- FTC Officially Complains About GoDaddy Security Claims
- The “major compromises” between 2019 and 2022 are worrying
- GoDaddy reaches agreement with FTC for better security
A new complaint from the Federal Trade Commission accuses GoDaddy of misleading its customers and failing to adequately protect its web hosting services.
The notice serves as a final warning for the company, which has been asked to address security concerns dating back to 2018, but GoDaddy is not set to face immediate consequences.
The list of errors allegedly made by the company was highlighted by the FTC in a formal complaint, including violations of the FTC Act.
GoDaddy gets reprimanded by the FTC
The long list accuses GoDaddy of failing to: “(a) inventory and manage assets; (b) manage software updates; (c) assess the risks associated with its website hosting services; (d) use multi-factor authentication; (e) record security-related events; (f) monitor for security threats, including failing to use software capable of actively detecting threats from its numerous logs and failing to use file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data.”
In the complaint, the FTC highlights certain “major compromises” between 2019 and December 2022 that involved malicious actors obtaining sensitive customer information. These include the attacks of October 2019, March 2020, April 2020 and November 2021.
The FTC complaint highlights redirects to malicious sites, data harvesting, email script infections, database attacks, user authentication vulnerabilities, outdated plugins and code, and DDoS attacks as potential implications of poor security.
As a result, GoDaddy agreed to a settlement prohibiting it from making false or misleading security claims. It must also implement an information security program, conduct regular third-party compliance assessments, and promptly report security incidents to the FTC.
GoDaddy sent us the following statement:
“GoDaddy has a long history of providing innovative products to our web hosting customers. We are focused on protecting our customers’ data and websites, and we invest significant resources in technologies, tools and talent to help protect systems and information. We are constantly improving our security capabilities and have already implemented a number of requirements of the settlement agreement with the FTC.
“Notably, the resolution of this matter does not include any admission of wrongdoing or monetary sanctions. We anticipate minimal financial impact associated with complying with the terms of the agreement with the FTC. We plan to continue investing in our defenses to meet evolving threats and help keep our customers, their websites and their data secure.”