
FTC Mandates GoDaddy Security Overhaul: What It Means for You
The Federal Trade Commission (FTC) has taken decisive action to enhance the security of GoDaddy’s hosting services following a series of data breaches that exposed vulnerabilities in their systems. This move comes after the FTC identified significant lapses in GoDaddy’s security practices, including inadequate asset management and delayed software updates, which were highlighted in the FTC’s complaint. The order mandates a comprehensive overhaul of GoDaddy’s security protocols, aiming to protect the integrity and confidentiality of customer data. This initiative not only addresses past failings but also sets a new standard for security in the web hosting industry, emphasizing the importance of robust risk assessments and real-time monitoring as detailed by the FTC.
GoDaddy’s Security Overhaul: What It Means for You
Enhanced Information Security Program
The Federal Trade Commission (FTC) has mandated that GoDaddy implement a comprehensive information security program to address its previous security failings. This program is designed to protect the security, confidentiality, and integrity of its services. The overhaul includes several critical components:
- Asset Management and Software Updates: GoDaddy is required to improve its asset management and ensure timely software updates. Asset management involves keeping an accurate inventory of all assets, like servers and software, to ensure they are up to date and secure. According to the FTC’s complaint, GoDaddy’s failure to manage assets and software updates contributed significantly to past security breaches.
- Risk Assessments: The company must conduct thorough risk assessments for its shared hosting services. This involves identifying potential threats and vulnerabilities and implementing measures to mitigate them. The FTC highlighted the lack of proper risk assessments as a factor in the security breaches experienced by GoDaddy between 2019 and 2022.
- Monitoring and Logging: GoDaddy is now required to actively monitor its hosting environments for security-related events. This includes implementing robust logging mechanisms to track and respond to potential threats in real time. The absence of effective monitoring and logging was a significant oversight in GoDaddy’s previous security practices, as noted in the FTC’s findings.
Multi-Factor Authentication (MFA)
A crucial aspect of the security overhaul is the implementation of mandatory multi-factor authentication (MFA) for all customers, employees, and contractors. MFA adds an extra layer of security by requiring users to provide two or more verification factors to gain access to a resource, such as a password and a code sent to a mobile device. The FTC order specifies that at least one method of MFA should not require a telephone number, allowing for the use of authentication applications or security keys. This change is expected to significantly reduce the risk of unauthorized access to customer accounts and data.
Independent Third-Party Assessments
To ensure compliance with the new security measures, GoDaddy must hire an independent third-party assessor to conduct biennial reviews of its information security program. These assessments will evaluate the effectiveness of the security measures in place and identify any areas for improvement. The FTC has emphasized the importance of these independent assessments in maintaining a high standard of security and accountability.
Incident Reporting Protocols
Under the FTC’s order, GoDaddy is required to report any incidents where customer data is exposed, accessed, or stolen within 10 days. This prompt reporting is intended to ensure transparency and allow affected customers to take necessary precautions. The FTC has criticized GoDaddy in the past for delays in disclosing security breaches, which left customers vulnerable to further attacks.
Prohibition on Misleading Security Claims
The FTC’s order prohibits GoDaddy from making misleading claims about its security practices. This includes representations on its websites, email communications, and social media advertisements. The FTC found that GoDaddy had previously misled customers by claiming to offer “award-winning security” while failing to implement basic data protection measures. This prohibition aims to ensure that customers have accurate information about the security of their hosting services.
Impact on Customers and the Industry
The security overhaul mandated by the FTC is expected to have a significant impact on GoDaddy’s customers and the broader web hosting industry. For customers, the enhanced security measures provide greater assurance that their websites and data are protected against unauthorized access and cyber threats. The requirement for MFA and improved incident reporting protocols will empower customers to take proactive steps in safeguarding their accounts.
For the industry, the FTC’s action against GoDaddy sets a precedent for the level of security expected from web hosting companies. It underscores the importance of robust security practices and the need for transparency in communicating security measures to customers. The FTC’s settlement with GoDaddy serves as a reminder that companies must prioritize data protection and be accountable for their security practices.
In conclusion, the FTC’s order requiring GoDaddy to secure its hosting services represents a significant step towards improving the security of web hosting environments. The comprehensive security program, mandatory MFA, independent assessments, and enhanced incident reporting protocols are all measures designed to protect customers and restore trust in GoDaddy’s services. As the company implements these changes, it will be crucial for customers to stay informed and take advantage of the enhanced security features to safeguard their online presence.
Final Thoughts
The FTC’s order requiring GoDaddy to enhance its security measures marks a pivotal moment for the web hosting industry. By implementing a comprehensive security program, mandatory multi-factor authentication, and independent third-party assessments, GoDaddy is poised to restore trust among its customers. These changes, as outlined by the FTC, are expected to significantly reduce the risk of unauthorized access and data breaches. Moreover, the prohibition on misleading security claims ensures transparency and accountability, setting a precedent for other companies in the industry. As GoDaddy moves forward with these improvements, it is crucial for customers to remain vigilant and leverage the enhanced security features to protect their online presence, as emphasized in the FTC’s settlement.
References
- FTC takes action against GoDaddy for alleged lax data security in its website hosting services, 2025, Federal Trade Commission https://www.ftc.gov/news-events/news/press-releases/2025/01/ftc-takes-action-against-godaddy-alleged-lax-data-security-its-website-hosting-services
- FTC mandates security overhaul at GoDaddy after data breaches, 2025, Tech Monitor https://www.techmonitor.ai/technology/cybersecurity/ftc-mandates-security-overhaul-godaddy-data-breaches
- FTC finalizes order requiring GoDaddy to secure hosting services, 2025, Bleeping Computer https://www.bleepingcomputer.com/news/security/ftc-finalizes-order-requiring-godaddy-to-secure-hosting-services/
- GoDaddy reaches settlement with FTC over data security failures, 2025, GRC Report https://www.grcreport.com/post/godaddy-reaches-settlement-with-ftc-over-data-security-failures
- GoDaddy to improve data security practices under FTC settlement, 2025, Morningstar https://www.morningstar.com/news/dow-jones/2025011510014/godaddy-to-improve-data-security-practices-under-ftc-settlement-update
- GoDaddy security failings lead to FTC settlement, 2025, InfoSecurity Magazine https://www.infosecurity-magazine.com/news/godaddy-security-failings-ftc/