FTC accuses GoDaddy of lax data security for its webhosting services

The United States Federal Trade Commission (FTC) says that GoDaddy has failed to implement a decent data security policy for years. The regulator now demands that the webhosting company implements a robust information security program.
In its complaint, the FTC states that GoDaddy has failed to implement “reasonable and appropriate security measures” to protect and monitor its website hosting environments against security threats since 2018.
GoDaddy’s security practices include failing to inventory and manage assets and software updates, assess risks to its shared hosting services, adequately log and monitor security-related events in the hosting environment, and segment its shared hosting from less-secure environments.
These practices resulted in several major security breaches between 2019 and 2022, in which threat actors gained unauthorized access and exfiltrated customers’ data.
In addition, the FTC feels that GoDaddy misled customers about the extent of its data security protection on its website hosting services, for example, by claiming it was in compliance with EU/US and Swiss/US Privacy Shield Frameworks.
In a proposed settlement order, the FTC demands that GoDaddy establishes a comprehensive data security program similar to other businesses. Also, the company is prohibited from making misrepresentations about its security and the extent to which it complies with any privacy or security program.
Lastly, the FTC wants GoDaddy to hire an independent third-party assessor to conduct initial and biennial reviews of its data security program.
“Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on. The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe,” Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, says in a statement.
In response to the FTC’s complaint, GoDaddy says safeguarding customers’ data and websites is the company’s top priority.
“We have invested in our security systems and continue to do so to help keep our customers, their websites and their data safe. We provide rigorous training for our employees to help them identify and stop potential threats. As we move forward, we plan to continue making improvements beyond the FTC's order to help provide additional protection for our customers in an effort to stay ahead of bad actors.”
In the settlement order, GoDaddy doesn’t admit any wrongdoing on its part, or pay any monetary fines or penalties.
With over 21 million webhosting customers and 62 million registered domains, GoDaddy is one of the largest webhosting companies in the world. In 2023, the company recorded a revenue of approximately $4.2 billion and a gross profit of almost $2.7 billion. GoDaddy employs over 6,100 employees worldwide.
Your email address will not be published. Required fields are marked