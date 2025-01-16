FTC formally complains about GoDaddy’s security claims

“Major compromises” between 2019 and 2022 are the cause for concern

GoDaddy has reached a settlement with the FTC for better security

A new Federal Trade Commission complaint has accused GoDaddy of misleading customers and failing to protect its web hosting services sufficiently.

The notice serves as a final warning to the company, which has been told to address security concerns that date as far back as 2018, however GoDaddy isn’t set to face any immediate consequences.

The list of mistakes reportedly made by the company has now been highlighted by the FTC in an official complaint, including violations of the FTC Act.

GoDaddy gets a telling off from the FTC

The long list accuses GoDaddy of failing to: “(a) inventory and manage assets; (b) manage software updates; (c) assess risks to its website hosting services; (d) use multi-factor authentication; (e) log security-related events; (f) monitor for security threats, including by failing to use software that could actively detect threats from its many logs, and failing to use file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data.”

In the complaint, the FTC highlights some “major compromises” between 2019 and December 2022 which involved threat actors obtaining sensitive customer information. They include attacks in October 2019, March 2020, April 2020 and November 2021.

Redirections to malicious sites, data collection, mailer script infections, database attacks, user authentication vulnerabilities, outdated plugins and code, and DDoS attacks were all highlighted as potential implications of poor security in the FTC complaint.

Consequentially, GoDaddy has agreed to a settlement in which it is prohibited from making false or misleading security claims. It must also implement an information security program, conduct regular third-party compliance assessments and report security incidents to the FTC promptly.

GoDaddy sent us the following statement:

"GoDaddy has a long history of offering innovative products to our web hosting customers. We are focused on protecting our customers’ data and websites, and we invest significant resources in technologies, tools and talent to help safeguard systems and information. We are constantly improving our security capabilities and have already implemented a number of the requirements in the settlement agreement with the FTC.

"Notably, the resolution of this matter includes no admission of fault and no monetary penalties. We expect minimal financial impact associated with complying with the terms of the agreement with the FTC. We plan to continue to invest in our defenses to address evolving threats and help keep our customers, their websites and their data safe."