FTC orders GoDaddy to establish a comprehensive security program

In a May 21 settlement, the Federal Trade Commission (FTC) reached an agreement with GoDaddy to settle allegations that the popular web-hosting provider misled its customers by failing to implement data security protections, practices that led to multiple data breaches.

The FTC alleged in January 2025 that despite claiming it provides “award-winning security,” GoDaddy failed to implement standard data security tools and practices to protect customer websites and data. For example, the FTC said GoDaddy failed to use multi-factor authentication (MFA), monitor for security threats, and secure connections to its consumer data. According to the FTC, these failures resulted in several data breaches in which bad actors gained unauthorized access to customer websites and data.

Security pros have long been concerned about GoDaddy’s lack of transparency on data breaches that were first made public in the spring of 2020. The concerns are warranted given that GoDaddy boasts roughly 21 million subscribers. For example, SC Media previously reported that it took GoDaddy at least two years to disclose that the breaches were caused by three separate attacks. Security pros also pointed out over the years that such long dwell times indicated poor security practices, as well as a lack of threat hunting.

“The FTC’s order against GoDaddy represents a significant shift in regulatory tone — this is no longer just about fines or slap-on-the-wrist guidance,” said Heath Renfrow, co-founder and CISO at Fenix24. “The agency is mandating foundational security practices that should already be standard across the industry, such as MFA, vulnerability management, and secure software practices. The most notable element is the FTC’s insistence on proactive, transparent security governance; this is a good attempt to set a clear precedent.”

Under the order finalized by the FTC, GoDaddy was:

  • Prohibited from making misrepresentations about its security and the extent to which it complies with any privacy or security program sponsored by a government, self-regulatory, or standard-setting organization.
  • Required to establish and implement a comprehensive information-security program that protects the security, confidentiality, and integrity of its website-hosting services.
  • Required to hire an independent third-party assessor to conduct reviews of its information-security program.
Eric Schwake, director of cybersecurity strategy at Salt Security, added that the FTC’s final order against GoDaddy demands a more foundational security program because of the repeated breaches and the claims of misrepresented security practices, marking a significant development.

“The concern arises from the breaches and the FTC’s findings that GoDaddy lacked basic security hygiene, especially regarding essential elements like application programming interfaces (APIs),” said Schwake. “This order requires GoDaddy to adopt stringent API security measures, including employing HTTPS for all API communications, enhancing authentication with MFA, and implementing thorough monitoring and rate-limiting.”

Schwake said these requirements elevate API security from a recommended practice to a regulatory necessity, highlighting the urgent need for a robust API posture governance strategy to continuously evaluate, appraise, and protect all API assets.

“This sets a significant precedent, indicating that regulatory agencies are increasing their scrutiny of organizations’ overall security practices, compelling them to establish comprehensive security programs with a strong focus on their API infrastructure for legal compliance and risk management,” said Schwake.

Fenix24’s Renfrow added that what makes this case particularly important is that it highlights the consequences of misleading customers about security capabilities. Renfrow said that for too long, marketing claims have outpaced actual risk management. By requiring an independent third-party assessment and rapid breach reporting, Renfrow said, the FTC has made clear that “security theater” is no longer acceptable.

“I do not believe this will ripple across the tech and hosting industry,” said Renfrow. “Companies that have delayed implementing true security programs or do not understand how to implement a program. There’s no sense of urgency with most companies and a false sense of hope. Unfortunately, this will be a blip on the radar for most.”

Lawrence Pingree, vice president at Dispersive, said that while he is also somewhat skeptical, he hopes the FTC’s order against GoDaddy will push more organizations to adopt security programs. Pingree said healthcare organizations in particular have been heavily targeted in the past several years.

“The time is now to zero-trust your entire environment: no longer plug a system in without more micro-segmentation, patching systems should be automatic, and as much as possible automate patching end-to-end and use ransomware protection in backup solutions,” said Pingree. “Gone are the days of ‘that won’t happen to us since we are doing the work of good’ for healthcare organizations.”
