GoDaddy, one of the largest web-hosting companies globally, has been accused by the Federal Trade Commission (FTC) of neglecting basic cybersecurity practices since 2018, putting millions of customers and their website visitors at risk. Despite multiple security breaches between 2019 and 2022, the internet giant will face no fines under a proposed settlement.
The FTC claims GoDaddy failed to implement fundamental security measures such as multi-factor authentication (MFA), proper risk assessments, and threat monitoring. Additionally, the company allegedly misrepresented the extent of its security capabilities to customers, further exacerbating the issue. The breaches reportedly allowed threat actors to repeatedly compromise customer websites and steal sensitive data.
According to the FTC complaint, GoDaddy’s security lapses included not maintaining a centralized inventory of its assets, neglecting to patch software vulnerabilities, and failing to monitor for suspicious activity. These deficiencies resulted in repeated breaches that exposed users to harm.
Rather than imposing financial penalties, the FTC’s settlement requires GoDaddy to implement a comprehensive information security program within 90 days. The program will mandate MFA for employees and affiliates, automated tools for real-time security monitoring, and secure protocols like HTTPS for all API calls. The agreement also prohibits GoDaddy from making misleading statements about its security practices.
GoDaddy responded positively to the settlement, emphasizing its ongoing investment in security enhancements. “We are constantly improving our security capabilities,” a company spokesperson said. However, critics argue that these measures are long overdue and reflect the bare minimum of security hygiene expected in today’s digital environment.
Under the settlement, GoDaddy makes no admission of wrongdoing and avoids financial penalties. However, failure to comply with the agreement could result in civil fines of $51,744 per violation. The settlement is open for public comment, leaving some questioning whether this resolution adequately addresses the risks posed by GoDaddy’s alleged negligence.
As cybersecurity threats escalate, this case underscores the critical importance of enforcing robust standards for companies entrusted with massive amounts of sensitive data. For now, GoDaddy’s customers may find themselves waiting to see if promised improvements deliver the protection they deserve.