In one of its last data security enforcement actions of the Biden Administration, the Federal Trade Commission (FTC) brought claims against GoDaddy, one of the world’s largest web hosting companies, for allegedly failing to implement reasonable security measures to protect its customers’ websites and data. The FTC’s complaint alleges that GoDaddy’s security failures led to multiple major breaches between 2019 and 2022, exposing customers and visitors to their websites to significant harm.
FTC Allegations
According to the FTC’s complaint, GoDaddy has been marketing itself as a secure hosting provider since at least 2015, touting its commitment to data security and threat monitoring practices. However, the FTC argues that GoDaddy’s data security program was inadequate for a company of its size and complexity. The FTC alleged a variety of security failures by GoDaddy, including:
- Failure to inventory and manage assets;
- Inadequate management of software updates, including not tracking whether operating systems and software were up to date on security patches and not retiring end-of-life systems;
- Insufficient risk assessments that failed to consider the sensitivity of information in the shared hosting environment;
- Lack of adequate logging of security-related events;
- Failure to monitor for security threats, including failing to fully implement a security incident and event manager (SIEM) to detect suspicious activity;
- Not using file integrity monitoring;
- Reliance on username/password authentication for employee access instead of more secure alternatives like SSH certificates;
- Failure to implement multi-factor authentication (MFA) for employee logins and not offering it to customers;
- Inadequate segmentation of its shared hosting environment from less secure networks; and
- Failure to secure connections to services, such as APIs that provide access to consumer data.
Consequences of GoDaddy’s Security Failures
The FTC alleges that GoDaddy’s inadequate security practices resulted in multiple major security breaches between 2019 and 2022, including:
- October 2019: A threat actor gained access to GoDaddy’s shared hosting environment through an unpatched vulnerability, which was not discovered until April 2020. This breach led to the compromise of 28,000 customer credentials and 199 employee credentials. Attackers were also able to capture approximately 1,000 customer credit card numbers.
- November 2021: A threat actor accessed an internet-facing API, exposing the data of 1.2 million customers of GoDaddy’s Managed WordPress product, including email addresses, passwords, and private keys.
- December 2022: GoDaddy’s cPanel service was compromised again by the same threat actor from the 2019-2020 breach, leading to the theft of customer credentials and the redirection of some website visitors to malicious sites.
Settlement Order Terms
To settle the charges, the FTC has issued a proposed order that requires GoDaddy to take several steps to improve its data security practices. The order will:
- Prohibit GoDaddy from misrepresenting its security practices and compliance with any privacy or security program;
- Require GoDaddy to establish and implement a comprehensive information security program to protect its website-hosting services. This program must include:
  - Documenting the program in writing and providing it to the board of directors or a senior officer responsible for the program;
  - Designating a qualified employee to coordinate and be responsible for the program;
  - Assessing and documenting internal and external risks;
  - Implementing safeguards based on risk assessments;
  - Maintaining centralized system component inventories;
  - Employing automated tools for near real-time analysis of events;
  - Creating and retaining system audit logs;
  - Requiring secure shell logins by employees using a method that is not static across multiple authentications, or an equivalent alternative;
  - Disconnecting all hardware assets with unsupported software or temporarily implementing controls to mitigate threats;
  - Using technical measures to detect and prevent anomalous changes to critical operating system and application files;
  - Requiring multi-factor authentication (MFA) for all employees, contractors, and third-party affiliates to access any hosting service, using methods that are resistant to phishing attacks;
  - Offering MFA options to customers, including at least one option that does not require a phone number;
  - Protecting APIs that provide access to hosting service configurations or covered information;
  - Assessing the sufficiency of safeguards at least once every 12 months;
  - Testing and monitoring the effectiveness of safeguards at least once every 12 months, including vulnerability scanning and penetration testing;
  - Selecting and retaining service providers capable of safeguarding hosting services and customer data;
  - Evaluating and adjusting the Information Security Program as needed; and
  - Assessing the safeguards of any acquired entity and testing their effectiveness prior to integration.
- Mandate that GoDaddy hire an independent third-party assessor to conduct an initial and biennial review of its information security program; and
- Provide annual certifications to the FTC from a senior executive officer of each respondent attesting that they have established, implemented and maintained the requirements of the order.
Implications
This action against GoDaddy reiterates the FTC’s continuing guidance that robust security practices are not optional when personal data is involved. Companies should recognize the importance of a proactive approach to data security: regularly assessing their vulnerabilities and implementing robust security controls, rather than waiting for a breach to occur before addressing their shortcomings. The FTC’s order also demonstrates that companies will be held accountable for any misrepresentations they make to customers regarding their security practices. While much is doubtless going to change in the Trump Administration’s new FTC, this unanimous decision suggests that cybersecurity enforcement may continue to be a priority for the FTC.