Safeguarding our customers’ data and websites is incredibly important to GoDaddy. We are continually investing in, evolving and improving our security in an effort to stay ahead of emerging threats. We recently reached an agreement with the U.S. Federal Trade Commission (FTC) related to previous security incidents. In the settlement, we did not admit any fault or pay any monetary fines or penalties. We agreed to put in place certain security requirements, a number of which we have already implemented. We expect minimal financial impact associated with complying with these terms. Given our ongoing investment in our people and security systems, we plan to continue to make improvements beyond these requirements.
As background, in early 2020, GoDaddy notified customers about two security incidents. The first one occurred in March 2020 and involved an account takeover of a high-profile domain name account. The second was disclosed in April 2020 and primarily involved a small subset of our hosting customers’ login credentials. We believe the unauthorized intrusion was perpetrated by an extremely sophisticated criminal group, potentially using undisclosed vulnerabilities to gain access to our network.
During the course of the FTC investigation, we cooperated and answered questions they had about our systems, security processes and other developments. Since these incidents, we have reviewed the security of our hosting environment and engaged outside experts to help us better understand the nature of the incidents.
We have invested in our security systems and continue to do so to help keep our customers, their websites and their data safe. We provide rigorous training for our employees to help them identify and stop potential threats. As we move forward, we plan to continue making improvements beyond the FTC's order to help provide additional protection for our customers in an effort to stay ahead of bad actors.
FAQ
1. What prompted the FTC to investigate GoDaddy?
The FTC initiated its investigation regarding GoDaddy’s security practices after two incidents that we notified customers about around the same time. The first incident occurred in March 2020 and involved an account takeover of a high-profile domain name account. The second incident was disclosed in April 2020 and primarily involved a small portion of our hosting customers’ login credentials. Both incidents attracted media attention, and the FTC subsequently contacted GoDaddy regarding its security practices.
2. How are you preventing it from happening again?
We partnered with several independent security firms, including Mandiant, to improve the security of our network. Additionally, we continue to make significant investments in our people and technology to enhance our defenses and to help protect our customers.
3. Has the FTC levied any fines against GoDaddy in connection with this settlement?
No. The FTC announced no fines or other financial penalties as a result of its investigation and subsequent agreement with GoDaddy. We expect minimal financial impact associated with complying with the terms of the agreement with the FTC.
4. What measures is GoDaddy taking to enhance its cybersecurity controls following this investigation?
GoDaddy is continually evolving and improving its security to help keep our customers and their data safe. We invest significantly in our people through required training and by providing the tools they need to be successful. From a technology standpoint, we are continually reviewing new products and services to improve our protection. Additionally, we regularly conduct internal and external audits.
5. Do any of GoDaddy’s recent reductions in force limit your ability to fix these issues?
No. The FTC investigation began after two incidents we disclosed in the spring of 2020. Since then, we have continued to make significant investments in our people and technology to enhance our defenses. As cybercriminals evolve their approach, GoDaddy will continue to work to fortify the company's systems against these attacks.
6. Will there be any further investigations or actions by the FTC as a result of this case?
While the agreement imposes ongoing obligations (such as third-party audits), the order, when finalized, “resolve(s) the allegations” that the FTC made as part of its investigation.