The U.S. Federal Trade Commission (FTC) has mandated that GoDaddy Inc., a prominent web hosting service, establish a comprehensive information security program following allegations of insufficient protective measures against cyber threats that endangered its customers. The enforcement action arises from a complaint lodged by the FTC, which claims that since 2018, GoDaddy has not implemented adequate security protocols to safeguard its website-hosting environment nor accurately communicated the effectiveness of its data protection measures to clients.
The FTC outlined a history of security lapses at GoDaddy, highlighting incidents involving significant breaches. Notable incidents include the exposure of 28,000 web hosting accounts in May 2020 and the theft of data pertaining to 1.2 million customers in November 2021. In the 2020 breach, an unauthorized individual used the Secure Shell (SSH) protocol to reach customer accounts and went undetected for seven months. The subsequent data theft in 2021 involved an "unauthorized third party" capitalizing on a specific vulnerability to acquire sensitive customer details.
Additional troubling incidents trace back to 2018, when an employee of Amazon Web Services (AWS) inadvertently misconfigured a cloud instance, leading to exposed GoDaddy data. This breach raised concerns about GoDaddy’s lack of proactive security measures for its publicly accessible data, as there were no established processes for verifying data security in those environments.
These recurring security challenges have drawn the scrutiny of regulatory bodies, with the FTC finding that GoDaddy’s security practices are fundamentally inadequate. According to the FTC, the company failed to effectively inventory and manage assets, regularly update software, assess risks connected to its shared hosting services, and sufficiently log or monitor security events within its hosting environments. Furthermore, the absence of effective segmentation between shared hosting and less secure areas compounds the risk to customer data.
The FTC’s complaint alleges that GoDaddy misrepresented its security posture to customers, including assertions of compliance with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks, which mandate stringent data protection measures. Under the terms of the FTC order, GoDaddy is prohibited from making misleading claims concerning its security measures and must adopt robust, comprehensive security protocols going forward. Specifically, the order forbids GoDaddy from falsely asserting compliance with privacy and security standards, including the aforementioned Privacy Shield frameworks.
To ensure compliance, GoDaddy is required to create a detailed information security program aimed at protecting the confidentiality and integrity of its web hosting services. Additionally, the company must engage an independent third-party assessor to perform an initial security review and biennial evaluations of its information security program, reinforcing accountability and effectiveness of its measures.
Samuel Levine, the director of the FTC’s Bureau of Consumer Protection, emphasized the critical reliance that millions of businesses, particularly smaller enterprises, have on hosting providers like GoDaddy to secure their online assets. The FTC’s intervention is positioned as a necessary step to compel GoDaddy and similar companies to fortify their security frameworks in order to better protect consumers on a global scale.
From a cybersecurity perspective, the tactics employed in the described incidents can be mapped to several stages of the MITRE ATT&CK framework. Potential adversary tactics include initial access through compromised valid accounts, persistence through maintaining unauthorized access over time, and privilege escalation by leveraging weaknesses in application security. These tactics underscore the need for continuous vigilance and robust protective measures in the web hosting sector, particularly as cyber threats continue to evolve.
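The two gaps the article pairs, insufficient logging and monitoring of the hosting environment and an SSH intrusion that persisted unnoticed for months, can be illustrated with a small piece of detection logic. The following is an added example written for this article; it is not GoDaddy's code and says nothing about how GoDaddy's systems are actually instrumented. It assumes sshd "Accepted ..." login records in a simplified, constructed log format (ISO 8601 timestamps instead of syslog's "May  3 02:14:07"), builds a per-account baseline of source addresses from a trusted period, and then reports every account/address pair outside that baseline together with how long it has been active. The log lines, hostnames, account names and addresses below are constructed sample data.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Set, Tuple

# Matches the "Accepted <method> for <user> from <ip> port <n>" record sshd writes
# on a successful login. Assumption for this example: an ISO 8601 timestamp prefix.
ACCEPTED_RE = re.compile(
    r"^(?P<ts>\S+) (?P<host>\S+) sshd\[\d+\]: Accepted (?P<method>\w+) "
    r"for (?P<user>\S+) from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+"
)

# Constructed sample data: a trusted baseline window and a later review window.
BASELINE_LINES = [
    "2020-01-10T09:12:01Z web01 sshd[2110]: Accepted publickey for alice from 203.0.113.5 port 51514 ssh2",
    "2020-01-22T17:40:33Z web01 sshd[2390]: Accepted publickey for alice from 203.0.113.5 port 51620 ssh2",
    "2020-02-02T08:05:19Z web02 sshd[1877]: Accepted publickey for bob from 198.51.100.7 port 40112 ssh2",
]
REVIEW_LINES = [
    "2020-05-01T10:00:00Z web01 sshd[3001]: Accepted publickey for alice from 203.0.113.5 port 51700 ssh2",
    "2020-05-03T02:14:07Z web01 sshd[3122]: Accepted password for alice from 192.0.2.44 port 60233 ssh2",
    "2020-05-03T02:15:50Z web01 sshd[3130]: Failed password for root from 192.0.2.44 port 60240 ssh2",
    "2020-06-01T04:31:12Z web02 sshd[4410]: Accepted password for carol from 192.0.2.44 port 60301 ssh2",
    "2020-08-14T11:22:09Z web02 sshd[5211]: Accepted publickey for bob from 198.51.100.7 port 40200 ssh2",
    "2020-11-20T23:05:41Z web01 sshd[7789]: Accepted password for alice from 192.0.2.44 port 61020 ssh2",
]


def parse_login(line: str) -> Optional[dict]:
    """Return the fields of a successful-login record, or None for any other line."""
    m = ACCEPTED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return rec


def build_baseline(lines: List[str]) -> Dict[str, Set[str]]:
    """Source addresses observed per account during a period believed to be clean."""
    baseline: Dict[str, Set[str]] = {}
    for line in lines:
        rec = parse_login(line)
        if rec:
            baseline.setdefault(rec["user"], set()).add(rec["ip"])
    return baseline


def find_new_source_logins(lines: List[str], baseline: Dict[str, Set[str]]) -> List[dict]:
    """Summarise logins from (account, address) pairs the baseline never saw.

    Accounts absent from the baseline are reported as well, since an attacker may
    log in to an account that legitimate operators never used. Each finding carries
    first/last seen times and the span in days, so a reviewer sees dwell time at a glance.
    """
    findings: Dict[Tuple[str, str], dict] = {}
    for line in lines:
        rec = parse_login(line)
        if rec is None or rec["ip"] in baseline.get(rec["user"], set()):
            continue
        key = (rec["user"], rec["ip"])
        f = findings.setdefault(key, {
            "user": rec["user"], "ip": rec["ip"], "first_seen": rec["ts"],
            "last_seen": rec["ts"], "logins": 0, "hosts": set(),
        })
        f["logins"] += 1
        f["first_seen"] = min(f["first_seen"], rec["ts"])
        f["last_seen"] = max(f["last_seen"], rec["ts"])
        f["hosts"].add(rec["host"])
    out = []
    for f in findings.values():
        f["days_active"] = (f["last_seen"] - f["first_seen"]).days
        f["hosts"] = sorted(f["hosts"])
        out.append(f)
    # Longest-lived unexplained access first: that is the seven-month case.
    return sorted(out, key=lambda f: (-f["days_active"], f["user"]))


if __name__ == "__main__":
    base = build_baseline(BASELINE_LINES)
    for f in find_new_source_logins(REVIEW_LINES, base):
        print(f"{f['user']}@{f['ip']}: {f['logins']} login(s) on {f['hosts']}, "
              f"{f['first_seen']:%Y-%m-%d} to {f['last_seen']:%Y-%m-%d} ({f['days_active']} days)")
```

Run stand-alone, the script reports alice's logins from 192.0.2.44 as a single finding spanning 201 days and carol's login from the same address as a second finding. The baseline here is a static allowlist learned from history; in a real hosting environment the same structure would be fed from centralised sshd logs and the "new source" condition would typically be joined with other signals (new key fingerprints, logins at unusual hours, sessions on hosts the account never touched) before it pages anyone.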
The settlement is a positive development for GoDaddy's customer base and sends a clear signal to web hosting providers about the critical nature of data security compliance. As organizations continue to navigate the complexities of cybersecurity, the emphasis on regulatory and protective measures will likely remain a focal point within the digital landscape.