- The FTC finalized its orders for GoDaddy following security breaches
- The orders are part of an agreed settlement
- GoDaddy has different headlines for different operations
The US Federal and Trade Commission (FTC) has outlined almost a dozen requirements which hosting provider GoDaddy must fulfill in order to settle the charges of data security failings that resulted in multiple data breaches in recent years.
In a 14-page document, the FTC first stated that GoDaddy must no longer misrepresent its security and data protection practices, use of security technologies, or its participation in security and privacy programs (suggesting that the company actually misled users about its security practices).
GoDaddy then has 90 days to implement a comprehensive program that is documented and updated at least once a year (or after an incident), assigns a qualified person responsible, and assesses and manages internal and external security risks, among other things.
Additional requirements
The hosting giant also has 180 days to disconnect or secure unsupported software and hardware, monitor for unauthorized changes to the OS and app files, and to set up “phishing-resistant multi-factor authentication (MFA) for employees, contractors, and customers. APIs need to be secured with HTTPS, authentication, rate-limiting, and monitoring.
Other requirements include third-party security assessments, full cooperation with assessors, annual executive certification, incident reporting, and more.
GoDaddy is one of the best website hosting companies around, serving more than five million customers across the world.
Roughly two years ago, it was discovered that an unknown threat actor had been sitting in GoDaddy’s systems for several years, installing malware, stealing source code, and attacking the company’s customers.
The company’s SEC filing at the time showed the attackers breached GoDaddy’s cPanel shared hosting environment and used that as a launch pad for further attacks. The company described the hackers as a “sophisticated threat actor group”.
The group was eventually spotted in late 2022 when customers started reporting that traffic coming to their websites was being redirected elsewhere.
Via BleepingComputer
Leave a comment