Garmin services are at least in part back following a ransomware attack, but how much the company has been impacted remains unclear.

The company’s platforms and services, including Garmin Connect, its aviation-targeted fly Garmin brand and emails, call centres and online chat were all down from Thursday through to today.

Services are now beginning to come back online, and at the time of writing some features were fully restored, while others, such as Garmin Connect were listed by the company as having “limited” online functionality.

However, despite widespread reports that the culprit was a ransomware attack since Thursday, Garmin has remained silent on the cause until today, calling the incident an “outage” in a page on its site responding to the issue, where it apologised and responded to some frequently asked questions, but made no mention of a potential cyberattack.

With services now coming back online, Garmin has finally acknowledged the cause was a ransomware attack, issuing a statement on the incident:

“Garmin Ltd. today announced it was the victim of a cyberattack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications and company communications,” the company wrote in an email to Verdict.

How well do you really know your competitors?

Access the most comprehensive Company Profiles on the market, powered by GlobalData. Save hours of research. Gain competitive edge.

View profiles in store

Company Profile – free sample

Thank you!

Your download email will arrive shortly

Not ready to buy yet? Download a free sample

We are confident about the unique quality of our Company Profiles. However, we want you to make the most beneficial decision for your business, so we offer a free sample that you can download by submitting the below form

By GlobalData

Submit

UK USA Afghanistan Åland Islands Albania Algeria American Samoa Andorra Angola Anguilla Antarctica Antigua and Barbuda Argentina Armenia Aruba Australia Austria Azerbaijan Bahamas Bahrain Bangladesh Barbados Belarus Belgium Belize Benin Bermuda Bhutan Bolivia Bonaire, Sint Eustatius and Saba Bosnia and Herzegovina Botswana Bouvet Island Brazil British Indian Ocean Territory Brunei Darussalam Bulgaria Burkina Faso Burundi Cambodia Cameroon Canada Cape Verde Cayman Islands Central African Republic Chad Chile China Christmas Island Cocos Islands Colombia Comoros Congo Democratic Republic of the Congo Cook Islands Costa Rica Côte d"Ivoire Croatia Cuba Curaçao Cyprus Czech Republic Denmark Djibouti Dominica Dominican Republic Ecuador Egypt El Salvador Equatorial Guinea Eritrea Estonia Ethiopia Falkland Islands Faroe Islands Fiji Finland France French Guiana French Polynesia French Southern Territories Gabon Gambia Georgia Germany Ghana Gibraltar Greece Greenland Grenada Guadeloupe Guam Guatemala Guernsey Guinea Guinea-Bissau Guyana Haiti Heard Island and McDonald Islands Holy See Honduras Hong Kong Hungary Iceland India Indonesia Iran Iraq Ireland Isle of Man Israel Italy Jamaica Japan Jersey Jordan Kazakhstan Kenya Kiribati North Korea South Korea Kuwait Kyrgyzstan Lao Latvia Lebanon Lesotho Liberia Libyan Arab Jamahiriya Liechtenstein Lithuania Luxembourg Macao Macedonia, The Former Yugoslav Republic of Madagascar Malawi Malaysia Maldives Mali Malta Marshall Islands Martinique Mauritania Mauritius Mayotte Mexico Micronesia Moldova Monaco Mongolia Montenegro Montserrat Morocco Mozambique Myanmar Namibia Nauru Nepal Netherlands New Caledonia New Zealand Nicaragua Niger Nigeria Niue Norfolk Island Northern Mariana Islands Norway Oman Pakistan Palau Palestinian Territory Panama Papua New Guinea Paraguay Peru Philippines Pitcairn Poland Portugal Puerto Rico Qatar Réunion Romania Russian Federation Rwanda Saint Helena, Ascension and Tristan da Cunha Saint Kitts and Nevis Saint Lucia Saint Pierre and Miquelon Saint Vincent and The Grenadines Samoa San Marino Sao Tome and Principe Saudi Arabia Senegal Serbia Seychelles Sierra Leone Singapore Slovakia Slovenia Solomon Islands Somalia South Africa South Georgia and The South Sandwich Islands Spain Sri Lanka Sudan Suriname Svalbard and Jan Mayen Swaziland Sweden Switzerland Syrian Arab Republic Taiwan Tajikistan Tanzania Thailand Timor-Leste Togo Tokelau Tonga Trinidad and Tobago Tunisia Turkey Turkmenistan Turks and Caicos Islands Tuvalu Uganda Ukraine United Arab Emirates US Minor Outlying Islands Uruguay Uzbekistan Vanuatu Venezuela Vietnam British Virgin Islands US Virgin Islands Wallis and Futuna Western Sahara Yemen Zambia Zimbabwe Kosovo

Industry * Academia & Education Aerospace, Defense & Security Agriculture Asset Management Automotive Banking & Payments Chemicals Construction Consumer Foodservice Government, trade bodies and NGOs Health & Fitness Hospitals & Healthcare HR, Staffing & Recruitment Insurance Investment Banking Legal Services Management Consulting Marketing & Advertising Media & Publishing Medical Devices Mining Oil & Gas Packaging Pharmaceuticals Power & Utilities Private Equity Real Estate Retail Sport Technology Telecom Transportation & Logistics Travel, Tourism & Hospitality Venture Capital

Tick here to opt out of curated industry news, reports, and event updates from Verdict.

Submit and download

Visit our Privacy Policy for more information about our services, how we may use, process and share your personal data, including information of your rights in respect of your personal data and how you can unsubscribe from future marketing communications. Our services are intended for corporate subscribers and you warrant that the email address submitted is your corporate email address.

“We immediately began to assess the nature of the attack and started remediation. We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.”

Many users have responding angrily to the company’s limited communications during the incident, taking to Twitter to complain, with one user decrying Garmin’s “non-existent communication and woefully weak FAQ”, while another called the company’s crisis management “near non-existent”.

Garmin is back but its reputation is at risk

For every day that ticked by from the start of the outage, Garmin was more exposed to damage from the incident.

“The ransomware attack on Garmin is the corporate equivalent of a heart attack. The longer it takes to restart the heart, the bigger the damage to Garmin or any business for that matter,” says Sam Curry, chief security officer at Cybereason.

“The attack will kill Garmin’s revenues, cause layoffs and result in customers being angry and competitors benefiting. And has there ever been worse timing for a breach, with Garmin’s quarterly earnings call on Wednesday, July 29?”

However, while services are beginning to come back online, the lack of communication up to this point has likely already caused lasting damage.

“[During ransomware attacks], businesses need to ensure they are in constant communication with customers and staff,” says Carl Wearn, head of e-crime at Mimecast.

“By failing to provide timely, honest and comprehensive communications to the relevant stakeholders, a vacuum is left that is often filled with rumour and misinformation. Honest media statements that don’t implicate the business and highlight the steps that are being taken to deal with the attack can go a long way in reducing both fear and panic.”

If customer data does turn out to have been impacted, Garmin will have a legal requirement under GDPR to notify those affected.

“No organisation wants to notify customers about a breach or outage, which is why notification laws are important,” says Tim Erlin, VP, product management and strategy at Tripwire.

“Legal notification, however, is only part of the response puzzle. As we see incidents increase in frequency, timely and informative notification has to be considered part of customer service. If we accept that these types of incidents happen to all organisations, how you handle them for your customers can be a competitive differentiator.”

Garmin’s communication so far has been extremely limited, with many customers left with questions. But how it decides to handle the incident over the next days and weeks will also have an impact.

“In the short term, it is critical that Garmin not try to play the role of victim as a result of this attack because neither Wall Street nor their customers will have any of it,” says Curry.

However, Garmin insists that the incident is not going to cause the company ongoing harm.

“Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage,” the company said.

“As our affected systems are restored, we expect some delays as the backlog of information is being processed. We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.”

Did Garmin pay the ransomware demand?

While Garmin has not said how much it was asked to pay in the ransomware attack, BleepingComputer, which has published what it says are encrypted file directories and a ransomware note from the attacker, reports that the perpetrators are asking the company to pay a $10m ransom.

It is not known if this has been paid, although it is possible given that services are now beginning to come back online.

However, if Garmin did pay this ransom, it did so against the general recommendations of cybersecurity professionals, who almost universally say never to pay such ransoms because there is no guarantee the attackers will honour their end of the deal, and it can mark a company as an easy target for future attacks.

“Companies should by no means pay the criminals in case of suffering a ransomware attack,” says Bill Conner, president and CEO of SonicWall.

“Despite their assurances, there is no guarantee that they will delete the stolen data – quite the opposite, often they take the payment and then sell the data again on the Dark Web, profiting twice from the same crime.”

Nevertheless, Garmin may have felt that the cost of the ransomware was lower than the costs associated with having its products offline for any longer.

“Ransomware is effective when the cost of paying the ransom is less than that of removing the ransomware,” says Tripwire’s Erlin.

“That cost calculation has to include downtime for any service, so the more organisations rely on connectivity for service availability, the more disrupting that connectivity becomes an effective tactic for ransomware.”

Lessons from the incident

While Garmin services are starting to come back online, there is still considerable information to come out about the incident.

However, for other executives cringing at the idea of being in their Garmin-based counterparts’ shoes right now, there are lessons to learn.

“We all know that the most effective way to combat ransomware is to avoid getting infected in the first place, to be proactive in defense,” says Erlin.

“The second most effective way to combat ransomware, however, is to build in the ability to recover quickly. Organisations that have a strong disaster recovery program in place are less likely to find themselves paying ransom, and more likely to restore their systems back to operational state.”

“If there is a silver lining with this latest breach, it will hopefully serve as a 2020 wake up call for Garmin and every company,” adds Cybereason’s Curry, “and an opportunity to harden their defences and improve their security hygiene in this cat-and-mouse game between enterprises and hackers.”

Read more: “Outrageous” ransomware attack on European hospital network a reminder not to pay

Sign up for our daily news round-up!

Give your business an edge with our leading industry insights.

Sign up