FTC Penalizes GoDaddy for Inadequate Security and Data Breaches

Federal Trade Commission Settles With GoDaddy Over Data Security Allegations

The Federal Trade Commission (FTC) has reached a resolution with GoDaddy, a prominent web hosting provider, concluding a case that alleges deceptive practices related to the company’s data security measures. In a unanimous decision on May 23, 2025, the FTC approved a settlement that requires GoDaddy to improve its security protocols and refrain from making inaccurate claims about its data protection practices.

The FTC had accused GoDaddy of failing to implement essential security features while promoting itself as possessing “award-winning security.” Specific shortcomings cited included the absence of multi-factor authentication, insufficient threat monitoring capabilities, and unsecured data connections, all of which facilitated unauthorized access to customer websites and sensitive data during multiple breaches. Furthermore, GoDaddy’s misleading statements about compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks were also called into question, raising concerns about its adherence to international data protection standards.

An FTC spokesperson remarked on the impact of GoDaddy’s security oversights, stating that inadequate security tools left customers exposed to significant risks. The breaches not only compromised sensitive information but also diminished consumer trust in GoDaddy’s hosting services, which support millions of websites worldwide.

Under the terms of the finalized settlement, GoDaddy is mandated to implement strict measures to enhance its security infrastructure. The company is prohibited from misrepresenting its security practices or its compliance with privacy standards. Instead, it must develop a comprehensive information-security program designed to safeguard customer data and ensure the confidentiality and integrity of hosted services. Additionally, GoDaddy is obligated to hire an independent third-party assessor to perform regular evaluations of its security measures to ensure ongoing compliance.

In the lead-up to the settlement, the FTC received several public comments regarding the proposed terms, with a full set of responses communicated to those who provided feedback prior to the finalization. Although the Commission’s vote was unanimous, Commissioner Melissa Holyoak expressed dissent concerning specific components related to the allegations surrounding the Privacy Shield Frameworks, voicing concerns about the implications of the charge.

Based in Scottsdale, Arizona, GoDaddy is one of the largest domain registration and web hosting companies, serving over 20 million customers. The breaches attributed to the company spanned several years and resulted in the exposure of personal and financial data, although exact figures regarding the number of affected websites remain undisclosed. While GoDaddy did not admit any wrongdoing, it agreed to the settlement as a means to address the allegations and mitigate potential repercussions.

This enforcement action by the FTC reflects the growing emphasis on data security across the tech sector. In 2024, the agency took similar measures against other companies whose inadequate data protection practices posed risks to consumers, indicating a concerted effort to tackle misleading claims related to security. GoDaddy is required to implement the mandated security improvements within 180 days, with third-party assessments slated to commence in 2026.

While consumers affected by the data breaches may not receive direct compensation as a result of this order, the focus on preventive security measures aims to safeguard against future risks. The FTC’s actions highlight the critical need for transparency in corporate security claims, especially for enterprises that handle sensitive consumer information.

The weaknesses cited in the complaint map onto the initial access and persistence tactics of the MITRE ATT&CK framework. Missing multi-factor authentication, weak threat monitoring, and unencrypted connections could allow attackers to use techniques such as credential dumping or interception of unsecured communications, ultimately leading to privilege escalation and unauthorized access to user data. The lessons from this case serve as a critical reminder for business owners to prioritize robust cybersecurity practices and to ensure that public security claims match actual security capabilities.