Two Companies, Two Cyber Enforcement Actions

By Matt Kelly | January 15, 2025 |

These may be the final days of the Biden Administration, but enforcement in cybersecurity still marches onward: two different regulators just sanctioned two different companies for two different types of cybersecurity failure. Let’s take a look.

First is GoDaddy.com, one of the largest web hosting businesses in the world. The Federal Trade Commission spanked GoDaddy on Wednesday for poor cybersecurity practices that could leave customers’ websites vulnerable to attack, and ordered the company to implement an expansive data security program. No monetary penalties, however.

Second is Ashford Inc., an asset management company that caters to high-end hotel businesses. The Securities and Exchange Commission brought civil charges against Ashford on Wednesday too, accusing the firm of making misleading statements in quarterly filings about a data breach it suffered in 2023. Ashford has agreed to pay $115,000 to settle the charges. 

Taken together, the two cases demonstrate the wide, wonderful world of cybersecurity risk that compliance professionals face; and give us a few clues about the processes you need to have in place to avoid stepping on a cybersecurity enforcement landmine. We’ll take GoDaddy first, since it’s the larger and more instructive of the two. 

As described in the FTC’s complaint against the company, GoDaddy had promoted itself as a secure hosting service for customers, and by extension for consumers who visited the websites of those customers. In practice, however, since at least 2018 GoDaddy had flubbed numerous data protection basics, such as management of its IT assets, software updates, risk assessment, and use of multi-factor authentication. 

As a result of those shortcomings, GoDaddy experienced several major compromises of its hosting service from 2019 through 2022, where attackers repeatedly gained access to its customers’ websites and data. All the while, however, the company was also promoting itself to would-be customers as a business whose cybersecurity they could trust. 

Cybersecurity Protection Obligations

Let’s fast-forward to the proposed settlement announced today. GoDaddy must implement a sweeping data security program much like what we’ve seen in other recent FTC enforcement actions, such as the one reached with Marriott International last October

More specifically, GoDaddy must implement the following:

  • A written information security program.
  • Risk assessments performed at least annually, and within 120 days of any significant cybersecurity incident. 
  • A central repository of all IT assets, including both hardware and software, to track any out-of-date software and to generate alerts for any assets that become out of date.
  • Automated systems known as Security Incident and Event Managers to support immediate analysis of security incidents as those threats happen.
  • Multi-factor authentication for all employees and third-party contractors when they’re accessing GoDaddy databases; and provide multi-factor authentication as an option for customers as well.
  • Testing of all security measures at least annually, and within 120 days of any significant cybersecurity incident.

GoDaddy must also undergo an independent review of its security program every other year for the next 20 years; and the company’s CISO (or some other senior executive in charge of cybersecurity) must certify the company’s compliance with the terms of the FTC order every year.

cyberNothing in the GoDaddy order is terribly unusual for FTC cybersecurity enforcement. The order does, however, provide a lot of meaty detail for CISOs, internal auditors, and other risk managers who might want to understand what you should be doing to stay in regulators’ data security good graces. You can practically read the order and compile a checklist for your own data security audit. 

The more interesting point is how you match your actual cybersecurity efforts with the advertisements or other public statements your marketing team makes to the world. That’s what drew the ire of the FTC here. The complaint included numerous examples of GoDaddy advertising that portrayed cybersecurity as a central priority of the business, and I’m sure that was true at least in a theoretical sense. 

The FTC order, however, shows what regulators expect to see for putting that priority into practice — and at least in the FTC’s view, GoDaddy’s practical efforts didn’t align with the promises it made to would-be customers.

Misleading Disclosures to Investors

Now let’s turn to Ashford, the hotel real estate firm that ran afoul of the SEC. As described in the SEC complaint (the settlement awaits final court approval), Ashford suffered a cybersecurity breach in September 2023. The attackers first locked down several computer servers that managed hotel operations for the business; and then made off with 12 terabytes of data stored on Ashford’s internal systems. 

While making a ransomware demand of Ashford, the attackers sent a sample list of the data they stole. That list included file names labeled “guest incident report” and “guest folio” with corresponding customer names or dates of stay — strongly suggesting that the attackers had stolen personal customer data. 

Except, when Ashford disclosed the incident in its next quarterly filing, the company said the attack didn’t pose any loss of customer data. Specifically, from its filing on Nov. 13, 2023:

We have completed an investigation and have identified certain employee information may have been exposed, but we have not identified that any customer information was exposed.

The SEC was not pleased with that statement, which Ashford continued to make in three more quarterly filings. Either the company knew the statement was false or should have known it was, the agency said, and here we are with an enforcement action.

How did all this happen? The SEC faulted Ashford’s incident response program. Yes, the company did have one; but when the attack actually happened, employees didn’t follow the plan as written. Again, from the SEC’s complaint:

Certain Ashford employees whose departments maintained files on the compromised servers were contacted to determine whether the department kept PII on the compromised servers; and if so, whether it related to a customer or employee. Ashford employees who were contacted were not part of the order of notification process listed in Ashford’s [response plan], nor did they review the file trees for the compromised data. Had they reviewed the file trees for the compromised data, they would have seen customer information or would have been alerted to the possibility of customer information within various documents. 

The lesson here is that it’s not enough to draft an incident response plan; companies need to test it, and perhaps even hire an outside consultant who could devise various diabolical schemes that your plan didn’t anticipate. Then you can address whatever weaknesses are brought to light.

After all, we should remember that many SEC enforcement actions around cybersecurity fault the company in question for saying personal data might have been stolen, or otherwise frame the attack in some hypothetical way — when the company either did know data was stolen or should have known that fact. The “should have known” part can be addressed by response plans that are tested and proven to work. 

Anyway, that’s the latest from the cybersecurity enforcement front. Something tells me the drumbeat will continue even after the change of administration next week.

Posted in News and tagged , ,

Leave a Comment

You must be logged in to post a comment.