Garmin is back online after US$10 million extortion
It’s been a horror few days for Garmin.
Early on Thursday morning (UTC) the fitness tracking company was hit with a wide-ranging outage that shut down the company’s website, halted production, prevented email, phone or chat support, and stopped activity uploads.
For four days that issue continued. Now, Garmin says the issue has been resolved. The company’s website and Garmin Connect services are online again, and activities are beginning to sync – a fact that will be of some comfort for the millions of Garmin users worldwide who were unable to get any analytics or kudos for their runs and rides over the weekend. Garmin says that it may take some days for normal operation to resume, with the Garmin Connect status page presently showing a mix of ‘online’ and ‘limited’ statuses.
The breach affected not just activity tracking but also services in the company’s automotive, marine, and aviation divisions – such as flyGarmin, a service used by pilots, and Garmin Pilot Apps, which is used for flight plan filing. CyclingTips understands that these functionalities are also in the process of being restored.
Garmin’s communication throughout the ordeal has been fairly opaque – until today, the company referred to the issue in external communications only as an “outage” or “maintenance”. However, anonymous sources within the company revealed to tech websites that the company was the victim of a ransomware attack executed with the WastedLocker software, developed by the Russian Evil Corp criminal hacker group. The price of the ransom was reported to be US$10 million.
Four days after the attack, Garmin released its first formal statement acknowledging it was the victim of a cyber attack, saying:
Garmin today announced it was the victim of a cyber attack that encrypted some of our systems on July 23, 2020. As a result, many of our online services were interrupted including website functions, customer support, customer facing applications, and company communications. We immediately began to assess the nature of the attack and started remediation. We have no indication that any customer data, including payment information from Garmin Pay™, was accessed, lost or stolen. Additionally, the functionality of Garmin products was not affected, other than the ability to access online services.
Affected systems are being restored and we expect to return to normal operation over the next few days. We do not expect any material impact to our operations or financial results because of this outage. As our affected systems are restored, we expect some delays as the backlog of information is being processed. We are grateful for our customers’ patience and understanding during this incident and look forward to continuing to provide the exceptional customer service and support that has been our hallmark and tradition.
Evil Corp – the source of the hack – was sanctioned by the US Treasury in December, which means it would be illegal for Garmin to have paid them the ransom. However, Sky News reported that Garmin “obtained the decryption key to recover its computer files”.
Sources for the Sky story claim that the company did not make a direct payment to the hackers. A payment through a third party, however, could also be subject to Treasury sanctions, which state that “Foreign persons may be subject to secondary sanctions for knowingly facilitating a significant transaction or transactions with these designated persons.” Forbes, meanwhile, speculates that the payment of the ransom could be written off by Garmin as a tax-deductible business expense.
Over the past days, CyclingTips contacted Garmin with a number of specific questions. Among them were enquiries about the scale of the outage, and whether it impacted sister companies including Tacx. Garmin did not respond to these questions.
A follow-up from CyclingTips enquired how Garmin overcame the ransomware attack – including whether Garmin paid the hackers the ransom, either directly or through a third party, or whether the company was able to restore functionality independently by restoring from backup. Garmin declined further comment beyond the statement provided above.