FTC cracks down on GoDaddy for cybersecurity failings
The web hosting giant GoDaddy will be required to bolster its cybersecurity program to address years-long deficiencies, the Federal Trade Commission (FTC) announced on Wednesday.
GoDaddy’s failure to use industry standard security measures led to what the FTC called “several major security breaches” between 2019 and 2022. The agency also alleges that GoDaddy deceived its customers about how adequately it safeguards its web hosting product.
Consumers were sent to malicious websites and otherwise harmed after hackers broke into GoDaddy customers’ websites and accessed data, the agency said.
The extensive information security measures which the FTC is requiring GoDaddy adopt are similar to the reforms the agency ordered Marriott to implement after the hotel chain failed to improve its cybersecurity posture despite being breached three times between 2014 and 2020, the FTC said.
“Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, said in a statement explaining why the FTC acted.
GoDaddy, based in Arizona, has about five million web hosting clients, the agency said.
The company failed to track and manage software updates; analyze threats to its shared hosting services; properly log and continuously assess cybersecurity incidents; and silo its shared hosting from more insecure platforms, according to the FTC’s complaint.
GoDaddy also falsely advertised that it prioritized a strong security program and complied with international frameworks requiring companies take “reasonable” measures to protect personal data, the agency said in a press release.
The proposed settlement order bars GoDaddy from exaggerating its security practices; orders it to design a “comprehensive” information-security program; and directs it to retain an outside company to assess its enhanced cybersecurity program when it launches and every two years thereafter.
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.