On Jan. 15, the Federal Trade Commission (FTC) announced a proposed settlement with web hosting giant GoDaddy over alleged violations of Section 5 of the FTC Act. Specifically, the FTC alleged that GoDaddy had violated the FTC Act since 2018 “by failing to implement standard security tools and practices to protect the environment where it hosts customers’ websites and data, and to monitor it for security threats.” The FTC alleged that GoDaddy’s security failures resulted in several major compromises in which threat actors gained access to GoDaddy’s customers’ websites and data.
Consent orders resolving enforcement investigations related to security incidents often contain injunctive relief provisions tied to the “lessons-learned” view of the incident. The compliance obligation from the consent order with GoDaddy that stands out in this area involves application programming interface (API) connections. Based on the FTC’s complaint, API security was implicated in a November 2021 compromise of GoDaddy’s WordPress Managed Hosting service. During the incident, a threat actor used previously compromised credentials to access an internet-facing API that enabled customer service staff to retrieve information on GoDaddy’s customers. The threat actor then accessed data of 1.2 million customers.
The injunctive relief obligations in the consent order contain the typical provisions related to information security policies, controls and procedures, in addition to commissioning an independent third-party security risk assessment. The API-specific requirements apply to any API GoDaddy develops that provides access to hosting service configuration, administration or covered information. For such APIs, GoDaddy must at a minimum:
- Use technical controls to require API connections to use HTTPS (or an equivalent security protocol);
- Require all requests to APIs be authenticated using a method that protects authenticity at the session level and includes appropriate protection against session hijacking;
- Use adequate rate-limiting protections for API connections; and
- Monitor API communications traffic to detect attacks and indicators of potential attacks.
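The four controls above read as a checklist, but they map onto concrete code at the API boundary. The following is an added example, not code from the consent order, the FTC or GoDaddy, of a minimal request-handling layer that enforces all four in one place: it refuses non-HTTPS requests, verifies an HMAC-signed session token that is bound to the client (so a token copied out of one session cannot be replayed from another, which is the session-hijacking protection), applies a per-subject token-bucket rate limit, and records authentication failures in a sliding window so that a burst of failures raises an alert. The client fingerprint (assumed to come from the transport layer, for example a client-certificate hash), the signing secret, the thresholds and the request records are all constructed assumptions for the example.

```python
import base64
import binascii
import hashlib
import hmac
import json
from collections import defaultdict, deque

# Assumption: in production this is loaded from a secrets manager, never from source.
SERVER_SECRET = b"hypothetical-api-signing-secret"


def _b64(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text.encode())


def issue_token(subject: str, client_fingerprint: str, now: float, ttl: int = 900) -> str:
    """Issue a bearer token signed with HMAC-SHA256 and bound to a subject,
    a client fingerprint and an expiry time (seconds since epoch)."""
    claims = {"sub": subject, "fp": client_fingerprint, "exp": now + ttl}
    payload = json.dumps(claims, sort_keys=True).encode()
    sig = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    return _b64(payload) + "." + _b64(sig)


def verify_token(token: str, client_fingerprint: str, now: float):
    """Return the claims if the signature, expiry and client binding all hold,
    otherwise None. The fingerprint check is what defeats a stolen token."""
    try:
        p64, s64 = token.split(".", 1)
        payload, sig = _unb64(p64), _unb64(s64)
    except (ValueError, binascii.Error):
        return None
    expected = hmac.new(SERVER_SECRET, payload, hashlib.sha256).digest()
    if not hmac.compare_digest(sig, expected):
        return None
    claims = json.loads(payload)
    if claims["exp"] <= now:
        return None
    if not hmac.compare_digest(claims["fp"].encode(), client_fingerprint.encode()):
        return None
    return claims


class RateLimiter:
    """Token bucket per key: `capacity` requests of burst, `refill` tokens/second."""

    def __init__(self, capacity: int, refill: float):
        self.capacity, self.refill = capacity, refill
        self.state = {}  # key -> (tokens, last_seen)

    def allow(self, key: str, now: float) -> bool:
        tokens, last = self.state.get(key, (self.capacity, now))
        tokens = min(self.capacity, tokens + (now - last) * self.refill)
        allowed = tokens >= 1
        self.state[key] = (tokens - 1 if allowed else tokens, now)
        return allowed


class AuthFailureMonitor:
    """Count failed authentications per source in a sliding window and
    emit an alert record (what you would forward to a SIEM) at the threshold."""

    def __init__(self, threshold: int, window: float):
        self.threshold, self.window = threshold, window
        self.events = defaultdict(deque)
        self.alerts = []

    def record(self, source: str, now: float) -> None:
        q = self.events[source]
        q.append(now)
        while q and q[0] <= now - self.window:
            q.popleft()
        if len(q) >= self.threshold:
            self.alerts.append({"source": source, "failures": len(q), "at": now})


class ApiGateway:
    """Front door for an API that returns customer records (hypothetical)."""

    def __init__(self):
        self.limiter = RateLimiter(capacity=5, refill=0.5)
        self.monitor = AuthFailureMonitor(threshold=3, window=60)
        self.audit_log = []

    def handle(self, request: dict, now: float):
        """request keys: scheme, source_ip, client_fp, authorization, path."""
        if request.get("scheme") != "https":                      # control 1: HTTPS only
            return self._log(request, now, 403, "https required")
        auth = request.get("authorization", "")
        claims = None
        if auth.startswith("Bearer "):                             # control 2: session auth
            claims = verify_token(auth[7:], request.get("client_fp", ""), now)
        if claims is None:
            self.monitor.record(request.get("source_ip", "?"), now)  # control 4: monitor
            return self._log(request, now, 401, "invalid or mismatched session")
        if not self.limiter.allow(claims["sub"], now):             # control 3: rate limit
            return self._log(request, now, 429, "rate limited")
        return self._log(request, now, 200, {"record_for": claims["sub"]})

    def _log(self, request, now, status, body):
        self.audit_log.append({"ts": now, "ip": request.get("source_ip"),
                               "path": request.get("path"), "status": status})
        return status, body
```

Time is passed in explicitly so the behaviour is reproducible; a real deployment would use the clock and would derive the fingerprint from mutual TLS or a device-bound key rather than trusting a header. The point the order makes, and the example shows, is that a session token alone is not enough: the token must be bound to something an attacker who merely copies it does not have.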
Security of API connections is the area that stands out from the FTC’s investigation of GoDaddy, with a focus on APIs that connect to consumer information. Companies seeking to minimize cyber regulatory risk should consider taking the following actions:
- Review and assess your security posture for APIs, covering transport security, authentication (including multi-factor authentication where the API exposes customer data or administrative functions), rate limiting and adequate monitoring.
- Update your cybersecurity risk assessments and privacy impact assessments to include targeted questions about API security controls.
- Update your third-party risk due diligence questionnaires to require vendors to disclose their security practices relating to APIs, particularly for those APIs that connect to company data or critical systems.