FTC Orders GoDaddy to Fix Inadequate Security Practices

Having found GoDaddy's security policies inadequate, the Federal Trade Commission (FTC) is requiring the Web hosting company to implement a more rigorous set of security practices.

According to the FTC's complaint, "GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services" since 2018, the agency said in a statement.

The FTC found GoDaddy failed to manage assets and software updates, assess risks to shared hosting services, adequately log and monitor any security-related events, and segment its shared hosting from insecure environments.

These cybersecurity failures led to several security breaches between 2019 and 2022, where hackers were able to gain unauthorized access to customers' websites and data, putting consumers of these websites at risk, according to the FTC. 

All this while GoDaddy claimed on its websites, social media, and emails that it "deployed reasonable security and that it was in compliance with the EU-US and Swiss-US Privacy Shield Frameworks," ultimately misleading its customers.

Going forward, GoDaddy is required to establish and implement a comprehensive information-security program, and must hire an independent third-party to perform biennial reviews of its security program.