GoDaddy, one of the world’s largest web-hosting providers, has been under fire from the U.S. FTC for failing to implement basic cybersecurity measures since at least 2018. Despite overseeing approximately 82 million domain names and hosting millions of websites, GoDaddy repeatedly neglected fundamental security protocols, putting customer data and website visitors at risk. Yet, despite the severity of these infractions, the internet giant will not face immediate financial penalties.
As exposed in the complaint filed on 15 January 2025, GoDaddy failed to:
- Track and manage software updates adequately, leaving systems exposed to known vulnerabilities
- Analyze threats to its shared hosting services, increasing the risk of widespread attacks
- Log and continuously assess cybersecurity incidents, reducing its ability to detect and respond to breaches
- Separate shared hosting environments from more vulnerable platforms, allowing attackers to move laterally across accounts
In turn, this lax approach led to multiple data breaches, compromising sensitive customer information, including credentials, payment data, and other personally identifiable information. The FTC has also accused GoDaddy of misleading its customers by overstating its security protections and fostering a false sense of safety regarding their websites and stored data.
Instead of levying an immediate fine, the FTC has proposed a settlement order requiring GoDaddy to implement sweeping cybersecurity reforms. The directive includes a comprehensive information security program that aligns with industry best practices, alongside the prohibition of misleading claims about security practices, ensuring customers receive accurate information. In addition, third-party audits of its cybersecurity improvements will be required every two years.
All these measures echo similar requirements imposed on Marriott, which suffered repeated breaches between 2014 and 2020 due to its inability to improve cybersecurity defenses. The FTC’s decision signals that regulatory agencies are losing patience with large corporations failing to uphold baseline security standards while profiting from their customers’ trust.
GoDaddy is not the only company that invests in marketing security features while neglecting the actual implementation. This gap between perception and reality is dangerous, eroding trust and leaving customers vulnerable. The FTC’s intervention highlights the growing need for stronger regulatory frameworks and more proactive enforcement to ensure tech companies prioritize security as a fundamental responsibility rather than an afterthought.
While the proposed FTC measures could lead to improved security practices, they also underscore the reactive nature of cybersecurity enforcement. Companies should not need regulatory intervention to adopt responsible security policies—these should be critical to any web-hosting business. The fact that it took years of repeated breaches and an FTC complaint to force GoDaddy to take action is a stark reminder of the industry’s shortcomings.
The consent agreement package will be published in the Federal Register, opening a 30-day period for public comments before finalization. If approved, GoDaddy must overhaul its security posture and submit to ongoing scrutiny. Still, the key question remains: will these mandated reforms be enough to prevent future breaches, or do regulators need to impose harsher consequences—such as financial penalties and executive accountability—to truly drive change?