On January 16, 2025, the FTC announced a proposed complaint and consent agreement with one of the largest hosting companies in the world:  GoDaddy.  According to the complaint, the FTC found GoDaddy’s security practices “unreasonable for a company of its size and complexity.”  The proposed consent agreement requires GoDaddy to undertake a number of security measures, including disconnecting its hosting environment from all hardware running software that is no longer supported.  GoDaddy does not admit or deny any of the allegations of the complaint.

Complaint

GoDaddy offers web hosting services to companies of all sizes, but the complaint primarily focused on the services where companies chose to run their websites on portions of GoDaddy’s environment shared with other companies.  This alternative cost less than dedicated, customer-managed hosting and therefore was favored by small businesses.

The FTC’s complaint alleged that GoDaddy’s security practices were an unfair act or practice under Section 5 of the FTC Act.  The complaint also alleged that GoDaddy’s representations regarding its security were false or misleading, also violating Section 5 of the FTC Act.  According to the complaint, GoDaddy had advertised and promoted its shared hosting services, emphasizing the security measures taken.  According to Paragraph 6 of the FTC’s complaint:

Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment.  Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats.  In particular, GoDaddy failed to:  (a) inventory and manage assets; (b) manage software updates; (c) assess risks to its website hosting services; (d) use multi-factor authentication; (e) log security-related events; (f) monitor for security threats, including by failing to use software that could actively detect threats from its many logs, and failing to use file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data.

In addition, Paragraph 11 of the FTC’s complaint pointed to GoDaddy’s responsibilities relating to its acquisition activities:

GoDaddy Inc. has directly participated in the security practice failures at issue.  For example, when GoDaddy Inc. acquired a European hosting company, Host Europe Group (“HEG”), it made GoDaddy responsible for HEG’s security.  Many of HEG’s servers were no longer receiving security patches for their software, introducing security risks into GoDaddy.com’s Shared Hosting environment.  By directing GoDaddy.com to take responsibility for these servers, GoDaddy Inc. added security obligations to GoDaddy.com’s security team, and introduced a risk of vulnerabilities that could be exploited by threat actors.

According to the complaint, a threat actor accessed the GoDaddy environment in October of 2019 through the customer-managed side of GoDaddy’s environment, then likely exploited known vulnerabilities on the specialized servers that connected the customer-managed side to the shared side of GoDaddy’s environment, spreading malicious software.  In 2020, a threat actor took down GoDaddy’s home page, and the investigation indicated that the threat actor had been in GoDaddy’s environment for 6 months, undetected by GoDaddy.  The security firm conducting the investigation also determined that the threat actor had compromised the credentials of over 28,000 customers (compromising credit card data) and of almost 200 GoDaddy employees (permitting changes to the environment), since MFA was not implemented.  In November 2021, customers alerted GoDaddy that the previously compromised credentials had been used to compromise an application in the shared hosting environment.  According to the complaint, the threat actor used the stolen credentials to commit search engine optimization fraud.  In December 2022, the threat actor again compromised customer credentials.

Finally, the complaint stated that GoDaddy had certified that it complied with the EU-US Privacy Shield.  The FTC complaint alleged that GoDaddy’s security issues made the public representations of compliance with Privacy Shield false and misleading.

Proposed Consent

The FTC’s proposed consent contains many requirements that appear in similar agreements from many regulators:  a written information security program with a qualified individual responsible for it; an annual risk assessment; implementation and documentation of controls to address those risks; logging requirements; and implementation of MFA.  The FTC’s proposed consent, however, includes some additional requirements that deserve attention:

  • Within 180 days, GoDaddy must disconnect the hosting service environment from all hardware assets with GoDaddy-managed software that is no longer supported (end-of-life), or, “if disconnection is infeasible, temporarily implement appropriate controls to mitigate threats and document a plan to disconnect the asset or software that includes an appropriate timeline.”
  • Within 90 days, implement and maintain “centralized system component inventories, including of hardware, software and firmware elements, that track out-of-date and vulnerable versions.”
  • With respect to M&A activity, either during due diligence or following the acquisition, GoDaddy must independently test the effectiveness of the safeguards to protect the GoDaddy hosting service where the acquired company/assets would integrate.  The proposed consent also prohibits GoDaddy from integrating any acquired entity’s software or systems into GoDaddy’s network until “(1) all material risks to the security, confidentiality, and integrity of any Hosting Service identified in such a test are remediated; and (2) such application or information system meets the requirements of this Provision.”

Our Take

The cost of non-compliance with security protocols is not merely the fines that can be imposed by the FTC and others.  In fact, in this case, the FTC did not impose a fine.  The FTC’s requirements on GoDaddy, however, appear to be expensive and likely significantly more costly to GoDaddy than any fine would have been.

The security risks of unsupported software are significant, but it is not always possible to find supported software that meets the functional needs of the organization.  If such software is going to be retained, the risk should be documented and formally accepted, together with a plan (and budget) to mitigate the risk over time.  In our experience, this is the type of security risk that some organizations fail to explain to their Boards.

Finally, there are numerous examples of unauthorized actors exploiting M&A activities to obtain access to larger and more sophisticated companies by infiltrating smaller targets.  The consent order makes it clear that the acquiring company needs to take appropriate steps to protect its environment as it integrates new organizations and address failures it identifies as the IT infrastructures are combined.