The US Federal Trade Commission (FTC) has directed web hosting provider GoDaddy to establish a comprehensive information security programme. This directive comes as part of a settlement addressing allegations that the company failed to secure its website-hosting services, leaving customers and their website visitors vulnerable to cyber threats.

The FTC alleges that, since 2018, GoDaddy has failed to implement adequate safeguards to monitor and protect its hosting environments against attacks. Furthermore, the company is accused of misleading its customers by overstating the security measures in place and misrepresenting its compliance with frameworks such as the European Union (EU)-US and Swiss-US Privacy Shield agreements, which require participating companies to take reasonable steps to protect personal data.

“Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” said FTC’s Bureau of Consumer Protection Director Samuel Levine. “The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe.”

According to the US government agency, GoDaddy experienced multiple security breaches between 2019 and 2022. During these incidents, attackers gained unauthorised access to customer websites and data. In some cases, these breaches redirected website visitors to malicious websites, creating additional risks for consumers. The FTC’s complaint attributes these breaches to several security failings on GoDaddy’s part. It alleges that the company failed to properly manage assets and software updates, conduct thorough risk assessments for its shared hosting services, and monitor its hosting environments for security-related events. The FTC also claims that GoDaddy did not adequately segment its shared hosting environment from less secure systems, leaving vulnerabilities that could be exploited.

Under the terms of the proposed settlement, GoDaddy is required to revamp its information security practices. The company must implement a comprehensive programme designed to protect the confidentiality, integrity, and security of its website-hosting services. The order also prohibits GoDaddy from making misleading claims about its security measures or compliance with privacy standards, including government and industry frameworks such as the Privacy Shield agreements. Additionally, GoDaddy must engage an independent third-party assessor to evaluate its security programme. The assessor will conduct an initial review and perform follow-up assessments every two years to ensure compliance with the settlement terms.

The FTC’s five-member Commission voted unanimously to issue the complaint and accept the proposed settlement. Commissioner Melissa Holyoak concurred with the overall decision but dissented on one count of the complaint. The settlement will be published in the Federal Register, where it will be open for a 30-day public comment period. During this time, stakeholders and members of the public can submit feedback. The FTC will then review the comments before deciding whether to finalise the consent order.

Industry-wide cybersecurity challenges

The agency’s directive follows years of cybersecurity challenges for GoDaddy and other hosting providers. In 2019, GoDaddy suffered a breach that compromised 28,000 hosting accounts, with usernames and passwords exposed for six months. In 2021, another breach impacted 1.2 million customers of its Managed WordPress hosting, exposing email addresses, phone numbers, admin passwords, SSL keys, and sFTP credentials. In 2023, the company disclosed a multi-year breach where attackers stole source code, installed malware, and redirected customer websites.

Other hosting companies have faced similar issues. In 2021, Epik, known for hosting controversial websites, was hacked, exposing over a decade of data, including domain records and account credentials. The breach affected more than 15 million email addresses. HostGator also encountered security breaches, including a Trojan attack in 2006 and a 2012 social engineering breach targeting WHMCS, exposing user data and 500,000 credit card details.
