The Federal Trade Commission (FTC) will require web hosting giant GoDaddy to implement basic security protections, including HTTPS APIs and mandatory multifactor authentication, to settle charges that it failed to secure its hosting services against attacks since 2018.
The FTC says the Arizona-based company’s claims of reasonable security practices also misled millions of web-hosting customers because GoDaddy was instead “blind to vulnerabilities and threats in its hosting environment” due to its failure to implement standard security tools and practices.
The big problem is that the company claimed to have robust security measures in place, but lots of basic security practices were found not to be in place, and it had multiple major security breaches over time.
According to a proposed settlement order, the FTC will require GoDaddy to establish a robust information security program and will prohibit the company from misleading customers about its security protections. The order also mandates that GoDaddy hire an independent third-party assessor to conduct biennial reviews of its information security program.
It really appears that this was almost tantamount to fraud — where you promise something in writing to customers, but in fact, that is not what you are delivering behind the scenes.
Hopefully it is a major wake-up call to other hosting providers. Promise what you are delivering on, and don’t promise what you are not doing. It is really as simple as that. Independent security audits are certainly a desirable practice to have in place, as is attention to how regularly they are performed.