GoDaddy is an American domain registrar and web creating and hosting company. As reported at the beginning of 2021, the number of customers of the company was 20.6 million, and has likely increased since as statistics show. As part of its services, GoDaddy offers domain names suited to the requirements of a new company, hosts websites on WordPress as a service provider, creates websites and e-shops depending on the needs of its clients. It also offers various marketing tools (i.e., e-mail and Microsoft 365). On the 17th of November 2021, GoDaddy publicly announced the data breach it suffered by a third party accessing the hosting environment of GoDaddy’s Managed WordPress. More specifically, it was discovered that the third party had gained access since early September, when the first access was noted. The breach resulted in 1.2 million of GoDaddy’s active as well as inactive users having their e-mail addresses, customer numbers, and their WordPress admin passwords exposed. GoDaddy’s Secure File Transfer Protocol and database’s usernames and passwords were also compromised. This article outlines the steps that organisations can take to build security mechanisms that will better safeguard their systems from these and similar types of breaches.
Unauthorised access and managed hosting environments
Article 4 (12) of the GDPR defines a personal data breach as ‘a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed’.
With 2021 being a record year for data breaches, the GoDaddy data breach emphasises the importance in the protection of personal data: security risks caused by a malicious third party which fall under the broader category of threats against data. According to ENISA’s Threat Landscape 2021, 83% of all the data breaches in the information sector follow the patterns of system intrusion, web application attacks and errors. When threats against data occur, 60% of the compromised data is credentials and 50% of same data is personal data. The data breach suffered by GoDaddy involves the compromise of credentials as well as the exposure of GoDaddy’s users’ personal data (i.e., e-mail address, customer number).
It is worth mentioning that, among other potential security factors which ultimately led to the data breach, the managed hosting environment of GoDaddy played a great role. More specifically, organisations that outsource their network security to external managed service providers (MSPs), run the risk of the latter falling under the ‘moral hazard problem’ and becoming disincentivised in providing adequate cybersecurity to their clients. The risk of a company’s hosting environment becoming compromised becomes even greater when the company is handling sensitive personal identifiable information (PII). However, it is noteworthy that such a risk can be sufficiently mitigated with a Service Level Agreement (SLA) being in place between the company and the managed service provider. An SLA in place with your service provider(s) ensures confidentiality, data integrity and the ability to protect your organisation against a potential data security breach.
How can you adequately protect your own business or service?
The COVID-19 pandemic has intensified the need for digitalisation and has undeniably given rise to more cyber security related incidents. The more organisations, service or software providers or public institutions rely on electronic means, the more vulnerable they become to cyber-attacks and malicious online activities. Hence, the below become prerequisites for the protection of your business and/or service:
- Ensuring that your contractual relationships with external service providers are governed by legal instruments or acts,
- Implementing processes and controls with respect to third party privileged users,
- Employing authentication mechanisms and
- Monitoring activity in order to detect and investigate suspicious events
Trilateral’s Data Protection and Cyber-Risk Team has significant experience consulting organisations and other entities in advanced data management and compliance as well as supporting experts working within research, businesses or regulatory bodies to advance knowledge and practice on responsible data practices. For more information, please feel free to contact our advisers, who would be more than happy to help.