Garmin's outage, ransomware attack response lacking as earnings loom
Garmin's long-running outage is a case study in how not to handle an IT meltdown and cybersecurity attack and may indicate a longer recovery than expected.
You could almost smell the panic as Garmin dealt with a ransomware attack that brought down numerous systems including Garmin Connect, the software that holds data on your runs, workouts, and activities as well as production systems and call centers. On Sunday morning, July 26, Garmin Fenix smartwatches couldn't offer distance and GPS tracking on runs. Garmin's aviation apps are currently operational, but they're being monitored closely after initial problems.
SEE: Navigating data privacy (ZDNet/TechRepublic special feature) | Download the free PDF version (TechRepublic)
On Monday, July 27, Garmin began restoring services to Garmin Connect. Some functionality was limited, but the basics were working. "We are happy to report that Garmin Connect recovery is underway. We'd like to thank you for your understanding and patience as we restore normal operations," the company said.
Meanwhile, the clock is ticking as Garmin is scheduled to report earnings Wednesday. Customers will want answers, but Wall Street will want more clarity. Garmin's success story and run of strong quarters are going to be overshadowed by its cyberattack.
Also: Garmin: How wearable data can aid COVID-19 treatment, research
Based on Garmin's crisis management since late last Wednesday, July 22, things aren't looking so hot. At first, Garmin met the issues with silence, followed by a short tweet noting problems. On Saturday, July 25, the company shared a vague FAQ that didn't address the big questions. The Garmin Connect status page told the story.
We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.
As of Monday morning, Garmin said that Garmin Connect has returned with limited functionality.
But the focus on Garmin Connect loses the plot. I'm a long-time customer of Garmin and use its devices for runs, quantified self data, and now, metrics such as Body Battery and Pulse Ox. Garmin may take a reputation hit, but Garmin is much more than just fitness wearables and smartwatches. Garmin also operates critical data infrastructure for automotive, aviation, and marine as well as enterprise health.
Must read:
- Garmin's Autoland, Q3 highlights how company's innovation, product cadence pays off
- Garmin acquires Firstbeat Analytics
- Garmin Instinct Solar first look review: Rugged outdoor GPS sports watch powered by the sun
- Garmin data analysis of the global pandemic: Focused activity increases as people adapt to restrictions
Garmin better hope that its woes are due to a ransomware attack forcing it to rebuild systems. Garmin's data would be of interest to a state actor, too.
In other words, Garmin got off easy this time. Next time, Garmin's data could be used for something worse. All you need to recall is how Strava data was able to pinpoint troops and then you realize how valuable Garmin data could be.
Now the Pentagon has banned GPS devices, but the Strava incident gives you an idea of what's possible.
Must read:
- A decade of hacking: The most notable cyber-security events of the 2010s
- Survey: Despite new tactics, companies still face challenges implementing cybersecurity measures
- Free PDF download: Cybersecurity: Let's get tactical
- Most common cyberattacks we'll see in 2020, and how to defend against them
Garmin lays out the security and data risks in its annual report:
We collect, store, process, and use personal information and other user data. Our users' personal information may include, among other information, names, addresses, phone numbers, email addresses, payment account information, height, weight, age, gender, heart rates, sleeping patterns, GPS-based location, and activity patterns. Due to the volume and types of the personal information and data we manage and the nature of our products and applications, the security features of our platform and information systems are critical. If our security measures or applications are breached, are disrupted or fail, unauthorized persons may be able to obtain access to user data. If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Garmin data were to experience a breach, disruption or failure of systems compromising our users' data or the media suggested that our security measures or those of our third-party service providers were insufficient, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings. Depending on the nature of the information compromised, in the event of a data breach, disruption or other unauthorized access to our user data, we may also have obligations to notify users about the incident and we may need to provide some form of remedy for the individuals affected by the incident.
Garmin goes on to note that system and data breaches could result in higher costs via security experts, consultants, and remediation costs. Rest assured that Garmin is overrun with security experts and consultants as we speak.
Can Garmin recover? Certainly.
Equifax turned its data breach debacle into new products. Other ransomware attack victims, including some cities, have recovered. Garmin may have just suffered a blip in a long run of innovation, but it will need to step up its security game going forward. All this outage at Garmin proves is that the company is vulnerable to attacks.