US consumer advocates want to force web host GoDaddy to improve IT security

GoDaddy fails to adequately protect hosted customer websites and engages in misleading privacy advertising, FTC says. It demands robust IT security.


The US competition and consumer protection authority FTC (Federal Trade Commission) is taking action against GoDaddy, one of the largest web hosting providers in the world. The independent US regulator is accusing the company of a lack of IT security for web hosting services and misleading promises regarding data protection. Cyberattacks due to weak protection could harm GoDaddy customers and their website visitors. The FTC is therefore demanding that GoDaddy take a number of measures to strengthen its own IT security.

The US authority refers to serious security breaches in the years from 2019 to 2022 in which cybercriminals were able to gain unauthorized access to GoDaddy customers' websites. In December 2022, for example, attackers were able to redirect GoDaddy websites following a cyber intrusion. Visitors to customer websites were sporadically and automatically redirected to malware sites. A year earlier, a GoDaddy data breach affected 1.2 million WordPress customers when cyberattackers were able to gain access to the personal data of these GoDaddy customers. In total, GoDaddy has around 5 million web hosting customers, according to the FTC.

In the official complaint, the FTC's list of “inadequate security practices” includes GoDaddy's failure to inventory and manage assets and software updates, failure to assess risks to its shared hosting services, failure to adequately log and monitor security-related events in the hosting environment, and failure to separate shared hosting from less secure environments. This includes GoDaddy not using multifactor authentication and not using software to check log files for possible threats.


The FTC also accuses GoDaddy of misleading customers through statements on its website, in emails or in advertising on social networks. The web host points to the “appropriate security” of its services and claims that it complies with the data protection framework agreements between the USA and the EU and Switzerland. These require companies to take “reasonable and appropriate measures to protect personal data”. In the FTC's opinion, GoDaddy's statements are not accurate.

In addition to the expansion of IT security, the FTC also requires GoDaddy to commission an external expert to independently review the company's IT security. This is to take place after the initial measures have been implemented and every two years in the future.

At the same time, the FTC is making a settlement proposal. According to this, the complaint will be settled if GoDaddy implements a “comprehensive data security program”. This is based on similar FTC cases, such as with Marriott. In April 2024, the hotel chain was forced to admit in court proceedings that the data of 500 million victims captured in cyberattacks was not encrypted by Marriott. At the end of last year, the hotel chain reached an agreement with the FTC on a “comprehensive information security program” that Marriott must implement.

“Millions of businesses, especially small businesses, rely on web hosting providers like GoDaddy to secure the websites they and their customers depend on,” said Samuel Levine, director of the FTC's Bureau of Consumer Protection. “The FTC is taking action today to ensure that companies like GoDaddy strengthen their security systems to protect consumers around the world.”

(fds)


This article was originally published in German. It was translated with technical assistance and editorially reviewed before publication.