From the report I read the attack affected a small part of their infrastructure. They shut everything down to stop it spreading.
Exactly what any company would do. Isolate the infected servers, and prevent any further access to the hackers.
Not specifically security, but I have worked in IT for 25 years so know a little bit about it.
Then I'd expect you to know what sort of backup/DR plans companies the size of Garmin would have in place.
It's taken 3 days to start to get stuff back online. First day - isolation and prevention of more catastrophic damage. 2nd day - forensics, identifying the vulnerabilities, how they got in, and patching/fixing them. This could be as simple as using a different MFA method if this was compromised, it could mean patching a flaw in multiple different web servers. At the same time, restoring lost data from backups, which if it was a large amount, can take hours and hours. Day 3 - testing of all services before a phased switch on.
I've worked in IT for 6 years, not specifically security but I've had lots of dealing with these sorts of attacks along with backup/DR etc etc.
What I am asking is why are users so willing to trust their data to a company that seemingly have poor defences/responses to cyber attacks.
Please tell me exactly what backup and disaster recovery procedures Garmin have in place. As it's so poor, you must have details? Ahh, 'seemingly' - there we go, you don't know. You don't know what data was compromised. You don't know what the actual attack was. You're guessing that because their services were down for 3 days they must have bad security.
I wasn't intending this to become a detailed analysis of Garmin's response. But seeing so many users posting how happy they were that systems were returning without anyone stopping and thinking for a minute if continuing to use them was such a great idea. If you are happy to then great. I was early trying to raise awareness.
This is a pretty good read for those interested in finding out more about the response and the potential use for such data.
https://www.zdnet.com/article/garmins-outage-ransomware-attack-response-lacking-as-earnings-loom/
If someone's gonna hack Garmin so they can come to Leeds and nick my Planet X road bike the world really has gone ****ing mental!
Then I’d expect you to know what sort of backup/DR plans companies the size of Garmin would have in place.
It’s taken 3 days to start to get stuff back online. First day – isolation and prevention of more catastrophic damage. 2nd day – forensics, identifying the vulnerabilities, how they got in, and patching/fixing them. This could be as simple as using a different MFA method if this was compromised, it could mean patching a flaw in multiple different web servers. At the same time, restoring lost data from backups, which if it was a large amount, can take hours and hours. Day 3 – testing of all services before a phased switch on.
I’ve worked in IT for 6 years, not specifically security but I’ve had lots of dealing with these sorts of attacks along with backup/DR etc etc.
First reports were last Wednesday no? With some services returning this morning? That's six days by my count.
If someone's gonna hack Garmin so they can come to Leeds and nick my Planet X road bike the world really has gone **** mental!
Your Planetx road bike is the last thing they want.
That’s naive at best. It's not the data itself, it's what they can do with it.
I don't know if my data has been compromised, and if it has, to what level of exposure, and again, if a "bad actor" has access to my personal data, then there's honestly not a lot I can do about that, or worry about the fact that some Russian in a bot factory now knows that I get about 8hrs of sleep a night. There's nothing short of stopping using the internet for ever that will protect me 100% from that sort of activity.
To be honest, the sort of folk who come and rob you are just going to rock up to my house on the off chance, they're not going to first buy some random piece of data from a hacker who got some lines of script (that with the right programme) can see within 250 yards of where I start and stop my cycling activity... Call me naive if it makes you feel like Neo, but honestly, I'm more in danger of being mugged in real life than I am from some random having some data from Garmin (if they do at all).
I suppose they are a bit busy fixing stuff but I am surprised there hasn't been an official announcement from Garmin. Unless there has been one and I haven't seen it.
I suppose they are a bit busy fixing stuff but I am surprised there hasn’t been an official announcement from Garmin. Unless there has been one and I haven’t seen it.
They're all out breaking into people's garages!!
Thursday by my reckoning, so 4 days - not 3, apologies. Still within realms of getting a big attack resolved.
Even Wednesday makes it 5 days as services started to come back early this morning.
That link on zdnet basically just says their comms haven't been great. In my opinion, more damage would be done releasing something possibly not accurate in the early days, then having to retract that and release a formal press release afterwards. I'd prefer they concentrate on fixing the issues rather than releasing something to say 'yes we know the systems are down, we think it's this, it should be back up by xx date'. More damage would be done by fluffing a release than no release at all. Under promise, over deliver. Or never give someone a date that you can't guarantee.
Anyway, am I worried about my data possibly being in the hands of someone else? No. It probably already is...
But seeing so many users posting how happy they were that systems were returning without anyone stopping and thinking for a minute if continuing to use them was such a great idea. If you are happy to then great. I was early trying to raise awareness.
Yes, it's something to consider, but as I said before if you choose not to use any company that has ever been hacked/fell foul of ransomware/had systems compromised/had a data breach, you'd run out of options very quickly. That sort of thinking, I'm afraid, is tin-foil hat territory. The NHS got done a few years back. I presume you're OK using them?
Unless you opted out of it when the letters went round a while back, various companies already have access to far more detailed healthcare data on you, and for far less outlay and risk: https://www.theguardian.com/technology/2020/feb/08/fears-over-sale-anonymous-nhs-patient-data
Also, when talking about locking data away with Ransomware and stealing data, bear in mind the amount of data Garmin probably holds is absolutely vast - and so probably quite difficult to squirrel out of their network without leaving some sort of trace. I've no idea how much data Garmin Connect ingests each day, but I'm guessing enough that trying to steal say a week's worth would set off some biggish alarm bells. And if you're an attacker going for maximum bang for your buck, would you really want to risk your payday to exfil data that may or may not be valuable over weeks or months at a low bitrate?
There's also the issue of ease of data exploitation: credit card or (in the US) social security numbers are relatively easy to exploit and the data relatively easy to sell on as a result. Someone can, from their sofa, run through stolen card details and make money for relatively low effort and low risk. What's the easily-exploited use for all this data? I'm not saying there isn't one, and I'd be happy to hear ideas how / why, but there is unlikely to be a market for burglars wanting to know who on a street has a fitness tracker and therefore might have a nice bike (or not) or a pair of well-used trainers. Best return for the lowest risk and effort is the usual MO, and ransomware's a great example: the payoff (if there is one) is invariably in bitcoin.
I suppose they are a bit busy fixing stuff but I am surprised there hasn’t been an official announcement from Garmin. Unless there has been one and I haven’t seen it.
'tis on the main page 😉
https://www.garmin.com/en-GB/outage/
I wasn’t intending this to become a detailed analysis of Garmin's response.
agreed - time to step away from the allegations of how good or not their systems are, the truth is unless you work in their IT/security team, we'll probably never know. One thing I do know however, is that I would not have wanted to have gotten that on call phone call!!
The last thing you want to hear at any IT area are any of the words 'hacked', 'ransomware', 'everything's down' or 'all my files are locked...' :O
I can sympathise with the guys at Garmin, I highly doubt they'll have had much sleep over the past few days.
I suppose they are a bit busy fixing stuff but I am surprised there hasn’t been an official announcement from Garmin. Unless there has been one and I haven’t seen it.
I have a (very) little bit of experience of how Comms teams plan for this sort of situation - it's something that should be in every organisation's crisis comms plan.
Absolute radio silence aside from a brief factual statement until more is known is one well-regarded approach, and one of several that should have been gamed out and refreshed at least once a year.
It is not the only approach, and it's not always the best, and there'll always be someone with 20:20 hindsight at the end of it. It will have been got to after a great deal of back and forth between Garmin's board of directors, investor relations team, CIO/CISO and teams, outside IR team and the Comms team themselves.
I have a (very) little bit of experience of how Comms teams plan for this sort of situation – it’s something that should be in every organisation’s crisis comms plan.
Agreed. I worked with a company in London who exist solely to war game this type of disaster with your comms people and train them to deal with social and traditional media. Let's hope Garmin give them a call as I believe they did an utterly piss poor job.
’tis on the main page 😉
https://www.garmin.com/en-GB/outage/
Fair enough but that is worse than useless. No time or date, no updates, no mention of user data concerns etc. Compare that to this - https://support.strava.com/hc/en-us/articles/360046805811?deviceType=79
I still think the communication has been poor.
Fair enough but that is worse than useless. No time or date, no updates, no mention of user data concerns etc.
I still think the communication has been poor.
User data concerns:
Was my data impacted as a result of the outage?
Garmin has no indication that this outage has affected your data, including activity, payment or other personal information.
Why would they give a date if they cannot guarantee that it'll be fixed by that time? That would do more damage than not giving a date.
See below
Absolute radio silence aside from a brief factual statement until more is known is one well-regarded approach, and one of several that should have been gamed out and refreshed at least once a year.
It is not the only approach, and it’s not always the best, and there’ll always be someone with 20:20 hindsight at the end of it. It will have been got to after a great deal of back and forth between Garmin’s board of directors, investor relations team, CIO/CISO and teams, outside IR team and the Comms team themselves.
What I am asking is why are users so willing to trust their data to a company that seemingly have poor defences/responses to cyber attacks
The seemingly poor response was to shut down when they suspected an attack, then fixed it. Of course all this is speculation as there’s been no confirmation of a cyber attack.
I think the communication was bad and while I didn't expect Garmin to give any definitive info while they were still investigating a more frequent "we're still working on it" would have been nice.
Let's not forget that their focus is going to be on their quarterly earnings on Wednesday and not on short term PR which will be all but forgotten by the average consumer within a few months.
There have been plenty of data breach cover ups but I don't think we can just assume Garmin is the same without evidence. You take a risk anytime you upload personal information and if you aren't comfortable with the risk of it being leaked then you shouldn't be using these platforms. Frankly compared to FlyGarmin being unusable and $10mil ransoms my extremely limited personal data is hardly worth the effort.
Let’s not forget that their focus is going to be on their quarterly earnings on Wednesday and not on short term PR which will be all but forgotten by the average consumer within a few months.
Yeah - I wonder if the timing was intentional on the part of the attackers. Certainly I don't envy the comms peeps at Garmin at the moment - they must be running on fumes along with their entire IS department by now.
Statement from Garmin at https://www.garmin.com/en-US/outage/
Garmin Ltd. was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation.
We have no indication that any customer data, including payment information from Garmin Pay, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services. Affected systems are being restored and we expect to return to normal operation over the next few days.
As our affected systems are restored, we expect some delays as the backlog of information is being processed. We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.
From Sky News
Sources with knowledge of the Garmin incident who spoke to Sky News on the condition of anonymity said that the company - an American multinational which is publicly listed on the NASDAQ - did not directly make a payment to the hackers.
Doesn't surprise me that they didn't pay, they WILL have had resilient backups in place.
Edit: the unquoted sky bit seems to imply they paid via a third party. I still can't see it, as I say I fully expect them to have had backups etc in place. The wording "Affected systems are being restored" - that's restored, not recovered. You restore from backups, or a snapshot. You recover systems that have been lost.
It might not have even been a targeted attack as such, lots of ransomware encryption attacks start with just a randomly targeted email with a genuine looking .pdf file. Once opened on a system with access to the main servers, bob's your mother's brother. The 'hackers' don't even need access to the systems.
Anyway - tonight's run uploaded to Connect and Strava with no issues, and even my VO2 max has increased! It's taking a while to fully sync but everything seems back to roughly where it was.
I'm conscious of my online profile. I work in IT and security is *part* of my remit.
I don't give a shit what Garmin know about me. It's nothing in the scheme of things.
I can’t say much about it but can say it’s a large and complex recovery. Moral of the story is make sure you have really really good endpoint security and lots of good BIOCs on your alerting. There will be some info released today about it.
Issues with both watches this morn, wife's 4s needed factory reset as it never recorded any distance on her morning run, mine won't lock onto GPS to even start an activity...
Wonder if they've had to release some software overnight?
I've got a server down for maintenance message again.
Depending on how long this outage lasts, next time the scales sync they do seem to remember a few past readings – I know when I have had wifi issues previously more than just the latest weight reading uploaded.
All of the readings have now appeared for the days on which Garmin Connect was offline.
I am still having intermittent uploads.
Yesterday's 6am ride to work only uploaded at 14h30, still waiting for last night's ride home, as well as today's ride in (I broke my AVG speed record in BTW).
Is my inability to load a course onto my head unit a symptom of this?
Plug the unit into a computer (or even iPad now) and copy your gpx into the folder ‘new files’
When you turn it on it’ll pick up the file and load it into courses.
Check before you leave though as some files seem not to play nice and there is nothing telling you it failed.
I find re-saving the gpx again using GPSBabel or ViewRanger usually allows me to load ones that didn’t work.
"Sources with knowledge of the Garmin incident who spoke to Sky News on the condition of anonymity said that the company – an American multinational which is publicly listed on the NASDAQ – did not directly make a payment to the hackers."
The word "directly" bothers me somewhat.
The word “directly” bothers me somewhat.
My understanding is that it is illegal for a US entity to pay any money to this group. Via a third party however......
Also, just want to say, it's now coming up to one week, and services are still not fully restored/recovered.
So what's stopping them targeting them again now they know they're willing to pay?
Anyone else having issues this morning (09/08/20)?
I'm having slow loading, broken dashboard panels and empty calendars as well as the whole website going down; periodically it's working.
I hope that it's not about to go down again.
Mine's fine.
It was unstable earlier but fine now.
Down again, I see.
Looks that way. I have the server maintenance notice back on the Connect App
Routine maintenance
or
‘another ten million please’?
It's all working OK for me.
Mine's down as well.
Routine Maintenance again so appears to be down (may just be me of course).
Have they been hacked again or just overwhelmed by GB Bank Holiday activities?
Not just you, down for me too (and everyone else according to this https://connect.garmin.com/status/)
I’m getting server down. Their status page says a problem with one of their suppliers
Thanks for confirming you two. Brill
Down for me as well today. Nothing uploaded from yesterday onwards.
Was working fine on Friday.