- FTC formally complains about GoDaddy’s security claims
- “Major compromises” between 2019 and 2022 are cause for concern
- GoDaddy has settled with the FTC and agreed to improve its security
A new Federal Trade Commission complaint has accused GoDaddy of misleading customers and failing to adequately protect its web hosting services.
The announcement serves as a final warning to the company, which has been asked to address security issues dating back as far as 2018, but GoDaddy is not set to face any immediate consequences.
The list of wrongdoings the company allegedly committed has now been highlighted by the FTC in an official complaint, including violations of the FTC Act.
GoDaddy receives notice from the FTC
The long list accuses GoDaddy of failing to: “(a) inventory and manage assets; (b) manage software updates; (c) assess risks to its website hosting services; (d) use multi-factor authentication; (e) log security-related events; (f) monitor security threats, including by not using software that could actively detect threats from its multiple logs; and (g) segment its network; secure connections to services that provide access to consumer data.”
In the complaint, the FTC highlights some “major compromises” between 2019 and December 2022 that involved threat actors obtaining sensitive customer information. They include attacks in October 2019, March 2020, April 2020 and November 2021.
Redirects to malicious websites, data collection, mailer script infections, database attacks, user authentication vulnerabilities, outdated plugins and code, and DDoS attacks were all highlighted as potential implications of poor security in the FTC complaint.
As a result, GoDaddy has agreed to a settlement in which it is prohibited from making false or misleading security claims. It must also implement an information security program, conduct regular third-party compliance assessments, and report security incidents to the FTC promptly.
GoDaddy sent us the following statement:
“GoDaddy has a long history of offering innovative products to our web hosting customers. We are focused on protecting our customers’ data and websites, and we invest significant resources in technologies, tools and talent to help protect systems and information. We constantly improve our security features and have already implemented a number of the requirements of the settlement agreement with the FTC.
“Notably, the settlement of this case includes no admission of wrongdoing and no monetary penalties. We expect minimal financial impact associated with complying with the terms of the settlement with the FTC. We plan to continue to invest in our defense to address emerging threats and help keep our customers, their websites and their data secure.”