Garmin services are at least in part back following a ransomware attack, but how much the company has been impacted remains unclear.
The company’s platforms and services, including Garmin Connect, its aviation-focused flyGarmin brand, email, call centres and online chat, were all down from Thursday through to today.
Services are now beginning to come back online, and at the time of writing some features were fully restored, while others, such as Garmin Connect, were listed by the company as having “limited” online functionality.
However, despite widespread reports since Thursday that the culprit was a ransomware attack, Garmin remained silent on the cause until today, calling the incident an “outage” on a page on its site responding to the issue, where it apologised and answered some frequently asked questions but made no mention of a potential cyberattack.
With services now coming back online, Garmin has finally acknowledged the cause was a ransomware attack, issuing a statement on the incident:
“Garmin Ltd. today announced it was the victim of a cyberattack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications and company communications,” the company wrote in an email to Verdict.
“We immediately began to assess the nature of the attack and started remediation. We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”
Many users have responded angrily to the company’s limited communications during the incident, taking to Twitter to complain, with one user decrying Garmin’s “non-existent communication and woefully weak FAQ”, while another called the company’s crisis management “near non-existent”.
Garmin is back but its reputation is at risk
For every day that ticked by from the start of the outage, Garmin was more exposed to damage from the incident.
“The ransomware attack on Garmin is the corporate equivalent of a heart attack. The longer it takes to restart the heart, the bigger the damage to Garmin or any business for that matter,” says Sam Curry, chief security officer at Cybereason.
“The attack will kill Garmin’s revenues, cause layoffs and result in customers being angry and competitors benefiting. And has there ever been worse timing for a breach, with Garmin’s quarterly earnings call on Wednesday, July 29?”
However, while services are beginning to come back online, the lack of communication up to this point has likely already caused lasting damage.
“[During ransomware attacks], businesses need to ensure they are in constant communication with customers and staff,” says Carl Wearn, head of e-crime at Mimecast.
“By failing to provide timely, honest and comprehensive communications to the relevant stakeholders, a vacuum is left that is often filled with rumour and misinformation. Honest media statements that don’t implicate the business and highlight the steps that are being taken to deal with the attack can go a long way in reducing both fear and panic.”
If customer data does turn out to have been impacted, Garmin will have a legal requirement under GDPR to notify those affected.
“No organisation wants to notify customers about a breach or outage, which is why notification laws are important,” says Tim Erlin, VP, product management and strategy at Tripwire.
“Legal notification, however, is only part of the response puzzle. As we see incidents increase in frequency, timely and informative notification has to be considered part of customer service. If we accept that these types of incidents happen to all organisations, how you handle them for your customers can be a competitive differentiator.”
Garmin’s communication so far has been extremely limited, with many customers left with questions. But how it decides to handle the incident over the next days and weeks will also have an impact.
“In the short term, it is critical that Garmin not try to play the role of victim as a result of this attack because neither Wall Street nor their customers will have any of it,” says Curry.
However, Garmin insists that the incident is not going to cause the company ongoing harm.
“Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage,” the company said.
“As our affected systems are restored, we expect some delays as the backlog of information is being processed. We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.”
Did Garmin pay the ransomware demand?
While Garmin has not said how much it was asked to pay in the ransomware attack, BleepingComputer, which has published what it says are encrypted file directories and a ransomware note from the attacker, reports that the perpetrators are asking the company to pay a $10m ransom.
It is not known if this has been paid, although it is possible given that services are now beginning to come back online.
However, if Garmin did pay this ransom, it did so against the general recommendations of cybersecurity professionals, who almost universally advise never to pay such ransoms: there is no guarantee the attackers will honour their end of the deal, and paying can mark a company as an easy target for future attacks.
“Companies should by no means pay the criminals in case of suffering a ransomware attack,” says Bill Conner, president and CEO of SonicWall.
“Despite their assurances, there is no guarantee that they will delete the stolen data – quite the opposite, often they take the payment and then sell the data again on the Dark Web, profiting twice from the same crime.”
Nevertheless, Garmin may have felt that the cost of the ransom was lower than the costs associated with having its products offline for any longer.
“Ransomware is effective when the cost of paying the ransom is less than that of removing the ransomware,” says Tripwire’s Erlin.
“That cost calculation has to include downtime for any service, so the more organisations rely on connectivity for service availability, the more disrupting that connectivity becomes an effective tactic for ransomware.”
Lessons from the incident
While Garmin services are starting to come back online, there is still considerable information to come out about the incident.
However, for other executives cringing at the idea of being in their Garmin counterparts’ shoes right now, there are lessons to learn.
“We all know that the most effective way to combat ransomware is to avoid getting infected in the first place, to be proactive in defense,” says Erlin.
“The second most effective way to combat ransomware, however, is to build in the ability to recover quickly. Organisations that have a strong disaster recovery program in place are less likely to find themselves paying ransom, and more likely to restore their systems back to operational state.”
“If there is a silver lining with this latest breach, it will hopefully serve as a 2020 wake up call for Garmin and every company,” adds Cybereason’s Curry, “and an opportunity to harden their defences and improve their security hygiene in this cat-and-mouse game between enterprises and hackers.”