GoDaddy Accused of Serious Security Failings by FTC


Major security failures were the cause of multiple customer data breaches of web hosting giant GoDaddy, the US Federal Trade Commission (FTC) has found.

A proposed FTC settlement order will require GoDaddy to implement a robust information security program to overhaul “unreasonable security practices”.

The FTC also alleged that GoDaddy misled its customers about the extent of the data security protections on its website hosting services.

The order will prohibit the firm from making misrepresentations to customers about its security and privacy program in the future.

A description of the consent agreement package will be published in the Federal Register and be subject to public comment for 30 days. After this period a decision will be made whether to make the order final.

The FTC complaint alleges that data breaches were enabled by significant security failings by GoDaddy since 2018. These include failing to:

  • Inventory and manage assets and software updates
  • Assess risks to its shared hosting services
  • Adequately log and monitor security-related events in the hosting environment
  • Segment its shared hosting from less-secure environments

GoDaddy has not yet publicly commented on the FTC allegations and proposed settlement agreement.

Multiple GoDaddy Data Breaches

Several major data breaches at GoDaddy between 2019 and 2022 resulted in malicious actors gaining unauthorized access to customers’ websites and data.

In October 2019, a threat actor gained access to GoDaddy’s Shared Hosting environment, likely by taking advantage of an unpatched vulnerability in the Customer-Managed Hosting environment. The breach was not discovered until April 2020.

The attackers compromised approximately 28,000 customer SSH credentials and 199 employee SSH credentials, none of which had multi-factor authentication (MFA). This access allowed the attackers to capture approximately 1000 customer credit card numbers.

In November 2021, GoDaddy revealed that data belonging to up to 1.2 million WordPress customers had been exposed.

The threat actor used previously compromised credentials to access an internet-facing API that enabled customer service staff to retrieve information on GoDaddy’s customers.

In December 2022, parts of GoDaddy’s Shared Hosting environment were once again compromised to steal customer SSH credentials. The attackers used a compromised file that GoDaddy had not removed in remediating the previous compromise. It is suspected that the hacker was the same one responsible for the 2019 compromise.

The FTC said these compromises left GoDaddy customers vulnerable to numerous harms, including:

  • Threat actors altering GoDaddy’s customers’ websites in ways that harm their businesses
  • Installing malware to steal sensitive information related to the site owners’ customers
  • Implanting malicious code on the websites that harms consumers visiting those websites

Dr Ilia Kolochenko, CEO at ImmuniWeb and a Fellow at the British Computer Society (BCS), commented, “GoDaddy has been operating on extremely competitive and price-aggressive web hosting and domain names markets, unsurprisingly being unable to allocate sufficient resources to cybersecurity as stated in the FTC complaint.”

GoDaddy Ordered to Conduct Security Overhaul

GoDaddy will be required to implement a comprehensive information security program that protects its Hosting Service and Covered Information when the FTC settlement order comes into effect.

The web hosting firm will need to implement automated tools to support near real-time analysis of events.

It will also be required to disconnect from the Hosting Service environment all hardware assets with respondent-managed software installed that is no longer supported by a vendor.

MFA will be required for all employees and third parties with access to any Hosting Service supporting tool or asset.

GoDaddy will have to test the effectiveness of its security measures at least once every 12 months and “promptly” undertake such tests following any security incident.
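The order's logging, monitoring and MFA requirements translate into a concrete detection question for any shared hosting operator: which accepted SSH logins completed with a single factor? The script below is an added example written for this article, not code from the FTC order or from GoDaddy. It assumes OpenSSH's standard `Accepted`/`Partial` log lines, uses the sshd process id to tie the two records of a multi-factor login together, and runs over a constructed sample log (hosts, users, addresses and fingerprints are invented).

```python
import re
from collections import defaultdict

# Matches the OpenSSH "Accepted"/"Partial" records that report which method
# authenticated a connection; the sshd pid ties the Partial and Accepted
# records of one multi-factor login together.
LOG_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[(?P<pid>\d+)\]: "
    r"(?P<result>Accepted|Partial) (?P<method>[\w/-]+) for (?P<user>\S+) "
    r"from (?P<ip>\S+) port (?P<port>\d+)"
)

# Constructed sample log; host names, users, addresses and key fingerprints
# are illustrative only and do not come from any real environment.
SAMPLE_LOG = """\
Jan 10 09:12:01 shared-web01 sshd[1201]: Accepted password for wpuser17 from 198.51.100.23 port 50211 ssh2
Jan 10 09:12:44 shared-web01 sshd[1210]: Partial publickey for svc-ops from 203.0.113.9 port 41022 ssh2: ED25519 SHA256:c0nstructedFingerprint
Jan 10 09:12:45 shared-web01 sshd[1210]: Accepted keyboard-interactive/pam for svc-ops from 203.0.113.9 port 41022 ssh2
Jan 10 09:13:02 shared-web01 sshd[1222]: Accepted publickey for wpuser42 from 198.51.100.77 port 50340 ssh2: RSA SHA256:an0therFingerprint
Jan 10 09:13:30 shared-web01 sshd[1240]: Failed password for invalid user admin from 192.0.2.15 port 33333 ssh2
"""


def find_single_factor_logins(lines):
    """Return the accepted logins that completed with fewer than two distinct factors."""
    methods_by_pid = defaultdict(list)
    flagged = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # failures, disconnects and other noise are not needed here
        pid = m.group("pid")
        # "keyboard-interactive/pam" is one factor; drop the PAM backend suffix.
        method = m.group("method").split("/")[0]
        methods_by_pid[pid].append(method)
        if m.group("result") == "Accepted":
            # The session is complete: everything recorded under this pid is
            # the full list of factors that authenticated it.
            factors = methods_by_pid.pop(pid)
            if len(set(factors)) < 2:
                flagged.append({"ts": m.group("ts"), "user": m.group("user"),
                                "ip": m.group("ip"), "methods": factors})
    return flagged


if __name__ == "__main__":
    for f in find_single_factor_logins(SAMPLE_LOG.splitlines()):
        print(f"{f['ts']} {f['user']}@{f['ip']} logged in with {'+'.join(f['methods'])} only")
```

On the sample, the password-only and key-only customer logins are flagged while the `svc-ops` session (public key followed by a keyboard-interactive second factor) passes. Feeding real `auth.log` lines through the same function is the near real-time check the order asks for; the matching hardening is to require both factors in `sshd_config` with `AuthenticationMethods publickey,keyboard-interactive`, so that single-factor sessions stop appearing at all.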

US Regulators Send a Strong Message

The action follows several FTC cases in the past year which have required companies to revamp their security programs.

Many of these cases have involved large financial settlements.

This includes hotel chain Marriott agreeing to pay a $52m settlement to 50 US states for security failings that led to a large multi-year data breach impacting 131.5 million American customers.


Commenting on the GoDaddy case, Kolochenko said the proposed order sends a strong message to web hosting companies about data security requirements.

While GoDaddy has not been slapped with a large financial settlement by the regulator, the cost of implementing the security measures is likely to be high.

Additionally, non-compliance is likely to result in heavy penalties being issued.

“The history of previous FTC settlements clearly demonstrates the high risk of non-compliance with settlement orders. For instance, the record $5 billion penalty imposed on Facebook in 2019 was for a violation of the previous FTC settlement order with Facebook,” he said.

Kolochenko added: “The FTC is likely aware of this and will certainly keep an eye on GoDaddy: the story is unlikely to end here.”

Samuel Levine, Director of the FTC’s Bureau of Consumer Protection, commented: “Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on.”

He added: “The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe.”

Image credit: Mojahid Mottakin / Shutterstock.com
