GoDaddy slapped with a wet lettuce after years of lax security
As the largest web-hosting company in the world, GoDaddy is also a registry and domain registrar, with 82 million registered domain names. One would expect that a hosting company of that size would be able to apply software updates and monitor security-related events in its hosting environment in order to protect its millions of customers, and visitors to their websites, from online threats. The US consumer watchdog, the FTC, has filed a formal complaint [PDF] describing the business as "blind" to vulnerabilities and threats within its hosting environment since 2018. The complaint claims that the web hosting giant failed to properly maintain its asset inventory. It also alleges that GoDaddy failed to patch its software, failed to assess the risks to its hosting services, and failed to use multi-factor authentication.
"As a result of GoDaddy's data security failures, it experienced several major compromises of its hosting service between 2019 and December 2022, in which threat actors repeatedly gained access to its customers' websites and data, causing harm to its customers and putting them and visitors to their websites at risk of further harm," the complaint reads. The FTC also claimed that "GoDaddy's representations about security [were] false or misleading," and that GoDaddy failed to secure its systems.
So, a hefty fine? Let us gently disappoint you: Nope.
Instead, a proposed settlement [PDF] was approved by the FTC commissioners on a bipartisan 5-0 vote, giving GoDaddy 90 days to establish, implement, and maintain "a comprehensive information security program."
GoDaddy appears to be satisfied with the deal, and neither admits nor denies any of the allegations made in the FTC complaint. A company spokesperson declined to answer specific questions from The Register, including: "Doesn't GoDaddy use a SIEM, or security information and event management system? Or MFA?"
The spokesperson instead told us that the biz was already on top of some of the infosec demands made by the FTC. Under the order, GoDaddy must also deploy automated tools such as a SIEM for near-real-time analysis of security events, and must create and maintain system audit logs.
The order, which is open for public comment for the next 30 days, requires the hosting provider to implement multi-factor authentication for all employees, contractors, and third-party affiliates who have access to hosting service support tools, including anyone connecting to any database.
Another requirement is that all API calls must use HTTPS "or an equivalently secure transfer protocol for all requests," along with other security measures.
In other words, basic security hygiene.
GoDaddy is also barred from making false claims about its security, and must hire an independent assessor to review its infosec program.
And, did we mention, there is no fine? If the proposed consent order is finalized after the public comment period and GoDaddy then fails to comply with its terms, the business could face civil penalties of up to $51,744 per violation.