FTC Orders GoDaddy to Bolster its Security After Years of Attacks
Federal regulators are telling giant web hosting firm GoDaddy that it must drastically improve its security operations, following a series of data breaches dating back seven years, as a condition of settling the charges brought against it.
In a settlement document released this week, the Federal Trade Commission (FTC) ordered the Arizona-based company to meet a range of conditions that prohibit GoDaddy from misrepresenting the capabilities of its security tools and force it to implement a strong security program.
In addition, GoDaddy must submit to an initial review of its security program and then undergo assessments by independent third-party assessors every two years.
The requirements include designating a single person to be accountable for the information security program; deploying a SIEM or comparable tool capable of near-real-time analysis of security events; creating and retaining audit logs; addressing authentication weaknesses using certificates, public-private key pairs or similar technologies; and mandating multifactor authentication for employees, contractors and third-party affiliates.
The requirements are meant to prevent a repeat of the series of attacks that have compromised GoDaddy's systems since 2018.
“Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in a statement, noting that the company has about 5 million web hosting customers.
Series of Security Failures
The FTC pointed to GoDaddy's failure to protect the data it holds, which led to "several major security breaches" between 2019 and 2022. Those breaches allowed threat actors to access customer websites and data and exposed consumers who visited those sites to risk; some were redirected to malicious websites.
Throughout this period, GoDaddy misled customers about the extent of its security operations through statements on its websites, in emails and on social media, according to the FTC. The company also claimed that its security practices complied with the Privacy Shield frameworks agreed upon by the United States, the EU and Switzerland, which required participating companies to take "reasonable and appropriate measures" to protect personal information.
‘Blind to Vulnerabilities and Threats’
In its 14-page complaint, the FTC said that despite presenting itself as a secure hosting provider, GoDaddy was "blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers' websites and data, and to monitor it for security threats."
That included failing to inventory and manage its assets and software updates, assess the risks to its hosting services, require multifactor authentication, log security-related events, analyze those logs with threat-detection software, segment its network, and secure connections to services that handled consumer data.
An Easy Target
The FTC outlined an attack in 2019 in which a threat actor gained access to the company's shared hosting environment by exploiting an unpatched vulnerability in the customer-managed hosting space and then moved laterally through a server that bridged multiple environments. A subsequent investigation by GoDaddy's security team found that more than a third of the 254 specialized servers were running software with known security flaws.
There were at least two incidents the following year. In one, a threat actor that had been present in the shared hosting environment for six months took GoDaddy's home page offline. In another, a month later, several types of application files on about 45,000 specialized GoDaddy servers were replaced with malicious versions, compromising roughly 28,000 customer credentials and 199 employee credentials.
The complaint also detailed attacks in 2021 and 2022. The 2022 intrusion was suspected to be the work of the same threat actor behind the 2020 compromise of the specialized servers, which reportedly remained in GoDaddy's systems for years.