Source URL: https://www.theregister.com/2025/01/15/godaddy_ftc_order/
Source: The Register
Title: GoDaddy slapped with wet lettuce for years of lax security and ‘several major breaches’
Feedly Summary: Watchdog alleged it had no SIEM or MFA, orders rapid adoption of basic infosec tools
GoDaddy has failed to protect its web-hosting platform with even basic infosec tools and practices since 2018, according to the FTC, but the internet giant won’t face any immediate consequences for its many alleged acts of omission.…
AI Summary and Description: Yes
**Summary:**
GoDaddy is facing scrutiny from the FTC for failing to implement basic information security measures to protect its web-hosting platform since 2018. The FTC’s complaint outlines numerous security failures, leading to significant data compromises affecting customers. A proposed settlement requires GoDaddy to create a comprehensive information security program, but no immediate fines are involved.
**Detailed Description:**
The situation surrounding GoDaddy’s information security practices has drawn attention due to the severity of the allegations made by the FTC. The following points highlight the key elements of the complaint and the implications for security practices in the industry:
– **Security Failures:** The FTC has noted GoDaddy’s failure to apply fundamental security measures, including:
  – Inadequate asset and inventory management
  – Lack of software patching
  – Insufficient risk assessments
  – Absence of multi-factor authentication (MFA)
  – Poor logging of security events
  – Inadequate threat monitoring
  – Weak network segmentation
  – Failure to secure connections to services providing access to consumer data
– **Data Compromises:** Due to these security failures, GoDaddy has suffered multiple major data breaches from 2019 to December 2022, jeopardizing its customers’ websites and personal data. The FTC’s stance suggests that customers were misled regarding the actual security protections in place.
– **Proposed Settlement:** A settlement has been proposed that requires GoDaddy to:
  – Establish a comprehensive information security program within 90 days.
  – Create a centralized inventory of all hardware, software, and firmware.
  – Implement automated tools for real-time event analysis, such as Security Information and Event Management (SIEM) systems.
  – Ensure that multi-factor authentication is deployed for all personnel with access to hosting services.
  – Guarantee secure API communications using HTTPS or an equivalent protocol.
– **Compliance Requirements:** The order stipulates several compliance requirements, including:
  – The prohibition of misleading statements regarding security practices.
  – The engagement of a third-party auditor to evaluate the effectiveness of GoDaddy’s information security program.
– **Lack of Fines:** Notably, there are no immediate financial penalties unless GoDaddy fails to comply with the settlement’s terms, which may result in significant civil penalties.
The case emphasizes the importance of maintaining robust security practices in the web-hosting industry and serves as a stark reminder for organizations to prioritize information security and compliance to protect their users effectively. Security professionals in the field should take note of the regulatory expectations outlined and ensure adherence to established security frameworks to avoid similar scrutiny.