
GoDaddy Hit With an FTC Order Mandating a Robust Security Program After a Series of Data Breaches

Popular domain registrar and web hosting company GoDaddy was slapped with an FTC order mandating a robust information security program for allegedly failing to stop data breaches and misleading customers about its cybersecurity practices.

In January 2025, the Federal Trade Commission (FTC) accused GoDaddy of violating Section 5 of the FTC Act by failing to implement standard security practices on customers’ websites despite touting “award-winning security.”

GoDaddy slapped with FTC order for failing to prevent data breaches

Some of its alleged failures included failing to implement multi-factor authentication (MFA), monitor security threats, and secure customer data transfer.

The FTC complaint also accused the web hosting giant of failing to manage software updates, segment its network, track its assets, perform file integrity monitoring, or assess the risks associated with its web hosting services.

Some of the security failures stemmed from Host Europe Group (HEG), a European hosting company GoDaddy acquired in 2016 for $1.79 billion, thereby becoming responsible for its security. HEG’s servers nonetheless did not receive security updates, which affected GoDaddy’s shared web hosting environment.

In one multi-year intrusion, malicious actors breached GoDaddy’s shared cPanel hosting environment, installed malware, and stole source code.

The Delaware-based company was also accused of failing to comply with the EU-U.S. and Swiss-U.S. Privacy Shield Frameworks while misleading its customers into believing otherwise.

“These failures led to several data breaches that allowed bad actors to gain unauthorized access to customers’ websites and data,” the FTC stated.

Additionally, GoDaddy struggled to gain visibility into its web hosting environment and to adequately monitor threats, despite experiencing numerous data breaches between 2019 and 2022.

Subsequently, the FTC order, which passed after a 3-0 vote, directed GoDaddy to refrain from making further misleading statements about complying with “any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization.”

FTC order requires implementation of security measures

The FTC order also required GoDaddy to implement a “comprehensive information-security program” to ensure the security, confidentiality, and integrity of its website-hosting services.

The program requires multi-factor authentication for all customers, employees, and contractors, including at least one method that does not rely on a phone number, such as an authenticator app or key-based authentication.

SMS-based two-factor authentication has repeatedly proven unreliable and easy to defeat for cybercriminals using the 2FA code-hijacking kits sold on the dark web.

“The FTC is making a clear statement here that organizations need to do more to protect their customers from fraud and abuse,” said Thomas Richards, Infrastructure Security Practice Director at Black Duck. “We have seen multiple cases of breaches within the past year where if multi-factor authentication had been used, the breach might not have happened at all.”

Finally, the FTC order requires GoDaddy to retain a third-party assessor to review its information security program once every two years. The company is also required to report data breaches that compromise customer information within 10 days.

“The FTC’s order against GoDaddy represents a significant shift in regulatory tone—this is no longer just about fines or slap-on-the-wrist guidance,” said Heath Renfrow, CISO and Co-founder at Fenix24. “The agency is mandating foundational security practices that should already be standard across the industry, such as multi-factor authentication, vulnerability management, and secure software practices.”

“The most notable element is the FTC’s insistence on proactive, transparent security governance; this is a good attempt to set a clear precedent,” added Renfrow.

GoDaddy thus joins a growing list of companies hit with similar FTC orders mandating a robust information security program after allegedly failing to stop a string of data breaches.

In January 2025, Marriott Hotels received a similar FTC order mandating a robust information security program for failing to prevent data breaches that exposed the personal information of over 344 million people worldwide.