Introduction
Major security failures at GoDaddy have led to multiple customer data breaches, prompting an investigation by the US Federal Trade Commission (FTC) [5]. The FTC’s proposed settlement requires GoDaddy to implement a comprehensive information security program to address these shortcomings and protect sensitive customer data [5].
Description
Major security failures at GoDaddy have resulted in multiple customer data breaches, prompting an investigation by the US Federal Trade Commission (FTC) [5]. The FTC’s proposed settlement requires GoDaddy to implement a robust, comprehensive information security program to address allegations that inadequate security measures left sensitive customer data exposed to cybercriminals and that the company misled customers about the extent of its data security protections. The FTC’s complaint [3] [5] [8] [10] [11], approved by all five commissioners [8], describes significant security shortcomings dating back to January 2018 [5]: failures to inventory and manage assets [1] [2] [5], to assess risks [1] [2] [5] [11], to log and monitor security events [5], and to segment the shared hosting environment from less secure environments [5]. The complaint also alleges that GoDaddy neglected basic cybersecurity practices such as managing software updates, requiring multi-factor authentication (MFA) [2] [4] [5] [8], and securing connections to services that access consumer data [2].

Incidents cited include unauthorized access that exposed approximately 28,000 customers’ SSH credentials in May 2020, and the theft of data on 1.2 million WordPress customers in November 2021 [1], carried out using compromised credentials for an API used by customer service [5]. In 2018, a misconfiguration also exposed company data in an Amazon Web Services S3 bucket, further underscoring the lack of security oversight.
The FTC found GoDaddy’s data security program deficient [8] and unreasonable for a company of its size and complexity [8], in violation of Section 5 of the FTC Act [8]. The commission also found that GoDaddy misled customers by claiming compliance with the EU-US and Swiss-US Privacy Shield Frameworks, which require reasonable protections for personal information [1]. The settlement requires GoDaddy to overhaul its cybersecurity practices [6], deploy automated tools for near-real-time analysis of security events [5], disconnect unsupported hardware from the Hosting Service environment [5], and enforce MFA for all employees and third parties with access to hosting tools [5]. GoDaddy must also document and regularly update its information security program, designate a qualified employee to oversee it [8], and conduct annual risk assessments [8].
The company is also prohibited from making false claims about its security practices and its compliance with privacy frameworks [3], including assurances of “24/7 network security.” GoDaddy must test the effectiveness of its security measures at least annually and promptly after any security incident [5], and must retain an independent third-party assessor to review those measures initially and every two years thereafter [3]. The FTC’s decision was unanimous [3], and the proposed consent agreement will be open for a 30-day public comment period before it is finalized [3]. Violations of the consent order could result in civil penalties of up to $51,744 per violation [3]. These measures are intended to ensure that web hosting providers such as GoDaddy strengthen their security systems to protect consumers effectively [1].
GoDaddy, which serves around five million customers [4], has stated that it is committed to protecting customer data and has already begun implementing several requirements of the settlement agreement [2]. The resolution includes neither an admission of fault nor monetary penalties [2], and the company expects minimal financial impact from complying with it [2]. The FTC emphasized the importance of securing the websites of the millions of small businesses that rely on web hosting providers [7], noting that GoDaddy’s security deficiencies led to several significant breaches between 2019 and 2022 [7] and exposed consumers to risks such as redirection to malicious sites [7]. The FTC has also advised website owners to prioritize security when choosing a hosting provider [4], encouraging them to ask about the technologies used to secure websites [4], the availability of MFA options [4], and how reports of suspicious activity are handled [4].
Conclusion
The FTC’s intervention underscores the need for robust cybersecurity measures in the web hosting industry. By mandating comprehensive reforms at GoDaddy, the FTC aims to reduce future risk and strengthen consumer protection. The case is a reminder for web hosting providers to prioritize security and for consumers to remain vigilant when selecting service providers. The improvements required at GoDaddy could set a precedent for industry standards and contribute to a safer digital environment for businesses and individuals alike.
References
[1] https://siliconangle.com/2025/01/16/ftc-orders-godaddy-strength-security-practices-years-data-breaches/
[2] https://www.techradar.com/pro/security/godaddy-told-to-up-security-practices-by-ftc
[3] https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-takes-action-against-godaddy-alleged-lax-data-security-its-website-hosting-services
[4] https://techstory.in/ftc-scolds-godaddy-cybersecurity-lapses/
[5] https://www.infosecurity-magazine.com/news/godaddy-security-failings-ftc/
[6] https://cybersecuritynews.com/ftc-slams-godaddy-security-practices/
[7] https://www.azcentral.com/story/money/business/2025/01/15/ftc-orders-godaddy-to-upgrade-online-security/77722009007/
[8] https://www.csoonline.com/article/3803988/ftc-orders-godaddy-to-fix-its-infosec-practices.html
[9] https://markets.businessinsider.com/news/stocks/ftc-announces-settlement-with-godaddy-over-data-security-allegations-1034232194
[10] https://news.bloomberglaw.com/privacy-and-data-security/godaddy-agrees-to-new-security-practices-to-settle-ftc-claims
[11] https://www.grcreport.com/post/ftc-cracks-down-on-godaddy-for-alleged-data-security-failures