The Federal Trade Commission (FTC) has filed a complaint that GoDaddy has violated Section 5 of the FTC Act pertaining to “unfair methods of competition” through “unfair or deceptive acts or practices.”
The complaint details how GoDaddy’s failure to implement standard security tools and practices for protecting the environment where it hosts customers’ websites and data, coupled with the insufficient monitoring of said environment for security threats, contradicted their promotional claim to be a secure option for hosting.
The FTC Won’t Let Me Be
The FTC asserts that “GoDaddy’s data security program was unreasonable for a company of its size and complexity.” It supports this position by identifying specific key failings: GoDaddy did not inventory and manage its assets, manage software updates, assess risks to its services, implement multi-factor authentication, log security-related events, monitor for threats, segment its network, or secure connections to services holding consumer data.
These failures, the FTC states, have resulted in “several major compromises of its hosting service between 2019 and 2022, in which threat actors repeatedly gained access to its customers’ websites and data.” By its very nature, this access placed GoDaddy’s customers, their customers’ websites, and their customers’ consumers in harm’s way and put their sensitive data at risk.
Is GoDaddy Still the Go-to?
For individuals and companies looking to get their business online with a domain name or start a website, blog, online store, or e-commerce site, GoDaddy has, for many years, been the go-to. Since its inception in 1997, GoDaddy has been on a self-proclaimed mission to empower entrepreneurs worldwide by providing them with the tools required to grow in the online space.
In terms of growing their business and obtaining customer trust, their mission has been undeniably successful thus far. At the time of writing, the GoDaddy homepage states that customers have entrusted them with 82 million domain names, and they feature their Trustpilot TrustScore of 4.8 out of 5 stars, aggregated from over 114,000 reviews. Since at least 2015, it has promoted itself as a secure option for hosting, highlighting its commitment to data security and threat monitoring. However, this complaint cites GoDaddy’s data security measures as inadequate and their security claims misleading.
Whatever Next?
In order to resolve the issues raised by the FTC and align GoDaddy’s policies and procedures with its messaging, the FTC has proposed a settlement order. The order is currently subject to public comment for 30 days; if it is eventually finalized, then a violation could result in a civil penalty of up to $51,744.
The proposed order can be summarised into three key points. Firstly, it will prevent GoDaddy from making false claims about its security and privacy compliance. Secondly, it will require GoDaddy to establish a comprehensive information security program to protect its web hosting services. Finally, it will mandate the hiring of an independent assessor for initial and biennial evaluations of this program.
Industry Analysis
The story has potentially serious implications for the industry, and it has elicited somewhat mixed reactions to both the complaint and the proposed order.
Ilia Kolochenko, CEO of ImmuniWeb and a Fellow at the British Computer Society (BCS), believes that the settlement sends several important messages. It is a direct message to web hosting companies underlining the importance of data security, and a message to any company conducting ‘any Internet business without due care about your cybersecurity and privacy programs’ that the FTC will act on your negligence.
The well-respected technology news publication The Register strikes a different tone, however. It likens the action being faced by GoDaddy from the FTC to “being slapped with a wet lettuce” and is surprised at the lack of a fine when they have been identified as having years of “lax security” and experienced “several major breaches.”
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.