The Federal Trade Commission (FTC) will require web hosting giant GoDaddy to implement basic security protections, such as multi-factor authentication and HTTPS APIs, to settle charges that it failed to secure its hosting services against attacks since 2018.
FTC says the Arizona-based company's claims of reasonable security practices also misled millions of web-hosting customers because GoDaddy was instead "blind to vulnerabilities and threats in its hosting environment" due to its failings to implement standard security tools and practices.
"Millions of companies, particularly small businesses, rely on web hosting providers like GoDaddy to secure the websites that they and their customers rely on,"
said Samuel Levine, Director of the FTC's Bureau of Consumer Protection.
"The FTC is acting today to ensure that companies like GoDaddy bolster their security systems to protect consumers around the globe."
According to the FTC's
complaint, GoDaddy's unreasonable security practices included failing to use multi-factor authentication (MFA), manage software updates, log security-related events, segment its network, monitor for security threats (including by failing to use software that could actively detect threats from its many logs), and use file integrity monitoring.
The company also failed to inventory and manage assets, assess risks to its website hosting services, and secure connections to services that provide access to consumer data.
