTC Takes Action Against GoDaddy for Alleged Lax Data Security
• US FTC mandates security overhaul for GoDaddy after data breaches
• GoDaddy Accused of Serious Security Failings by FTC
• FTC orders GoDaddy to fix its infosec practices
• FTC orders GoDaddy to bolster IT security
• FTC Requires GoDaddy to Overhaul Security Measures to Protect Customers
• GoDaddy to Settle FTC Charges of 'Unreasonable Security Practices'
• GoDaddy to Improve Data-Security Practices Under FTC Settlement
• Controversies surrounding GoDaddy