Thu 23. Jan 2025, 20:16
Yellow card for GoDaddy: the US Federal Trade Commission (FTC) wants to order the world's largest domain registrar and hosting provider to implement a comprehensive security program because of its careless handling of customer data.
With over 20 million customers worldwide and more than 82 million domain names under management, the company founded by Bob Parsons in 1997 has held the title of the world's largest domain registrar for many years. But where there is light, there is also shadow. According to the FTC's findings, there is reason to believe that both GoDaddy Inc. and GoDaddy.com LLC have violated the Federal Trade Commission Act.

Since at least 2015, GoDaddy has marketed itself as a secure choice for customers to host their websites, touting its commitment to data security. According to the FTC complaint, however, GoDaddy's data security program was inadequate for a company of its size and complexity. Despite its assurances, GoDaddy was "blind to vulnerabilities and threats in its hosting environment". Since 2018, GoDaddy has allegedly violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment in which it hosts customer websites and data. The complaint lists the following specific failures: "(a) inventory and manage assets; (b) manage software updates; (c) assess risks to its website hosting services; (d) use multi-factor authentication; (e) log security-related events; (f) monitor for security threats, including by failing to use software that could actively detect threats from its many logs, and failing to use file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data." As a result of these security failures, several major breaches occurred between 2019 and December 2022, in which unauthorized third parties allegedly gained access to customers' websites and data on repeated occasions.
To resolve the complaint, the FTC has proposed a settlement order in which GoDaddy commits to establishing a comprehensive data security program. According to the FTC, the program mirrors those required in other cases, including the recent settlement with the hotel chain Marriott International. Among other things, the settlement imposes the following three conditions: (a) GoDaddy is prohibited from making misrepresentations about its security or its level of compliance with any privacy or security program sponsored by a government, self-regulatory or standards organization (including the EU-US and Swiss-US Privacy Shield Frameworks); (b) GoDaddy must establish and implement a comprehensive information security program that protects the security, confidentiality and integrity of its website hosting services; and (c) GoDaddy must retain an independent auditor to conduct an initial and then biennial review of that information security program. The FTC will soon publish a description of the consent agreement in the Federal Register. After publication, the general public will have 30 days to comment on the agreement, after which the Commission will decide whether to make the proposed order final. GoDaddy would not be required to admit wrongdoing if the settlement is accepted, nor would it be required to pay any money to the FTC at this point.
“Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” said Samuel Levine, Director of the FTC's Bureau of Consumer Protection. “The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe.”
The FTC's complaint can be found at:
https://www.ftc.gov/system/files/ftc_go ... plaint.pdf
The FTC's settlement order can be found at:
https://www.ftc.gov/system/files/ftc_go ... dorder.pdf