Last week, Garmin suffered a massive outage that not only prevented its multisport athletes from uploading activities to its servers, but also took down its call center, email system, online chat and even its flyGarmin flight service. Rumor has it that the outage was due to a ransomware attack, but it took Garmin five days to admit that it was indeed a cyber attack.
When the outage began on the morning of July 23, Garmin Connect users were greeted with a “Sorry, we are down for maintenance. Come back soon.” when trying to access the service online or through the Connect mobile apps. The official Garmin account also tweeted a vague and basically unhelpful message:
We’re currently experiencing an outage that affects Garmin Connect, and as a result, the Garmin Connect website and mobile app are down right now. (1/2)
– Garmin (@Garmin) July 23, 2020
After that, another generic “we are sorry” was tweeted, along with a very short FAQ on July 25:
We want to extend our sincere apology for the inconvenience caused by the outage to our customers. We hope this FAQ answers some of the questions you have: https://t.co/e3lgtpZ1Ci
– Garmin (@Garmin) July 25, 2020
Overall, it’s not much to go on, and it’s a bad place to be if you’re a Garmin user, especially since the company was just as vague for the next four days.
So what happened?
Ah, that’s the million dollar question, right? The truth is that we still don’t know for sure. There are many speculations and rumors floating around out there, with the most credible (but unconfirmed) source coming from ZDNet. According to author Catalin Cimpanu, Garmin was hit by a ransomware attack called WastedLocker.
Other sources claim that when the attack was discovered, Garmin told all employees – who appear to be working remotely due to the COVID-19 pandemic – to shut down all systems, including the company’s servers (which is why call centers, email and chat services were also down). This was in an attempt to prevent the attackers from hijacking the servers and encrypting more data, and effectively locking Garmin out of its own systems as well.
Reports continued to emerge during the five-day outage, with many claiming the attack came from the Russian hacker group Evil Corp, with a ransom demand of $10 million. But that, too, is unconfirmed.
Finally, on July 27, Garmin officially acknowledged the cause of the outage, stating that it was “the victim of a cyber attack that encrypted some of our systems on July 23, 2020.” The details are still far less than I feel customers deserve, but there seems to be at least some backing for the “ransomware” rumors.
Garmin expects users to trust it with a lot of data – health, location, contacts, tracking and more. The lack of transparency from the company should make all Garmin users out there feel uncomfortable continuing their relationship going forward.
What Garmin did right
While I’m certainly not happy with how Garmin has handled the situation, it’s worth mentioning that some things were handled at least approximately right.
First, as soon as it realized something was wrong, Garmin shut down its systems. According to the rumors, we are talking about everyone who had remote access to the system as well as all servers. That’s why syncing didn’t work – there was nothing to sync with.
This first step was crucial to protecting user data, as Garmin physically cut off access to any server that had not yet been affected or hijacked by the attack.
But beyond that, there is not much praise to give Garmin for how it handled the situation.
Where Garmin dropped the ball
If there is one thing that a company that has your private and/or personal information should understand, it is transparency. Let users know if something goes wrong. We have the right to know what happens to our data – or even what could happen to our data – in a situation like this.
Sure, Garmin included a vague statement in its FAQ about the outage:
Was my data affected due to the outage?
Garmin has no indication that this outage has affected your data, including activity, payment or other personal information.
I guess it’s something, but it’s not enough. Let’s look at a few cases where companies went above and beyond to let their users know what happened while it happened.
In December last year, Wyze experienced a data breach on a test server. This was the company’s fault and it was clearly acknowledged. Wyze went above and beyond to clearly state what happened, how it happened and what data was exposed. The whole situation was bad, but the way Wyze handled it was exemplary.
Another example is the latest Twitter hack. While the whole thing can only be described as a disaster, Twitter did a great job of communicating what happened and then following up on more details as they became available.
And that’s where Garmin screwed the whole thing up – it’s been days since the service originally went down. After about five days, the service has only recently begun to slowly come back. And Garmin’s statement is a graceful dance of words with no real explanation beyond “there was a cyberattack.”
Hell, Garmin couldn’t even email customers about the outage – apart from vague communication via Twitter, the company did nothing to make sure customers knew what was happening. It sucks, because if you did not know where to look, you were left out in the cold. Or even worse – reading potentially erroneous speculation and hearsay from non-experts on random websites.
What will Garmin do with this going forward?
There is no word on what really happened. If it was in fact a ransomware attack, did Garmin pay the ransom to get its hijacked data back? If not, how was the situation resolved? What measures will be taken to prevent this type of situation in the future?
The last bit is a crucial detail. Whenever a company is the subject of a data breach, it should let its customers know what it will do to prevent this type of attack in the future. But Garmin did not say a word about what it will do. We have no way of knowing if the company will change anything. More staff training? A security consultant from a reputable company? Nothing at all? Who knows.
That’s what all Garmin customers deserve to know. We trust them to keep our data safe, and we deserve to know all the details when something happens.
But hey, at least they made sure to include this bit of junk at the end of the press release:
Garmin products are developed on the inside for life on the outside and have revolutionized the aviation, vehicle, fitness, marine and outdoor lifestyles. Garmin believes that every day is an opportunity to innovate and a chance to beat yesterday.
I do not know how it makes you feel, but as a long time Garmin customer, it feels like a slap in the face to me. This is not the time for a sales pitch.
I have an idea, Garmin: how about you beat yesterday by improving your security and communication?
So what can you do?
That’s the worst part of a scenario like this – you’re almost powerless to do anything. You cannot force Garmin to disclose what happened or what it will do to prevent it from happening again.
But you can do what is so often recommended in situations like this: vote with your wallet. Move to a new platform. Remove your data from Garmin and move to something that is hopefully more reliable or trustworthy. There are many other companies out there – such as Wahoo, Polar, Hammerhead and more – that make products competing with Garmin’s.
The biggest issue here is that, as far as I know, none of the competing companies have had to handle a similar situation. This means that we have no idea who would actually handle it better.
I guess time will tell.