GoDaddy’s Cybersecurity Failures Exposed

GoDaddy FTC Complaint

Just because a company claims it’s secure doesn’t mean it’s true. The FTC’s recent action against GoDaddy highlights the growing concern over security vulnerabilities with third-party providers. As one of the most widely used web hosting and domain registration companies, GoDaddy is now facing serious allegations of cybersecurity failures.

These failures come after GoDaddy assured customers it was doing all the right things. But the reality paints a different picture.

What Went Wrong

Did you know the FTC prohibits companies from engaging in deceptive practices? That means businesses can’t claim to have top-notch security measures when they don’t. GoDaddy is now in trouble for doing exactly that.

Far from the “award-winning security” it promised, GoDaddy has failed to meet even basic cybersecurity standards. Here are some of the glaring issues:

These lapses explain the string of security incidents that have plagued GoDaddy over the years:

  • 2019–2020: Poor network segmentation exposed sensitive customer data, including website credentials and payment card information.
  • 2021: Compromised API credentials led to the exposure of login details, encryption keys, and other sensitive data for 1.2 million customers, revealing weak internal controls.
  • 2022: Unresolved vulnerabilities from the 2019 breach allowed attackers to redirect website visitors to malicious sites. GoDaddy only discovered this after customer complaints—its internal monitoring failed to catch the issue.

Whether you call this negligence or a cybersecurity disaster, it’s clear GoDaddy’s failures put customers—and their data—at significant risk.

The FTC Takes Action

After years of repeated breaches, the FTC has stepped in to hold GoDaddy accountable. According to the agency, “Since at least 2015, GoDaddy has marketed itself as a secure choice for customers to host their websites… touting its commitment to data security and careful threat monitoring practices.”

The reality? GoDaddy failed to deliver, with critical gaps such as:

  • No asset inventory or management of software updates
  • Inadequate risk assessments
  • Missing MFA and logging tools
  • Poor monitoring for security threats
  • Weak network segmentation

The FTC is now requiring GoDaddy to implement a comprehensive security overhaul to prevent future incidents.

GoDaddy FTC Cybersecurity

GoDaddy’s Response

In response to the FTC’s findings, GoDaddy released a statement outlining its commitment to improving security. The company emphasized that it has already implemented several of the FTC’s mandated measures and intends to go beyond those requirements.

GoDaddy stated, “We are continually investing in, evolving, and improving our security in an effort to stay ahead of emerging threats. We expect minimal financial impact associated with complying with these terms.”

The company also attributed the incidents to “an extremely sophisticated criminal group” and highlighted steps they’ve taken since, including partnering with independent security firms, investing in technology, and training employees to better identify and stop threats.

While GoDaddy did not admit fault or pay fines in this settlement, the company acknowledged its responsibility to protect customer data and promised ongoing improvements.

What GoDaddy Must Fix

To address these failures, the FTC has imposed strict requirements on GoDaddy, including:

  1. Comprehensive Security Program: Document and maintain a program to protect customer data.
  2. Risk Assessments: Conduct annual reviews and post-incident evaluations to identify vulnerabilities.
  3. MFA Implementation: Require phishing-resistant MFA for employees and offer MFA options for customers.
  4. Technical Safeguards: Use centralized tracking for vulnerabilities, real-time monitoring, and secure APIs.
  5. Regular Testing: Perform daily vulnerability scans, annual penetration tests, and post-incident reviews.
  6. Third-Party Oversight: Have external security experts assess their program biennially.

While these measures are necessary, they also reflect basic practices that any company handling sensitive data should already have in place.

The Damage Is Done

For small businesses, GoDaddy’s failures highlight the importance of due diligence when selecting third-party providers. Many businesses chose GoDaddy for its affordability and ease of use, trusting its claims of robust security.

Would you feel comfortable trusting a provider with this track record? For businesses that prioritize cybersecurity, the answer is likely no.

Beyond the fines and reputational damage, GoDaddy’s story is a reminder that trust is earned through action, not marketing.

The Real Cost of Neglecting Cybersecurity

Cutting corners on cybersecurity always comes at a cost. Whether it’s ignorance, cost-saving efforts, or complacency, there’s no excuse for neglecting basic security measures.

GoDaddy may be in the spotlight now, but they’re not alone. Businesses of all sizes fail to prioritize cybersecurity, putting their systems, data, and customers at risk.

Here’s the hard truth: there are no shortcuts. Eventually, vulnerabilities will be exploited. To avoid this, small businesses must:

  • Implement MFA and monitoring tools
  • Keep software and systems updated
  • Conduct regular third-party assessments of their networks

While cybersecurity can seem complex, it’s non-negotiable for the future of your business.

Have Your Own Safeguards In Place

Small businesses often rely on third-party providers for essential services like web hosting. While you can’t avoid third parties altogether, you can protect your business by choosing wisely and implementing your own safeguards.

At Just Solutions Inc., we specialize in website hosting and proactive cybersecurity solutions tailored to small businesses. Whether you need help securing your network, implementing MFA, or finding a hosting provider you can trust, we’re here to make cybersecurity manageable.

Take control of your security today, your business depends on it.

Archives