GoDaddy slapped with wet lettuce for years of lax security and 'several major breaches'

Watchdog alleged it had no SIEM or MFA, orders rapid adoption of basic infosec tools


GoDaddy has failed to protect its web-hosting platform with even basic infosec tools and practices since 2018, according to the FTC, but the internet giant won’t face any immediate consequences for its many alleged acts of omission.

As one of the world's largest web-hosting companies, and a registry and registrar with about 82 million domain names in its care, one would assume GoDaddy would be adept at applying software updates and monitoring security-related events in its hosting environment to protect its millions of customers and the visitors to their websites from online threats.

But according to a Wednesday statement from the FTC, “GoDaddy has failed to implement reasonable and appropriate security measures to protect and monitor its website-hosting environments for security threats, and misled customers about the extent of its data security protections on its website hosting services.”

A formal complaint [PDF] against the company, drawn up by the federal consumer watchdog, describes the biz as “blind to vulnerabilities and threats in its hosting environment" since 2018.

The complaint alleges the web-hosting giant failed to properly manage its assets and inventory, patch its software, assess risks to its hosting services, use multi-factor authentication, log security-related events, monitor for threats, segment its network, and secure connections to services providing access to consumer data.

"As a result of GoDaddy's data security failures, it experienced several major compromises of its hosting service between 2019 and December 2022, in which threat actors repeatedly gained access to its customers' websites and data, causing harm to its customers and putting them and visitors to their websites at risk of further harm," the complaint reads.

Failure to secure its systems makes "GoDaddy's representations about security false or misleading," the FTC alleged.

One might assume the FTC would come down hard on GoDaddy – which ironically enough owns web security outfit Sucuri – for allegedly failing to secure its web-hosting services, potentially putting millions of Americans at risk. We'll let you down gently here: Nope.

Instead, a settlement was proposed [PDF], approved by the FTC's commissioners in a 5-0 bipartisan vote, that gives GoDaddy 90 days to establish, implement, and maintain "a comprehensive information security program."

GoDaddy, which appears to be happy with that deal, does not admit or deny any of the allegations in the FTC complaint. A company spokesperson declined to answer The Register's specific questions — including: “Do you really not use security information and event management, aka SIEM? Or MFA?”

Instead, the spokesperson told us the biz is already on top of some of the infosec demands made of it by the FTC:

GoDaddy has a long history of offering innovative products to our web hosting customers. We are focused on protecting our customers' data and websites, and we invest significant resources in technologies, tools and talent to help safeguard systems and information. We are constantly improving our security capabilities and have already implemented a number of the requirements in the settlement agreement with the FTC.

Notably, the resolution of this matter includes no admission of fault and no monetary penalties. We expect minimal financial impact associated with complying with the terms of the agreement with the FTC. We plan to continue to invest in our defenses to address evolving threats and help keep our customers, their websites and their data safe.

Specifically, this infosec program requires the Arizona-based corporation to create a centralized inventory of hardware, software, and firmware, plus a system for managing updates to these components. GoDaddy also needs to start using automated tools, such as a SIEM, for near-real-time analysis of events, and create and retain system audit logs.

Under the order, which is open to public comment for the next 30 days, the hosting provider will have to roll out at least one MFA method for all employees, staff, contractors, and third-party affiliates who have access to any hosting service support tool, including connecting to any database.

Another requirement calls for all API calls to use HTTPS "or an equivalently secure transfer protocol for all requests," among other security measures.

In other words: Basic security hygiene.

Additionally, GoDaddy is prohibited from making misrepresentations about its security, and it has to hire a third-party assessor to review its infosec program.

And, did we mention, no fine? However, if the proposed consent order is finalized after the public-comment period and GoDaddy fails to comply with its terms, the biz could face civil penalties of up to $51,744 for each violation. ®
