The FTC has imposed significant sanctions and remedial requirements on GoDaddy, one of the world’s largest web hosting and domain registration companies, over allegations of serious data security failures and misleading claims about its cybersecurity practices. The action sheds light on the vulnerabilities that led to repeated breaches and highlights the enforcement consequences of failing to protect sensitive consumer information while making lofty claims about cybersecurity in a company’s marketing materials.
Over a three-year period from 2019 to 2022, GoDaddy experienced multiple security breaches that exposed sensitive customer data, including login credentials, encryption keys, and even credit card information. The FTC found that these incidents resulted from systemic shortcomings in GoDaddy’s cybersecurity program, despite the company’s public assurances.
GoDaddy’s Alleged Failures
The FTC accused GoDaddy of violating Section 5 of the FTC Act, which prohibits unfair or deceptive practices. Specifically, the agency alleged that GoDaddy misrepresented its security practices by presenting itself as a secure hosting provider throughout its marketing materials, such as claiming to offer “24/7 threat monitoring” and “award-winning security.” In fact, GoDaddy’s security allegedly fell far short of basic industry standards, much less its own promises. These misleading statements gave consumers – many of whom were small businesses – a false sense of security, potentially influencing their decisions to entrust GoDaddy with sensitive information and the fate of their digital storefronts.
GoDaddy’s deficiencies included:
- Lack of Multi-Factor Authentication (MFA): GoDaddy did not require MFA for administrative logins until after significant breaches occurred. Even then, it failed to offer MFA options for customer-facing systems.
- Poor Asset Management: The company failed to maintain a centralized inventory of its servers and software, leaving thousands of systems unpatched and vulnerable to exploitation. The company also failed to perform uniform and regular security software updates.
- Ineffective Monitoring: Security events were inconsistently logged, and essential monitoring tools, such as Security Information and Event Management (SIEM) systems, were not properly deployed.
As a result of its lax security, GoDaddy left itself exposed to multiple security incidents:
- 2019–2020: A breach originating in the customer-managed hosting environment spread to the Shared Hosting environment due to inadequate network segmentation. Attackers gained access to sensitive customer data, including website credentials and payment card information.
- 2021: Using compromised API credentials, attackers accessed data for 1.2 million customers. The breach exposed login credentials, encryption keys, and other sensitive details, highlighting weak controls over GoDaddy’s internal systems.
- 2022: Attackers exploited vulnerabilities that remained unresolved from the 2019 breach, redirecting website visitors to malicious sites. GoDaddy only discovered this breach after customer complaints, rather than from its own internal monitoring.
FTC Settlement Requirements
The settlement with the FTC imposes strict obligations on GoDaddy to prevent future security lapses. The key terms include:
- Comprehensive Information Security Program:
  - GoDaddy must establish a detailed cybersecurity framework, including written policies, annual risk assessments, and prompt responses to security incidents.
  - The program must account for the sensitivity of customer data and include safeguards proportionate to the risks involved.
- Third-Party Assessments:
  - Independent audits of GoDaddy’s cybersecurity practices must be conducted every two years for 20 years. These assessments will evaluate the company’s compliance with industry standards and identify areas for improvement.
- Incident Reporting and Remediation:
  - GoDaddy is required to report significant breaches to the FTC within 10 days and provide detailed accounts of remediation efforts.
  - Customers affected by future breaches must be notified promptly, with clear instructions on protective steps.
- Senior Executive Accountability:
  - A senior executive must annually certify the company’s compliance with the settlement terms, ensuring leadership accountability for cybersecurity.
Lessons for Businesses
The GoDaddy case serves as a cautionary tale for organizations handling sensitive consumer data. Here are critical insights for businesses looking to avoid similar pitfalls:
1. Proactive Security is Essential
GoDaddy’s breaches traced back to gaps in basic safeguards like asset management, risk assessment, MFA, real-time monitoring, and timely software updates. Businesses should invest in these foundational security measures to reduce vulnerabilities. There is a growing consensus among regulators concerning the minimum cybersecurity safeguards that businesses should have in place.
2. Transparency Matters
Misleading statements about security practices not only erode consumer trust but also invite regulatory scrutiny. Companies must ensure that marketing materials accurately reflect their capabilities and practices.
3. Prepare for the Inevitable
Even the best defenses cannot guarantee absolute security. Businesses should maintain robust incident response plans and allocate resources for rapid breach detection and mitigation.
4. Regulators Are Watching
The FTC’s action against GoDaddy underscores its commitment to holding companies accountable for cybersecurity failures. Businesses must stay informed about regulatory expectations and adapt their practices accordingly.