The Federal Trade Commission (FTC) has finalized a settlement order with web hosting provider GoDaddy, resolving allegations that the company misled consumers by failing to implement basic data security measures. The order, approved by a unanimous 3-0 vote, follows a series of data breaches linked to GoDaddy’s inadequate cybersecurity practices.
In a complaint first announced in January 2025, the FTC charged that GoDaddy falsely marketed its services as offering “award-winning security” while neglecting to use standard protections to safeguard customer websites and data.
The Commission says GoDaddy failed to adopt critical cybersecurity practices such as multi-factor authentication, aggressive threat monitoring, and secure data transmission. These deficiencies allegedly resulted in a number of security intrusions in which attackers gained unauthorized access to customer accounts and confidential data.
The FTC also accused GoDaddy of misrepresenting its compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks. The company’s claims, the FTC said, were misleading to consumers and violated federal consumer protection laws.
Under the terms of the finalized order, GoDaddy is:
- Barred from misrepresenting its data security practices or its compliance with privacy frameworks endorsed by governments or industry bodies;
- Mandated to develop and implement a comprehensive information security program that protects the confidentiality, integrity, and availability of data managed through its web-hosting services;
- Required to undergo regular, independent third-party assessments of its cybersecurity program to ensure compliance and effectiveness.
The Commission received three public comments before finalizing the order. Commissioner Melissa Holyoak issued a partial dissent on one count of the original complaint but concurred with the overall decision.
This enforcement action is part of the FTC’s broader mandate to protect consumers and promote fair competition.
Consumers wanting more information on data privacy and fraud prevention are encouraged to visit consumer.ftc.gov or file complaints at ReportFraud.ftc.gov. The FTC continues to share updates via social media, consumer alerts, and its business blog.
Elevating API Security
Eric Schwake, Director of Cybersecurity Strategy at Salt Security says the FTC’s final order against GoDaddy demands a more foundational security program due to repeated breaches and claims of misrepresenting security practices, marking a significant development.
“The concern arises from the breaches and the FTC’s findings that GoDaddy lacked basic security hygiene, especially regarding essential elements like APIs. This order requires GoDaddy to adopt stringent API security measures, including employing HTTPS for all API communications, enhancing authentication with MFA, and implementing thorough monitoring and rate-limiting. Such requirements elevate API security from a recommended practice to a regulatory necessity, highlighting the urgent need for a robust API posture governance strategy to continuously evaluate, appraise, and protect all API assets. This sets a significant precedent, indicating that regulatory agencies are increasing their scrutiny of organizations’ overall security practices, compelling them to establish comprehensive security programs with a strong focus on their API infrastructure for legal compliance and risk management.”
A Shift in Regulatory Tone
The FTC’s order against GoDaddy represents a significant shift in regulatory tone; this is no longer just about fines or slap-on-the-wrist guidance, comments Heath Renfrow, CISO and Co-founder at Fenix24. “The agency is mandating foundational security practices that should already be standard across the industry, such as multi-factor authentication, vulnerability management, and secure software practices. The most notable element is the FTC’s insistence on proactive, transparent security governance; this is a good attempt to set a clear precedent.”
What makes this case particularly important is that it highlights the consequence of misleading customers about security capabilities, Renfrow adds. “We’ve seen for too long that marketing claims often outpace actual risk management. By requiring an independent third-party assessment and rapid breach reporting, the FTC is attempting to say: ‘security theater’ is no longer acceptable.”
Renfrow does not believe this will ripple across the tech and hosting industry. “Companies that have delayed implementing true security programs or do not understand how to implement a program. There is no sense of urgency with most companies and a false sense of hope. This will be a blip on the radar for most.”
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.