The Federal Trade Commission (FTC) has charged GoDaddy with failing to secure its hosting environment, leading to several major data breaches. This settlement mandates GoDaddy to implement basic security protections, including mandatory multi-factor authentication (MFA) and regular third-party security assessments, to settle charges of poor security practices that exposed millions of customer websites to risk.
The FTC’s Allegations Against GoDaddy
According to the FTC complaint, GoDaddy misrepresented its security measures through various marketing channels, including its main website, emails, and the “Trust Center.” The complaint asserts that since at least 2015, GoDaddy marketed itself as a secure choice for web hosting, boasting about its commitment to data security and robust threat monitoring practices. However, despite these claims, GoDaddy’s security program was found to be inadequate, considering the size and complexity of the company.
The FTC alleges that since 2018, GoDaddy violated Section 5 of the FTC Act by failing to implement essential security practices, leaving its hosting environment vulnerable to attacks. GoDaddy’s lack of proper security monitoring and risk management allowed attackers to exploit these vulnerabilities, compromising the safety of both customers and visitors to their websites. As Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, noted, “GoDaddy’s security failures highlight the importance of securing not just customer data but also the infrastructure hosting websites that businesses and consumers depend on.”
The Security Failures and Breaches
GoDaddy’s failure to secure its infrastructure led to several major security breaches between 2019 and 2022, the most notable of which was disclosed in February 2023. Hackers gained access to GoDaddy’s cPanel shared hosting environment, stealing source code and installing malware on compromised servers. The breach wasn’t detected until December 2022, when customers reported that their websites were redirecting to suspicious domains.
Additionally, GoDaddy had suffered two other significant breaches: one in November 2021 that affected 1.2 million Managed WordPress customers and another in March 2020. In both cases, attackers gained access to sensitive data, including admin credentials and SSL private keys.
The lack of multi-factor authentication (MFA), proper network segmentation, and threat monitoring tools left these vulnerabilities unchecked, allowing attackers to exploit them for years without detection.
Proposed Settlement and GoDaddy’s Obligations
To settle these charges, the FTC has proposed a set of requirements aimed at addressing GoDaddy’s security failures:
- Prohibit Misrepresentation: GoDaddy must no longer mislead customers about its security practices or its compliance with government or industry privacy and security standards, including the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks.
- Comprehensive Information Security Program: The company is required to implement a comprehensive security program to protect its hosting services. This program will focus on the confidentiality, integrity, and availability of customer data.
- Independent Third-Party Assessments: GoDaddy must hire an independent third-party assessor to review its security practices. The first review will be conducted immediately, followed by biennial assessments to ensure that its security program stays up-to-date with evolving threats.
These measures are designed to address the significant security lapses that have put both GoDaddy’s customers and their visitors at risk.
GoDaddy’s Response and Future Steps
In response to the FTC’s findings, GoDaddy has acknowledged the need for improvement and confirmed that it has already implemented some of the requirements outlined in the proposed settlement. The company has expressed a commitment to continually invest in its security infrastructure to address evolving threats.
“We are constantly improving our security capabilities and have already implemented a number of the requirements in the settlement agreement with the FTC,” GoDaddy stated. “We plan to continue to invest in our defenses to address evolving threats and help keep our customers, their websites, and their data safe.”
While GoDaddy has not admitted fault and the settlement does not include monetary penalties, the company faces significant reputational damage. At the same time, the settlement demonstrates GoDaddy’s willingness to correct its course and strengthen its security measures to prevent future breaches.
42Works’ Take on GoDaddy’s Security Lapses
At 42Works, we believe that web hosting security should never be optional. GoDaddy’s case serves as a stark reminder that neglecting basic security measures can lead to costly breaches and reputational damage. As a tech and web development company, we ensure that our security practices meet the highest standards, safeguarding both client and user data.
This is a call to action for all businesses—whether you’re a small startup or an established enterprise, don’t let your website be an easy target. Strong security foundations not only protect your data but also build trust with your customers.
Take Charge of Your Website’s Security
Is your website secure enough? Don’t wait for a breach—contact us at 42Works to ensure your digital presence is built with top-tier security. Let’s protect what matters most. Secure your website today with 42Works!