Garmin’s long-running outage is a case study in how not to handle an IT meltdown and cybersecurity attack and may indicate a longer recovery than expected.
You can almost smell the panic as Garmin deals with a ransomware attack that has brought down numerous systems including Garmin Connect, the software that holds data on your runs, workouts and activities as well as production systems and call centers.
Meanwhile, the clock is ticking as Garmin is scheduled to report earnings on Wednesday. Customers will want answers, but Wall Street will want more clarity. Garmin’s success story and run of strong quarters is going to be overshadowed by its cyberattack.
Based on Garmin’s crisis management since late last Wednesday, things aren’t looking so hot. At first, Garmin met the issues with silence, then a short Tweet noting problems. On Saturday, the company followed up with a vague FAQ that didn’t address the big questions. The Garmin Connect status page tells the story.
We are currently experiencing an outage that affects Garmin.com and Garmin Connect. This outage also affects our call centers, and we are currently unable to receive any calls, emails or online chats. We are working to resolve this issue as quickly as possible and apologize for this inconvenience.
Garmin Connect Status page
But the focus on Garmin Connect loses the plot. I’m a long-time customer of Garmin and use its devices for runs, quantified self data and now metrics such as Body Battery and Pulse Ox. Garmin may take a reputation hit, but Garmin is much more than just fitness wearables and smartwatches. Garmin also operates critical data infrastructure for aviation and marine.
Garmin better hope that its woes are due to a ransomware attack forcing it to rebuild systems. Garmin’s data would be of interest to a state actor too.
In other words, Garmin got off easy this time. Next time, Garmin’s data could be used for something worse. All you need to recall is how Strava data was able to pinpoint troops and realize how valuable Garmin data could be.
Now the Pentagon has banned GPS devices, but the Strava incident gives you an idea of what’s possible.
Garmin lays out the security and data risks in its annual report:
We collect, store, process, and use personal information and other user data. Our users’ personal information may include, among other information, names, addresses, phone numbers, email addresses, payment account information, height, weight, age, gender, heart rates, sleeping patterns, GPS-based location, and activity patterns. Due to the volume and types of the personal information and data we manage and the nature of our products and applications, the security features of our platform and information systems are critical. If our security measures or applications are breached, are disrupted or fail, unauthorized persons may be able to obtain access to user data. If we or our third-party service providers, business partners, or third-party apps with which our users choose to share their Garmin data were to experience a breach, disruption or failure of systems compromising our users’ data or the media suggested that our security measures or those of our third-party service providers were insufficient, our brand and reputation could be adversely affected, use of our products and services could decrease, and we could be exposed to a risk of loss, litigation, and regulatory proceedings. Depending on the nature of the information compromised, in the event of a data breach, disruption or other unauthorized access to our user data, we may also have obligations to notify users about the incident and we may need to provide some form of remedy for the individuals affected by the incident.
Garmin then goes on to note that system and data breaches could result in higher costs via security experts, consultants and remediation costs. Rest assured that Garmin is overrun with security experts and consultants as we speak.
Can Garmin recover? Certainly.
Equifax turned its data breach debacle into new products. Other ransomware attack victims, including some cities, have recovered. In the long run, Garmin may have just suffered a blip in a long run of innovation, but it will need to step up its security game going forward. All this outage at Garmin proves is that the company is vulnerable to attacks.