Significant GoDaddy Security Flaw

Colin Weir
Oct 12, 2021

GoDaddy (GDDY), market cap $11.6Bn, added 1.4 million customers in 2020, twice as many as in 2019. This takes the total number of customers, largely small businesses around the world using its domain and hosting services, to 21 million. On announcing the latest results, CFO Ray Winborne vowed to continue to lean in on product and marketing to drive acceleration.

In this world, safety is paramount: commerce must be protected from increasingly challenging cyber security threats. Government agencies at all levels, large organisations, critical infrastructure providers, small to medium enterprises, families and individuals are all targeted, predominantly by criminals or state actors. Cryptomining, data spill, denial of service, hacking, identity theft, malicious insiders and malware top the list of threats. A hosting service such as that provided by GoDaddy should be all over it.

Charles Beadnall runs technology, with Demitrius Comes reporting into him with responsibility as Security Officer, a role he had never held prior to his appointment, other than an 8-month spell as a software engineer within IBM’s Internet Security Systems in 2000.

To manage information security, GoDaddy offers its customers backup and recovery services. Snapshots of the database and files are taken daily and kept for 30 days so that, in the event of a disaster, the system can be restored to a known safe point. These files are kept on the same computer as the production system. This is a massive breach of information security 101. Best in class has these files off site and off network. This enables an entire network or cloud segment to be destroyed and recovered. GoDaddy ignores this principle.

Last week a Moroku service hosted on GoDaddy was subject to a malware attack. The infection took out not only the service but all of the backups, meaning that the service had to be rebuilt from scratch, from a clean piece of paper. Furthermore, it was only discovered that the backups were infected after an attempt to recover them. Scanning these backups for malware was not an option, leading the GoDaddy team to play Russian roulette: simply trying to restore them and seeing what happened, which further increased the opportunity for the malware to spread around the internet.

Malware attacks seem to get more sophisticated every year. Because malware is often difficult to detect, and devices are typically infected without the user even noticing, it can be one of the primary threats to information and identity. That it took GoDaddy a number of days to detect the problem, and that it was then unable to recover, is mind-boggling. This is unacceptable from a hosting provider, where trusting nothing is the order of the day, let alone one of GoDaddy’s standing. Charles and Demitrius should both be fired with immediate effect.
