Friday, 17 January 2025

FTC Orders GoDaddy to Improve Its Security

GoDaddy, a domain registrar and one of the world’s largest hosting companies, has been ordered to improve its security by the Federal Trade Commission.

In its complaint, the FTC cites GoDaddy’s marketing “itself as a secure choice for customers to host their websites,” as well as “its commitment to data security and careful threat monitoring practices.” Unfortunately, according to the complaint, GoDaddy failed to live up to its own hype.

In fact, GoDaddy’s data security program was unreasonable for a company of its size and complexity. Despite its representations, GoDaddy was blind to vulnerabilities and threats in its hosting environment. Since 2018, GoDaddy has violated Section 5 of the FTC Act by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats. In particular, GoDaddy failed to: (a) inventory and manage assets; (b) manage software updates; (c) assess risks to its website hosting services; (d) use multi-factor authentication; (e) log security-related events; (f) monitor for security threats, including by failing to use software that could actively detect threats from its many logs, and failing to use file integrity monitoring; (g) segment its network; and (h) secure connections to services that provide access to consumer data. These failures made GoDaddy’s representations about security false or misleading.

According to the FTC, these security inadequacies led to multiple data breaches.

As a result of GoDaddy’s data security failures, it experienced several major compromises of its hosting service between 2019 and December 2022, in which threat actors repeatedly gained access to its customers’ websites and data, causing harm to its customers and putting them and visitors to their websites at risk of further harm. GoDaddy’s customers and other consumers could not avoid this harm, and it is not outweighed by benefits to consumers or competition. Even after these compromises of its environment, GoDaddy continues to struggle to gain visibility into its hosting environment and adequately monitor it for threats.

The FTC also calls out GoDaddy for misrepresenting its compliance with the EU-U.S. Privacy Shield framework that regulates the transfer of personal data between the EU and the U.S.

The Department of Commerce (“Commerce”) and the European Commission negotiated the EU-U.S. Privacy Shield framework to provide a mechanism for companies to transfer personal data from the European Union to the United States in a manner consistent with the requirements of European Union law on data protection. The Swiss-U.S. Privacy Shield framework is identical to the EU-U.S. Privacy Shield framework.

To join the EU-U.S. and/or Swiss-U.S. Privacy Shield framework, a company must certify to the United States Department of Commerce that it complies with the Privacy Shield Principles. Participating companies must annually re-certify their compliance. The Privacy Shield frameworks expressly provide that, while decisions by organizations to “enter the Privacy Shield are entirely voluntary, effective compliance is compulsory: organizations that self-certify to the Department and publicly declare their commitment to adhere to the Principles must comply fully with the Principles.”

In particular, companies claiming to adhere to the framework must meet certain criteria.

Companies under the jurisdiction of the FTC are eligible to join the EU-U.S. and/or Swiss-U.S. Privacy Shield framework. Both frameworks warn companies that claim to have self-certified to the Privacy Shield Principles that failure to comply or otherwise to “fully implement” the Privacy Shield Principles “is enforceable under Section 5 of the Federal Trade Commission Act.”

The Privacy Shield Principles include the following: SECURITY [Principle 4]: (a) Organizations creating, maintaining, using or disseminating personal information must take reasonable and appropriate measures to protect it from loss, misuse and unauthorized access, disclosure, alteration and destruction, taking into due account the risks involved in the processing and the nature of the personal data.

In spite of its obligation to provide reasonable security, the FTC goes on to highlight multiple areas in which GoDaddy failed to do that. The company is accused of failing to adequately inventory and manage its computer assets, failing to apply security patches, failing to address the risks involved in its Shared Hosting packages, failing to properly log security-related events, and failing to adequately engage in security monitoring.

GoDaddy is also accused of not implementing multi-factor authentication, relying on username/password authentication for SSH access instead of more secure authentication methods, and failing to properly segment and isolate its Shared Hosting environment.
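As an added illustration of the SSH point above (example code written for this post, not GoDaddy's configuration or anything from the FTC filing), here is a small checker for an OpenSSH sshd_config that flags password-only logins and the absence of a key requirement; the two sample configs are constructed, and the assumed defaults follow sshd_config(5).

```python
# Added example: audit an OpenSSH sshd_config for the weaknesses named above.
# Sample configs are constructed for illustration only.

WEAK_CONFIG = """\
# typical out-of-the-box settings: reusable passwords accepted over SSH
PasswordAuthentication yes
PermitRootLogin yes
"""

HARDENED_CONFIG = """\
PasswordAuthentication no
PubkeyAuthentication yes
PermitRootLogin no
# require a key AND a keyboard-interactive (e.g. PAM/OTP) factor
AuthenticationMethods publickey,keyboard-interactive
"""

# Assumed OpenSSH defaults for the keywords checked (per sshd_config(5)).
DEFAULTS = {"passwordauthentication": "yes", "pubkeyauthentication": "yes",
            "permitrootlogin": "prohibit-password", "authenticationmethods": "any"}


def parse_sshd_config(text):
    """Return the effective global settings. OpenSSH rules: keywords are
    case-insensitive, the FIRST occurrence of a keyword wins, and Match
    blocks are conditional, so parsing stops at the first Match line."""
    cfg, seen = dict(DEFAULTS), set()
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(None, 1)
        key = parts[0].lower()
        if key == "match":
            break
        if key not in seen:  # a later duplicate does not override the first
            seen.add(key)
            cfg[key] = parts[1].strip() if len(parts) > 1 else ""
    return cfg


def audit(text):
    """List the weaknesses present; an empty list means every check passed."""
    cfg, findings = parse_sshd_config(text), []
    if cfg["passwordauthentication"] != "no":
        findings.append("PasswordAuthentication enabled: reusable passwords accepted")
    if cfg["permitrootlogin"] == "yes":
        findings.append("PermitRootLogin yes: root may log in directly")
    # every alternative method list must include a key (something you have)
    if any("publickey" not in alt.split(",") for alt in cfg["authenticationmethods"].split()):
        findings.append("AuthenticationMethods does not require a key on every path")
    return findings
```

The first-occurrence rule is the edge case worth knowing: a `PasswordAuthentication no` appended below an earlier `PasswordAuthentication yes` changes nothing, and the checker reports the file as still accepting passwords.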

As a result of these lapses, GoDaddy has suffered multiple breaches over the years. In addition to the damage caused by the theft of sensitive information, the FTC says GoDaddy customers, as well as others, have suffered as a result of the company’s poor security practices.

GoDaddy’s Shared Hosting customers have also spent time and effort protecting themselves from the consequences of GoDaddy’s practices, including time spent resetting account credentials, restoring compromised websites and certificates, addressing their own customers’ concerns, and other remediation in light of the security incidents described above.

GoDaddy’s Shared Hosting customers are not able to avoid the consequences of GoDaddy’s security failures. Shared Hosting customers do not know detailed information about GoDaddy’s security controls, including which security controls or tools GoDaddy does not use in its Shared Hosting environment. In addition, as described in Paragraphs 12-19, GoDaddy has represented that it provided reasonable security for the Shared Hosting environment, and that it meticulously monitored the environment for security threats.

Consumers who have interacted with GoDaddy’s customers’ websites have also not been able to avoid the consequences of GoDaddy’s security failures. In most cases, consumers who visit GoDaddy’s customers’ sites are unaware that they are interacting with a site or service hosted by GoDaddy.

The harm that GoDaddy’s security failures have caused or are likely to cause is not offset by countervailing benefits to consumers or competition. GoDaddy could have remediated its failures using well-known and low-cost technologies and techniques.

The FTC’s complaint should be a wake-up call to GoDaddy, and will hopefully lead the company to make significant changes to its security and privacy model.



from WebProNews https://ift.tt/31da5Zl
