Last week, Garmin suffered a massive outage that not only prevented its multisport athletes from uploading activities to its servers, but also took down its call center, email system, online chat, and even its flyGarmin aviation service. Rumor has it that the outage was due to a ransomware attack, but it took Garmin five days to acknowledge that it was indeed a cyber attack.
When the outage started on the morning of July 23rd, Garmin Connect users were greeted with a “Sorry, we’re down for maintenance. Check back shortly.” message when trying to access the service online or through the Connect mobile apps. The official Garmin account tweeted a vague and basically unhelpful message as well:
We are currently experiencing an outage that affects Garmin Connect, and as a result, the Garmin Connect website and mobile app are down at this time. (1/2)
— Garmin (@Garmin) July 23, 2020
After that, another generic “we’re sorry” tweet, along with a very brief FAQ on July 25th:
We want to extend our sincerest apology for the inconvenience the outage has caused for our customers. We hope this FAQ answers some of the questions you have: https://t.co/e3lgtpZ1Ci
— Garmin (@Garmin) July 25, 2020
Overall, that’s not a lot to go on, and that’s a bad place to be in if you’re a Garmin user, especially because the company was equally as vague for the following four days.
So, What Happened?
Ah, that’s the million-dollar question, isn’t it? The truth is, we’re still not sure. There’s a lot of speculation and rumor floating around out there, with the most credible (but unconfirmed) source coming from ZDnet. According to writer Catalin Cimpanu, Garmin was hit by a ransomware attack called WastedLocker.
Other sources claim that once the attack was discovered, Garmin told all employees—who seem to be working remotely due to the COVID-19 pandemic—to shut down all systems, including the company’s servers (which is why the call center, email, and chat services were also down). This was in an effort to keep the hackers from hijacking the servers and encrypting more data, effectively shutting Garmin out of its own system as well.
Reports continued to surface over the five-day outage, many claiming the attack came from Russian hacker group Evil Corp with a $10 million U.S. dollar demand. But that’s also unconfirmed.
Finally, on July 27th, Garmin officially acknowledged the cause of the outage, stating that it was “the victim of a cyber attack that encrypted some of our systems on July 23, 2020.” The details are still far scanter than I feel like customers deserve, but that seems to at least somewhat back up the “ransomware” rumors.
Garmin expects users to trust it with a lot of data—health, location, contacts, tracking, and a whole lot more. The lack of transparency from the company should make every Garmin user out there feel uneasy about continuing their relationship moving forward.
What Garmin Did Right
While I’m admittedly not happy with how Garmin has handled the situation, it’s worth mentioning that some things were handled at least kind of right.
For starters, as soon as it realized that something wasn’t right, Garmin shut down its systems. According to rumor, we’re talking about anyone who had remote access to the system as well as all the servers. That’s why sync didn’t work—there was nothing to sync to.
That first step was crucial to protecting user data, as Garmin physically removed access to any server that hadn’t yet been affected or hijacked by the attack.
Past that, though, there’s not a lot of praise to give Garmin in how it handled the situation.
Where Garmin Dropped the Ball
If there’s one thing a company that has your private and/or personal data should understand, it’s transparency. If something goes awry, let users know. We have a right to know what’s going on with our data—or even what could potentially happen to our data—in a situation like this.
Sure, Garmin included a vague statement in its Outage FAQ:
Was my data impacted as a result of the outage?
Garmin has no indication that this outage has affected your data, including activity, payment or other personal information.
I guess that’s something, but it’s not enough. Let’s look at a few instances where companies went above and beyond to let their users know what was happening while it was happening.
Last December, Wyze experienced a data breach on a test server. This was the company’s fault, and it was clearly acknowledged. Wyze went above and beyond to clearly and explicitly state what happened, how it happened, and which data was exposed. The whole situation was bad, but the way Wyze handled it was exemplary.
Another example is the recent Twitter hack. While the whole thing can only be described as a disaster, Twitter did a good job of communicating what was happening and then following up with more details as they became available.
And that’s where Garmin screwed up the whole thing—it’s been days since the service was originally taken down. After roughly five days, the service only recently started to slowly come back to life. And Garmin’s statement is a graceful word dance with no real explanation outside of “there was a cyber attack.”
Hell, Garmin didn’t even bother to email customers about the outage—aside from vague communication over Twitter, the company did absolutely nothing to make sure customers knew what was happening. That sucks because if you didn’t know where to look, you were out in the cold. Or worse—reading potentially incorrect speculation and hearsay from unsubstantiated sources on random websites.
What Is Garmin Going to Do About This Moving Forward?
There’s no word on what really happened. If it was in fact a ransomware attack, did Garmin pay the ransom to have any hijacked data returned? If not, how was the situation handled? What steps will be taken to prevent this type of situation in the future?
That last bit is a crucial detail. Any time a company is the subject of a data breach, it should let its customers know what it’s going to do to prevent this type of attack in the future. But Garmin didn’t say a word about what it’s going to do. We have no way of knowing if the company is going to change anything. More employee training? A security consultation from a reputable company? Nothing at all? Who knows.
Those are all things that Garmin customers deserve to know. We trust them to keep our data safe, and we damn well deserve to know all the details when something happens.
But hey, at least they made sure to include this load of crap at the end of the press release:
Engineered on the inside for life on the outside, Garmin products have revolutionized the aviation, automotive, fitness, marine and outdoor lifestyles. Dedicated to helping people make the most of the time they spend pursuing their passions, Garmin believes every day is an opportunity to innovate and a chance to beat yesterday.
I don’t know how that makes you feel, but as a long-time Garmin customer, this feels like a slap in the face to me. This isn’t the time for a sales pitch.
I have an idea, Garmin: how about you beat yesterday by improving your security and communication?
So, What Can You Do?
That’s the worst part of a scenario like this—you’re almost powerless to do anything. You can’t force Garmin to give up what happened or what it’s going to do to prevent it from happening again.
But you can do what is so often recommended in situations like this: vote with your wallet. Move to a new platform. Delete your data from Garmin, and move to something hopefully more reliable or trustworthy. There are plenty of other companies out there—like Wahoo, Polar, Hammerhead, and more—that make products competing with Garmin’s.
The biggest issue here is that, as far as I can think of, none of those competing companies have dealt with a similar situation. That means we have no idea which ones would actually handle it better.
I guess time will tell.