Enhance Systems

Tech News: GoDaddy Complaint Over Years of Poor Cybersecurity

The US International Trade Commission (ITC) has issued a scathing complaint against web-hosting giant GoDaddy, accusing the company of failing to implement basic cybersecurity tools and practices since 2018.

What Is the ITC, and What Is the Complaint?

The ITC is a US federal agency responsible for enforcing trade laws, addressing unfair trade practices, and protecting industries from harm. Although its remit typically covers trade-related matters, it has increasingly expanded its oversight to include consumer protection, particularly in cases where corporate failings have broader implications for commerce and public interest.

In a recent formal complaint, the ITC alleged that GoDaddy violated Section 5 of the Federal Trade Commission Act, which prohibits unfair or deceptive business practices. Despite marketing itself as a secure and reliable hosting provider, GoDaddy (according to the ITC) failed to live up to its claims, thereby leaving millions of customer websites vulnerable, resulting in multiple security breaches and significant data compromises.

The Allegations in More Detail

The ITC’s complaint paints a troubling picture of GoDaddy’s cybersecurity practices (or lack of them). It accuses the company of failing to implement even the most rudimentary safeguards to protect its hosting environment. Among the lapses cited by the ITC are the absence of essential measures such as multi-factor authentication (MFA), proper asset inventory, and robust threat monitoring.

Specifically, the ITC’s complaint (published online) identified the following failings:

– No centralised asset management. As of 2020, GoDaddy had visibility over only 15,000 devices out of the approximately 450,000 in its environment.

– Irregular patch management. Despite a policy requiring critical updates to be applied within 30 days, GoDaddy relied on scattered teams to handle patches with no central oversight, leading to unpatched vulnerabilities across thousands of servers.

– Inadequate logging and monitoring. Security-related events were inconsistently logged, making it difficult to investigate breaches or suspicious activity.

– Weak authentication practices. The company relied on username/password combinations without requiring MFA for privileged accounts until 2020, thereby exposing sensitive systems to unauthorised access.

– Network mismanagement. A lack of segmentation between shared hosting and other services enabled threat actors to move laterally within GoDaddy’s infrastructure.

– API insecurity. GoDaddy’s APIs, critical for managing customer data, used outdated protocols, such as plaintext credentials, leaving them highly susceptible to interception and exploitation.
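Two of the failings listed above, the inventory gap and the 30-day critical-patch policy with no central oversight, are the kind of thing a security team can measure rather than assert. The script below is an added example written for this article, not code from the complaint or from GoDaddy: it compares a constructed list of hosts seen by a network scan against a constructed central inventory, reports the coverage ratio, and flags critical patches that were applied late or are still open beyond the 30-day window. All hostnames, advisory labels and dates are made up for the illustration.

```python
"""
Added example (not from the article or from GoDaddy): audit a constructed
asset inventory and patch log for the two gaps the complaint describes --
hosts seen on the network but absent from the central inventory, and
critical patches outstanding past a 30-day policy window.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

PATCH_SLA_DAYS = 30            # policy window cited in the complaint
AUDIT_DATE = date(2024, 5, 1)  # constructed "today" for the audit run


@dataclass(frozen=True)
class CriticalPatch:
    host: str
    advisory: str            # constructed label, not a real advisory id
    released: date           # date the critical update became available
    applied: Optional[date]  # None means the patch is still outstanding


# Constructed data: what a network scan observed vs. what the CMDB records.
SCANNED_HOSTS = {"web-01", "web-02", "db-01", "api-gw-01", "legacy-07"}
INVENTORY_HOSTS = {"web-01", "web-02", "db-01"}

PATCHES = [
    CriticalPatch("web-01", "ADV-0001", date(2024, 1, 1), date(2024, 1, 10)),
    CriticalPatch("web-02", "ADV-0001", date(2024, 1, 1), None),
    CriticalPatch("db-01", "ADV-0002", date(2024, 2, 15), date(2024, 4, 1)),
    CriticalPatch("api-gw-01", "ADV-0003", date(2024, 3, 1), None),
]


def unmanaged_hosts(scanned, inventory):
    """Hosts present on the network but not tracked centrally (the visibility gap)."""
    return sorted(scanned - inventory)


def inventory_coverage(scanned, inventory):
    """Fraction of observed hosts that the central inventory knows about."""
    return len(scanned & inventory) / len(scanned) if scanned else 0.0


def sla_breaches(patches, today, sla_days=PATCH_SLA_DAYS):
    """Critical patches applied after the SLA deadline, or still open past it.

    Returns (host, advisory, days_overdue) tuples; an open patch is measured
    against `today`, so it keeps accruing overdue days until it is applied.
    """
    breaches = []
    for p in patches:
        deadline = p.released + timedelta(days=sla_days)
        closed = p.applied if p.applied is not None else today
        if closed > deadline:
            breaches.append((p.host, p.advisory, (closed - deadline).days))
    return breaches


if __name__ == "__main__":
    print("unmanaged hosts:", unmanaged_hosts(SCANNED_HOSTS, INVENTORY_HOSTS))
    print(f"inventory coverage: {inventory_coverage(SCANNED_HOSTS, INVENTORY_HOSTS):.0%}")
    for host, advisory, late in sla_breaches(PATCHES, AUDIT_DATE):
        print(f"{host}: {advisory} overdue by {late} days")
```

On the constructed data the inventory covers 60% of observed hosts, two hosts are unmanaged, and three of four critical patches breach the 30-day window. The point of the exercise is that a host missing from the inventory (such as the constructed `legacy-07`) never appears in the patch log at all, so inventory coverage has to be checked before patch compliance numbers mean anything.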

A History of Breaches and Consequences

The ITC report also details several high-profile security incidents that occurred under GoDaddy’s watch, starting back in 2019. The ITC alleges that these breaches highlight the tangible risks posed by the company’s inadequate security measures.

The 2019-2020 Breaches

A breach in October 2019 saw attackers exploit vulnerabilities in GoDaddy’s infrastructure to move laterally into its shared hosting environment. Threat actors replaced critical server files with malicious versions, ultimately compromising customer and employee login credentials. Shockingly, these intrusions went undetected for six months until another unrelated event in March 2020 prompted an external security audit.

During this time, attackers reportedly stole credentials for over 28,000 customer accounts and 199 employees, gaining administrative access to key systems. The breach also involved the theft of approximately 1,000 payment card details.

2021 WordPress API Breach

In November 2021, GoDaddy discovered another breach targeting its Managed WordPress hosting service. This time, attackers exploited an exposed API, obtaining data for 1.2 million customers, including email addresses, private encryption keys, and login credentials for WordPress and database management tools. Evidence suggests the attackers used this access to plant malware and commit search engine optimisation (SEO) fraud, misleading visitors and search engines alike.

2022 Malware Resurgence

The most recent breach, in December 2022, saw the same threat actors return to exploit remnants of the 2019-2020 compromise. This time, attackers deployed malware that redirected visitors of customers’ websites to malicious destinations, such as phishing pages or explicit content. Despite the repeated nature of these attacks, the ITC alleges that GoDaddy failed to proactively detect the intrusion, learning of it only through customer complaints.

Impact on Customers and the Broader Ecosystem

The consequences of GoDaddy’s (alleged) failings have been far-reaching. Small businesses that rely on its hosting services have endured significant disruptions, including compromised websites, stolen customer data, and tarnished reputations. Some customers have faced financial fraud or identity theft, while others have spent substantial time and resources remediating the damage caused by breaches.

The ITC’s complaint makes the point that these harms were entirely avoidable had GoDaddy employed widely available, low-cost security measures. Also, it accuses the company of misleading customers by marketing its services as secure while failing to back these claims with appropriate protections.

GoDaddy’s Response and the Way Forward

In response to the ITC’s allegations, GoDaddy has neither admitted nor denied the charges but has agreed to implement a comprehensive security overhaul. This includes creating a centralised inventory of its hardware and software, adopting SIEM (Security Information and Event Management) tools for real-time threat detection, and enforcing MFA across all privileged accounts.

A spokesperson for the company stated: “We are committed to safeguarding our customers’ data and continually improving our security posture. Many of the measures outlined in the settlement are already underway.”

The Settlement

Despite the gravity of the accusations and the scale of harm outlined in the ITC’s complaint, the settlement agreement struck with GoDaddy has left some questioning its adequacy. Under the terms of the proposed deal, GoDaddy must implement sweeping improvements to its cybersecurity practices. This includes undergoing regular, independent third-party assessments of its security programme and adhering to a ban on making deceptive claims about its data protection efforts in the future.

Notably, the ITC has not imposed any fines but has warned that future violations could result in penalties of up to $51,744 per breach.

What’s Next?

The ITC has opened the settlement for public comment, and its finalisation will mark a critical juncture for GoDaddy. The case serves as a cautionary tale for other companies, demonstrating the risks of neglecting cybersecurity in an increasingly hostile digital landscape.

What If You’re A Business Customer of GoDaddy’s?

For businesses that rely on GoDaddy’s hosting services, the revelations in the ITC’s complaint may understandably be a little unsettling. Many may now be questioning whether their websites or customer data were compromised in the breaches. Those who suspect they have been affected can review communications from GoDaddy, as the company has stated that it notified impacted customers following major incidents. Also, another option for businesses may be to engage independent security experts to audit their sites and data for any lingering vulnerabilities. Moving forward, customers will need to think carefully about whether GoDaddy’s promised security enhancements can restore their confidence or if alternative hosting providers may better meet their needs.

What Does This Mean For Your Business?

As one of the largest web-hosting providers, GoDaddy holds a significant position of responsibility, safeguarding not only its customers but also the broader ecosystem of internet users who interact with its hosted websites. The ITC’s findings therefore paint a very concerning picture of what it alleges were basic and systemic failures in cybersecurity practices over several years, leading to serious breaches that have impacted countless businesses and their customers.

For GoDaddy, the settlement offers a chance to repair its reputation and demonstrate a renewed commitment to cybersecurity. Although the lack of financial penalties has been surprising to some, it appears to be more of a case of getting some swift remedial action rather than prolonged litigation. However, it is understandable that some stakeholders may view the resolution as lenient, given the scale of the alleged failings and the potential harm caused. The onus is clearly now on GoDaddy to follow through on its promises and implement the sweeping changes outlined in the settlement.

For businesses affected by the breaches, the road to recovery may be a long and complex one. While GoDaddy’s notification efforts and security improvements may offer some reassurance, the damage to customer trust and the potential for lingering vulnerabilities remain pressing concerns. Businesses should, perhaps, weigh the risks and benefits of continuing their reliance on GoDaddy and consider proactive steps to safeguard their operations, regardless of the hosting provider they choose.

This case serves as a wake-up call for the entire tech industry, underscoring the need for vigilance in an era of evolving cyber threats. Basic security hygiene, while often viewed as a standard requirement, is essential to maintaining trust and preventing harm on a global scale. For organisations of GoDaddy’s stature, the stakes are even higher, as lapses in security can reverberate far beyond their own systems.

The ITC’s intervention, therefore, not only holds GoDaddy to account in some way but also sends a clear message to the industry, i.e. that data protection and cybersecurity are not optional. As businesses and consumers alike navigate the fallout, the hope is that this episode will lead to meaningful changes, not just for GoDaddy but for the industry as a whole, ensuring a more secure digital landscape for everyone.
