Subscribe now and choose from over 30 free gifts worth up to £49 - Plus get £25 to spend in our shop
DDOS: basically think of it as a digital version of someone organising a crowd shouting at the top of their voices so no-one can hear you speak.
Ooh.
Garmin Connect is no longer giving me 404 errors at sign-in, but instead javascript errors.
( A new Garmin Explore turned up yesterday. I'd quite like to get it talking to my phone so I can send a route to follow).
Just bought my missus a new Garmin too.
Her first, reluctant step in to smart tech and within a week the platform has been hacked.
Might have to keep it quiet for a while and see if she notices.
Her first, reluctant step in to smart tech and within a week the platform has been hacked.
It’s her fault!
Burn the witch!
Brill ‘documentary’ article on Ransomware for the poster child of being sat on your arse and getting back up.
https://www.wired.com/story/notpetya-cyberattack-ukraine-russia-code-crashed-the-world/
Edit: previously posted by soundninja up there. Worth a read though.
Thanks that was a good read.
DDOS: basically think of it as a digital version of someone organising a crowd shouting at the top of their voices so no-one can hear you speak.
Like a thread when certain people start posting.
Bit more info leaking out now and this website seems to have as much info as anyone: https://www.bleepingcomputer.com/news/security/garmin-outage-caused-by-confirmed-wastedlocker-ransomware-attack/
Apparently, they've been asked to pay a $10 million ransom. I'll not put my usb cable away just yet...
I wonder how much is the Kremlins cut.
Looks like it's starting to come back to life again:
https://connect.garmin.com/status/
My guess is that it'll be a bit lumpy for a few days while it clears the (presumably) pretty hefty backlog, but good news anyway!
Yeah, I absent mindedly opened connect this morning, as I always do to sync my watch, and it all uploaded and my kayak from the weekend synced to Strava. Still says down for maintainace at the top, but otherwise worked fine.
Interesting to know what they ended up doing...
The site looks to be back up - I have just managed to log in, but the 1030 hasn't sync'd with Strava yet. Fingers crossed.
Think they just turned it off then back on again.
Probably claim that the cleaner unplugged it to do the hoovering and no-one noticed til they came into work today...
Looks like they're switching on certain services one by one, that's good.
One of my activities has just synced despite the server maint message showing on the Garmin Connect app.
Yeah, mine as well...but the Status page is offline again...haha! Too many people maybe trying to see what is available.
All working perfectly for me. Synching, plotting routes, updates.
Great news if it's all working.bet they have been working hard around the clock.
My Strava app says Garmin stuff will auto begin uploading again soon too. Before it said it wasnt and gave directions how to manual upload.
Strava have said it may take up to a week to clear their sync backlog with Garmin Connect.
4 activities updated to Strava today from over the past few days, but still not showing on the Garmin app.
Scales now registered but not syncing yet...but it is progressing so that is good.
Just synced MrsP's watch - got a couple of 'error connecting to server' messages but tried again and it worked fine. The activities appeared on Strava within a minute or so of syncing to Garmin Connect.
Is everyone happy to continue using Garmin and syncing very personal data with a company that can`t even defend itself against ransomware? How do you think they are going to keep you personal data safe?
The Maersk / NotPetya story from Wired is good. If you want to read more, I'd recommend this one, from Maersk's IAM lead at the time: https://gvnshtn.com/maersk-me-notpetya/
Is everyone happy to continue using Garmin and syncing very personal data with a company that can`t even defend itself against ransomware? How do you think they are going to keep you personal data safe?
As happy as I am with ones that haven’t yet been held to ransom.
Well, they've confirmed that no data breach occurred.
https://www.garmin.com/en-GB/outage/
And you might want to have a look at this list...
I'm willing to bet you'll have used at least one of those sites.
Anyway... Mine is semi syncing. But how am I meant to know how tired I am, Garmin? I can't see my sleep tracking! 😁
Is everyone happy to continue using Garmin and syncing very personal data with a company that can`t even defend itself against ransomware? How do you think they are going to keep you personal data safe?
It would be nice to be principled and not use any firms that have had a breach of data privacy, but I suspect that if I did that I'd rapidly run out of options for stuff - and the fact of it is that for me Garmin is the best at the fitness/activity stuff.
Is everyone happy to continue using Garmin and syncing very personal data with a company that can`t even defend itself against ransomware? How do you think they are going to keep you personal data safe?
Apart from 'address at which nice bikes are kept' I'm not sure what data they have that they could maliciously use?
Flogging DickBarton some slimming world products when his weight goes up?
Apart from ‘address at which nice bikes are kept’ I’m not sure what data they have that they could maliciously use?
All your movements, address, bank details, phone number, photos ( I assume you can upload them to rides) email addresses, medical data (heart rate data is included in that category).
I only asked out of curiosity, and it seems from the first few responses, that if you really like a service then you will continue to use it, even if its proven to have insufficient security/procedures in place.
Well, they’ve confirmed that no data breach occurred.
I didn't say any data loss had occurred. But are you willing to trust your data to a company that has just been proven to lacking in the area of security?
All your movements, address, bank details, phone number, photos ( I assume you can upload them to rides) email addresses, medical data (heart rate data is included in that category).
Medical details? What are they going to do with my SP02 and respiratory data?
As happy as I am with ones that haven’t yet been held to ransom.
no offence, and I mean this in a nice way, but that's the stupidest reason for anything ever.
Too late for that...turns out previous scales have clearly been broken for some time. I'm assuming the gain is muscle!!!
no offence, and I mean this in a nice way, but that’s the stupidest reason for anything ever.
Yeah that’s because you think my heart rate is medical data. Putting any information to any company poses a risk, it’s an accepted risk for me, any one could be hacked. A one who may have been held to ransom is perhaps more likely to up their security.
even if its proven to have insufficient security/procedures in place.
I'm guessing you work in information/cyber security? Or directly for Garmin, as you're extremely confident of their 'insufficient security/procedures'?
Assuming this is the end of the affair, I'm actually pretty happy that it has been resolved this quickly. Looks like there were enough controls in place to stop it spreading throughout the company and the actions taken to close down services would have been part of that.
I've also been wondering of Covid 19 has had an influence. Perhaps a rush to homeworking has created a few security holes in many companies.
I didn’t say any data loss had occurred. But are you willing to trust your data to a company that has just been proven to lacking in the area of security?
Again, that word - 'proven' - where's the proof Garmin have failed in security? We don't even know for 100% that it was a ransomware attack.
And even the most secure systems in the world, are not 100% secure. You'd think the CIA would be pretty secure, right? Secure enough to not get hacked by a 15 year old? Think again...
https://phys.org/news/2018-04-uk-teen-hacked-cia-chief.html
All it takes for a ransomware attack to start is one click, and someone putting in their username and password into a (very believable) fake office365 page, and they're in. Just a moment's lapse in concentration and that's it.
If you're that worried about your data, I'd suggest removing any trace of yourself from the internet, as nowhere is truly 'safe'.
All your movements, address, bank details, phone number, photos ( I assume you can upload them to rides) email addresses, medical data (heart rate data is included in that category).
Some people use it more than me - those with full time smart watches, (or if there is a subscription service I don't know about), for example.
Those who just use it as an intermediatry between the physical garmin bike computer, and strava; all it knows about me is my email address, name, and how unfit I am, plus a large nmber of GPS files that with effort, you could determine my home location.
I'd echo the comments above, Garmin itself beyond some metrics, email, age and (with some detective work) my location; have little more data that isn't already in the public domain that someone could credibly get already.
There's being cautious and sensibly cynical about sharing ones private info on line, and then there's probably unjustifiable paranoia.
Some people use it more than me – those with full time smart watches, (or if there is a subscription service I don’t know about), for example.
They don’t control all your movements unlike smartphones. address I’m not sure of without checking but I’m in the phone book so not hard to find me, bank details only if you’ve bought from them but you can’t see that in full, iemail address yes but as I have domain it gets spam anyway as they just put names and words at the front of domain so a hacker could do the same, they have no medical data. They have a few photos but they’re of scenery so not sure what they going to worth a picture of a hill.
If this was a ransomware attack, chances are all of us will have had some dealings with at least 1 company that has been subject to a ransomware attack. The NHS, for instance...
Only personal data breaches have to be notified to the ICO as far as I'm aware (not my speciality, I only dabble in IT security when needed). Ransomware attacks aren't exactly uncommon things...
Medical details? What are they going to do with my SP02 and respiratory data?
Nothing that will directly effect you, but it would be worth something to someone. Imagine having access to the heart rate data of millions of humans. Then imagine being able to filter that data by gender, or age, or location. Any company interested in sports performance would pay happily for such data.
I’m guessing you work in information/cyber security? Or directly for Garmin, as you’re extremely confident of their ‘insufficient security/procedures’?
A ransomware attack got inside their network. That could happen to anyone as you said. But for a company the size of Garmin to turn off their entire infrastructure and have no disaster recovery site/solution in place meaning their business is effectively shut down for several days is probably poor.
I’d echo the comments above, Garmin itself beyond some metrics, email, age and (with some detective work) my location; have little more data that isn’t already in the public domain that someone could credibly get already.
There’s being cautious and sensibly cynical about sharing ones private info on line, and then there’s probably unjustifiable paranoia.
That's naive at best. Its not the data itself, its what they can do with it.
But for a company the size of Garmin to turn off their entire infrastructure and have no disaster recovery site/solution in place meaning their business is effectively shut down for several days is probably poor.
Poor? Yes.
Uncommon? Scarily not. There are many household name companies that survive by a policy that is pretty much "there but for the grace of God" in these matters.
Then imagine being able to filter that data by gender, or age, or location. Any company interested in sports performance would pay happily for such data.
What makes you think Garmin don’t do that anyway?
That’s naive at best. Its not the data itself, its what they can do with it.
What can "they" do with it then? Let's stay within the bounds of your average hacker rather than anyone with specialist tools and data science skills.
But for a company the size of Garmin to turn off their entire infrastructure and have no disaster recovery site/solution in place meaning their business is effectively shut down for several days is probably poor.
Really? If they truly were the victim of a ransomware attack that took down ALL their services and had 'no disaster recovery site/solution in place' it would a take a lot sodding longer than 3 days to get most systems back up and running. And would involve paying the hackers a VERY large sum of money.
Both of which I can almost guarantee are false claims.
Do you not think, that if a companies online services got compromised, the first thing they might do is take it all offline to prevent further damage?
I'll ask again - do you work in information/cyber security? If not, you have no idea what you're on about...
Also, you're talking about it being a ransomware attack. The entire purpose of a ransomware attack is not to gain access to data, it's to purposely lock it down so it's NOT accessible.
A data breach is not a ransomware attack, they're 2 very different things with 2 very different intended results. Ransomware attackers don't give a jot about what data they're encrypting, it could be the canteens menus for the last 10 years for all they care. They just care about getting companies with no backup plan into a situation where they are forced to pay up.
What makes you think Garmin don’t do that anyway?
If they have any sense then they do. The difference is when you signed up for a Garmin account you gave them permission to do it.
Really? If they truly were the victim of a ransomware attack that took down ALL their services and had ‘no disaster recovery site/solution in place’ it would a take a lot sodding longer than 3 days to get most systems back up and running. And would involve paying the hackers a VERY large sum of money.
From the report I read the attack effected a small part of their infrastructure. They shut everything down to stop it spreading.
I’ll ask again – do you work in information/cyber security? If not, you have no idea what you’re on about…
Not specifically security, but I have worked in IT for 25 years so know a little bit about it.
Also, you’re talking about it being a ransomware attack. The entire purpose of a ransomware attack is not to gain access to data, it’s to purposely lock it down so it’s NOT accessible.
A data breach is not a ransomware attack, they’re 2 very different things with 2 very different intended results. Ransomware attackers don’t give a jot about what data they’re encrypting, it could be the canteens menus for the last 10 years for all they care. They just care about getting companies with no backup plan into a situation where they are forced to pay up.
What I am asking is why are users so willing to trust their data to a company that seemingly have poor defences/responses to cyber attacks. No-one has suggested that this was a data breach.
From the report I read the attack effected a small part of their infrastructure. They shut everything down to stop it spreading.
Exactly what any company would do. Isolate the infected servers, and prevent any further access to the hackers.
Not specifically security, but I have worked in IT for 25 years so know a little bit about it.
Then I'd expect you to know what sort of backup/DR plans companies the size of Garmin would have in place.
It's taken 3 days to start to get stuff back online. First day - isolation and prevention of more catastrophic damage. 2nd day - forensics, identifying the vulnerabilities, how they got in, and patching/fixing them. This could be as simple as using a different MFA method if this was compromised, it could mean patching a flaw in multiple different web servers. At the same time, restoring lost data from backups, which if it was a large amount, can take hours and hours. Day 3 - testing of all services before a phased switch on.
I've worked in IT for 6 years, not specifically security but I've had lots of dealing with these sorts of attacks along with backup/DR etc etc.
What I am asking is why are users so willing to trust their data to a company that seemingly have poor defences/responses to cyber attacks.
Please tell me exactly what backup and disaster recovery procedures Garmin have in place. As it's so poor, you must have details? Ahh, 'seemingly' - there we go, you don't know. You don't know what data was compromised. You don't know what the actual attack was. You're guessing that because their services were down for 3 days they must have bad security.
I wasn't intending this to become a detailed analysis of Garmins response. But seeing so many users posting how happy they were that systems were returning without anyone stopping and thinking for a minute if continuing to use them was such a great idea. If you are happy to then great. I was early trying to raise awareness.
This is a pretty good read for those interested in finding out more about the response and the potential use for such data.
https://www.zdnet.com/article/garmins-outage-ransomware-attack-response-lacking-as-earnings-loom/
If someones gonna hack Garmin so they can come to Leeds and nick my Planet X road bike the world really has gone ****ing mental!
Then I’d expect you to know what sort of backup/DR plans companies the size of Garmin would have in place.
It’s taken 3 days to start to get stuff back online. First day – isolation and prevention of more catastrophic damage. 2nd day – forensics, identifying the vulnerabilities, how they got in, and patching/fixing them. This could be as simple as using a different MFA method if this was compromised, it could mean patching a flaw in multiple different web servers. At the same time, restoring lost data from backups, which if it was a large amount, can take hours and hours. Day 3 – testing of all services before a phased switch on.
I’ve worked in IT for 6 years, not specifically security but I’ve had lots of dealing with these sorts of attacks along with backup/DR etc etc.
First reports were last Wednesday no? With some services returning this morning? That's six days by my count.
If someones gonna hack Garmin so they can come to Leeds and nick my Planet X road bike the world really has gone **** mental!
Your Planetx road bike is the last thing they want.
That’s naive at best. Its not the data itself, its what they can do with it.
I don't know if my data has been compromised, and if it has, to what level of exposure, and again, If a "bad actor" has access to my personal data, then there's honestly not a lot I can do about that, or worry about the fact that some Russian in a bot factory now knows that I get about 8hrs of sleep a night. There;s nothing short of stopping using the internet for ever that will protect me 100% from that sort of activity.
To be honest, the sort of folk who come and rob you are just going to rock up to my house on the off chance, they're not going to first buy some random piece of data from a hacker who got some lines of script (that with the right programme )can see within 250 yards of where I start and stop my cycling activity...Call me naive if it makes you feel like Neo, but honestly, I'm more in danger of being mugged in real life than I am from some random having some data from Garmin (if they do at all).
I suppose they are a bit busy fixing stuff but I am surprised there hasn't been an official announcement from Garmin. Unless there has been one and I haven't seen it.
I suppose they are a bit busy fixing stuff but I am surprised there hasn’t been an official announcement from Garmin. Unless there has been one and I haven’t seen it.
Their all out breaking into peoples garages!!
Thursday by my reckoning, so 4 days - not 3, apologies. Still within realms of getting a big attack resolved.
Even Wednesday makes it 5 days as services started to come back early this morning.
That link on zdnet basically just says their comms haven't been great. In my opinion, more damage would be done releasing something possibly not accurate in the early days, then having to retract that and release a formal press release afterwards. I'd prefer they concentrate on fixing the issues rather than releasing something to say 'yes we know the systems are down, we think it's this, it should be back up by xx date'. More damage would be done by fluffing a release than no release at all. Under promise, over deliver. Or never give someone a date that you can't guarantee.
Anyway, am I worried about my data possibly being in the hands of someone else? No. It probably already is...
But seeing so many users posting how happy they were that systems were returning without anyone stopping and thinking for a minute if continuing to use them was such a great idea. If you are happy to then great. I was early trying to raise awareness.
Yes, it's something to consider, but as I said before if you choose not to use any company that has ever been hacked/fell foul of ransomware/had systems compromised/had a data breach, you'd run out of options very quickly. That sort of thinking, I'm afraid, is tin-foil hat territory. The NHS got done a few years back. I presume you're OK using them?
Unless you opted out of it when the letters went round a while back, various companies already have access to far more detailed healthcare data on you, and for far less outlay and risk: https://www.theguardian.com/technology/2020/feb/08/fears-over-sale-anonymous-nhs-patient-data
Also, when talking about locking data away with Ransomware and stealing data, bear in mind the amount of data Garmin probably holds is absolutely vast - and so probably quite difficult to squirrel out of their network without leaving some sort of trace. I've no idea how much data Garmin Connect ingests each day, but I'm guessing enough that trying to steal say a week's worth would set off some biggish alarm bells. And if you're an attacker going for maximum bang for your buck, would you really want to risk your payday to exfil data that may or may not be valuable over weeks or months at a low bitrate?
There's also the issue of ease of data exploitation: credit card or (in the US) social security numbers are relatively easy to exploit and the data relatively easy to sell on as a result. Someone can, from their sofa, run through stolen card details and make money for relatively low effort and low risk. What's the easily-exploited use for all this data? I'm not saying there isn't one, and I'd be happy to hear ideas how / why, but there is unlikely to be a market for burglars wanting to know who on a street has a fitness tracker and therefore might have a nice bike (or not) or a pair of well-used trainers. Best return for the lowest risk and effort is the usual MO, and ransomware's a great example: the payoff (if there is one) is in invariably in bitcoin.
I suppose they are a bit busy fixing stuff but I am surprised there hasn’t been an official announcement from Garmin. Unless there has been one and I haven’t seen it.
'tis on the main page 😉
https://www.garmin.com/en-GB/outage/
I wasn’t intending this to become a detailed analysis of Garmins response.
agreed - time to step away from the allegations of how good or not their systems are, the truth is unless you work in their IT/security team, we'll probably never know. One thing I do know however, is that I would not have wanted to have gotten that on call phone call!!
The last thing you want to hear at any IT area are any of the words 'hacked' ransomware' 'everything's down' or 'all my files are locked...' :O
I can sympathise with the guys at Garmin, I highly doubt they'll have had much sleep over the past few days.
I suppose they are a bit busy fixing stuff but I am surprised there hasn’t been an official announcement from Garmin. Unless there has been one and I haven’t seen it.
I have a (very) little bit of experience of how Comms teams plan for this sort of situation - it's something that should be in every organisation's crisis comms plan.
Absolute radio silence aside from a brief factual statement until more is known is one well-regarded approach, and one of several that should have been gamed out and refreshed at least once a year.
It is not the only approach, and it's not always the best, and there'll always be someone with 20:20 hindsight at the end of it. It will have been got to after a great deal of back and forth between Garmin's board of directors, investor relations team, CIO/CISO and teams, outside IR team and the Comms team themselves.
I have a (very) little bit of experience of how Comms teams plan for this sort of situation – it’s something that should be in every organisation’s crisis comms plan.
Agreed. I worked with a company in London who exist solely to war game this type of disaster with your comms people and train them to deal with social and traditional media. Let's hope Garmin give them a call as I believe they did an utterly piss poor job.
’tis on the main page 😉
https://www.garmin.com/en-GB/outage/
/blockquote>Fair enough but that is worse than useless. No time or date, no updates, no mention of user data concerns etc. Compare that to this - https://support.strava.com/hc/en-us/articles/360046805811?deviceType=79
I still think the communication has been poor.
Fair enough but that is worse than useless. No time or date, no updates, no mention of user data concerns etc.
I still think the communication has been poor.
User data concerns:
Was my data impacted as a result of the outage?
Garmin has no indication that this outage has affected your data, including activity, payment or other personal information.
Why would they give a date if they cannot guarantee that it'll be fixed by that time? That would do more damage than not giving a date.
See below
Absolute radio silence aside from a brief factual statement until more is known is one well-regarded approach, and one of several that should have been gamed out and refreshed at least once a year.
It is not the only approach, and it’s not always the best, and there’ll always be someone with 20:20 hindsight at the end of it. It will have been got to after a great deal of back and forth between Garmin’s board of directors, investor relations team, CIO/CISO and teams, outside IR team and the Comms team themselves.
What I am asking is why are users so willing to trust their data to a company that seemingly have poor defences/responses to cyber attacks
The seemingly poor response was to shut down when they suspected an attack, then fixed it. Of course all this is speculation as there’s been no confirmation of a cyber attack.
I think the communication was bad and while I didn't expect Garmin to give any definitive info while they were still investigating a more frequent "we're still working on it" would have been nice.
Let's not forget that their focus is going to be on their quarterly earnings on Wednesday and not on short term PR which will be all but forgotten by the average consumer within a few months.
There have been plenty of data breach cover ups but I don't think we can just assume Garmin is the same without evidence. You take a risk anytime you upload personal information and if you aren't comfortable with the risk of it being leaked then you shouldn't be using these platforms. Frankly compared to FlyGarmin being unusable and $10mil ransoms my extremely limited personal data is hardly worth the effort.
Let’s not forget that their focus is going to be on their quarterly earnings on Wednesday and not on short term PR which will be all but forgotten by the average consumer within a few months.
Yeah - I wonder if the timing was intentional on the part of the attackers. Certainly I don't envy the comms peeps at Garmin at the moment - they must be running on fumes along with their entire IS department by now.
Statement from Garmin at https://www.garmin.com/en-US/outage/
Garmin Ltd. was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation.
We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services. Affected systems are being restored and we expect to return to normal operation over the next few days.
As our affected systems are restored, we expect some delays as the backlog of information is being processed. We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.
From Sky News
Sources with knowledge of the Garmin incident who spoke to Sky News on the condition of anonymity said that the company - an American multinational which is publicly listed on the NASDAQ - did not directly make a payment to the hackers.
Doesn't surprise me that that didn't pay, they WILL have had resilient backups in place.
Edit: the unquoted sky bit seems to imply they paid via a third party. I still can't see it, as I say I fully expect them to have had backups etc in place. The wording "Affected systems are being restored" - that's restored, not recovered. You restore from backups, or a snapshot. You recover systems that have been lost.
It might not have even been a targeted attack as such, lots of ransomware encryption attacks start with just an randomly targeted email with a genuine looking .pdf file. Once opened on a system with access to the main servers, bob's your mothers brother. The 'hackers' don't even need access to the systems.
Anyway - tonight's run uploaded to Connect and Strava with no issues, and even my VO2 max has increased! It's taking a while to fully sync but everything seems back to roughly where it was.
I'm conscious of my online profile. I work in IT and security is *part* of my remit.
I don't give a shit what Garmin know about me. It's nothing in the scheme of things.
I can’t say much about it but can say it’s a large and complex recovery. Moral of the story is make sure you have really really good endpoint security and lots of good BIOCs on your alerting. There will be some info released today about it.
Issues with both watches this morn, wife's 4s needed factory reset as it never recorded any distance on her morning run, mine won't lock onto GPS to even start an activity...
Wonder if they've had to release some software overnight?
I've got a server down for maintenance message again.
Depending on how long this outage lasts, next time the scales sync they do seem to remember a few past readings – I know when I have had wifi issues previously more than just the latest weight reading uploaded.
All of the readings have now appeared for the days on which Garmin Connect was offline.