GoDaddy Sued for Unauthorized Domain Name Transfer Following Data Breach


On Thursday, Engage BDR, LLC and Kenneth Kwan filed a complaint in the Central District of California against “American Internet domain registrar and web hosting company” GoDaddy and unnamed individuals associated with it, for the unauthorized transfer of the plaintiffs’ domain name following a data breach.

According to the complaint, in July 2009, Kwan, “on behalf of Engage, purchased the domain name ‘hahajk.com’ through Defendant for a period of five years.” In 2014 and 2019, Kwan renewed the Domain Name with GoDaddy for a period of two and five years, respectively. The plaintiffs claimed that on approximately October 19, 2019, GoDaddy “experienced a security breach that affected approximately 28,000 customer’s hosting accounts including Mr. Kwan’s account in which he purchased and held the Domain Name.” The plaintiffs proffered that this security breach lasted for around six months “before detection by Defendant’s security team on April 23, 2020.” 

Engage claimed that “on or about December 2019, GoDaddy transferred the Domain name out of Mr. Kwan’s account to a third party without his authorization or approval.” The plaintiffs added that the unnamed defendants breached or hacked GoDaddy’s system “got into Mr. Kwan’s account and transferred multiple domain names off under that account, including but not limited to the Domain Name.”

The plaintiffs alleged that GoDaddy, as the registrar of the Domain Name, was obliged to “provide adequate security for Mr. Kwan’s hosting account and the Domain Name”; “provide adequate security mechanisms to protect the Domain Name from an unauthorized transfer to a third party”; “contact Mr. Kwan to obtain authorization to transfer the Domain Name to a third party”; “contact Mr. Kwan to verify any request to transfer the Domain Name to a third party”; “adequately warn Mr. Kwan of the possibility of an unauthorized transfer of the Domain Name to a third party”; and “otherwise exercise due care with respect to the matters alleged in this Complaint.” However, the plaintiffs contended that GoDaddy failed to meet these obligations, which resulted in the unauthorized transfer of the Domain Name. Consequently, the plaintiffs asserted that their “economic relationships with their various partners with regard to the use of the Domain Name were, and continues to be, disrupted.” 

The counts against the defendants include negligence, negligent interference with prospective economic advantage, unfair and fraudulent business practices, and breach of the implied covenant of good faith and fair dealing.

The plaintiffs seek an award for damages, pre- and post-judgment interest, an injunction, and disgorgement. The plaintiffs are represented by The Law Office of Thad M. Scroggins.