This would just be an inconvenience, but according to the media sources I've read, Garmin also provides GPS services to airlines, the most current version of which the FAA requires an airline to use in order to fly. Garmin also has a pilot scheduling software product that airlines use. A friend just texted me that he'd heard the hackers are asking for a $10 million ransom. But that's just hearsay.
I never log on, connect or upload to Garmin, just direct from watch to laptop then manual upload to Strava. Plus I never start and stop it near the house anyway.
Wet Coast wrote:
If they were hacked and data was compromised then by law they have to make that news public. The damage is reputational to them of course.
Their head office is near Kansas City.
There is no federal oversight, however, there are common laws agreed to across all states that are implemented per state and territory.
Breach Notifications:
All 50 states plus the District of Columbia, Puerto Rico, Guam, and the Virgin Islands have implemented rules requiring notification to individuals when their personal information (PI) has been compromised.
Kansas has a minimum threshold of 1000 people affected:
Kansas
Kansas state flag
In 2012 Kansas passed a statute regarding brief notifications, and how any entity collecting consumer information must do so in the event of a breach.
If the breach affects 1,000 consumers or more, it is necessary to contact all consumer reporting agencies across the US of “the timing, distribution, and content” of the notifications.
I am not sure if Garmin stores all data in another state or country, the reporting laws are different and this one doesn't apply.
You can see if you want where your profile or info is on what sites that have been breached at the website: Have I been PWND.
https://haveibeenpwned.com/Not if, but when.
I've worked in this area.
Which breach notification law applies depends on where the affected individuals reside, not where the company is headquartered. So, Garmin has to worry about whether a breach has occurred by the definition of every jurisdiction in which they have customers.
Now...just because a company has been hacked does not mean a breach, as defined by a state's breach notification law, has happened.
For example, I live in Virginia. Garmin would have to notify me if there was an exposure of a) my first initial and last name or first and last name combined with b) my social security number, drivers license number, financial account information, military ID number, or passport number.
Garmin has my name, but not as far as I can remember any of that other information. So....even if my name was exposed, or my running routes, or my email address, Garmin does not need to notify me.
Most states have similar definitions of PI - some combination of name and numerical or financial information. If you want to have fun, here's one chart of the various notification laws in the US.
https://www.perkinscoie.com/images/content/2/3/v3/234941/Security-Breach-Notification-Law-Chart-06.22.2020.pdfIn Europe, under the GDPR, there is a broader definition of "personal data". And notification is required if the data is destroyed, accessed, altered.
But....if all the personal information has been encrypted, and Garmin has no reason to believe that it has been exposed, stolen, or destroyed, then there's no notification requirement. The fact that Garmin is down does not in itself constitute a notifiable breach under any law that I am aware of (it's been a few years since I worked in this area).
Also worth noting...if there was a notifiable breach, the notification takes a LOT of time, and cannot be instant. In the US, each state has its own requirements around the form of the communication - how it is sent, what is stated in it, etc. And some states require that the attorney general or similar review and approve the notification before it is sent out.
And once you've got all those notifications drafted and approved, you still have to get them sent out. Which is a massive amount of work when you have many many users (there are vendors who specialize in doing the mass mailing for you, and tracking returns, as well as maintaining a call center to field questions).
Garmin just put up a brief update:
darkwave wrote:
In Europe, under the GDPR, there is a broader definition of "personal data". And notification is required if the data is destroyed, accessed, altered.
But....if all the personal information has been encrypted, and Garmin has no reason to believe that it has been exposed, stolen, or destroyed, then there's no notification requirement.
Also worth noting...if there was a notifiable breach, the notification takes a LOT of time, and cannot be instant. In the US, each state has its own requirements around the form of the communication - how it is sent, what is stated in it, etc. And some states require that the attorney general or similar review and approve the notification before it is sent out.
And once you've got all those notifications drafted and approved, you still have to get them sent out. Which is a massive amount of work when you have many many users (there are vendors who specialize in doing the mass mailing for you, and tracking returns, as well as maintaining a call center to field questions).
I'd add that if all your data is encrypted, it's difficult to know who your customers are that need notifying!
so far everything I'm reading indicates it was a ransomware attack and then Garmin took some additional services offline to stop it from spreading. while a ransomware attack can also include a data breach have not seen any evidence of it yet.
If the data was stored securely merely having access to it does not mean you're able to get in the clear information.
ow82jwgw7 wrote:
so far everything I'm reading indicates it was a ransomware attack and then Garmin took some additional services offline to stop it from spreading. while a ransomware attack can also include a data breach have not seen any evidence of it yet.
If the data was stored securely merely having access to it does not mean you're able to get in the clear information.
Finally someone who understands how this stuff works. Just because the attackers got access to a server doesn't mean that they had access to the database server that was running on the server they accessed. It is highly likely that no data was lost/compromised.
That being said, sometimes ransomware attacks are done in an attempt to cover up a more nefarious activity that was committed by the attackers.
There are a number of reasons things could be taking awhile to get back online.
1. One of the more likely reasons is that the sheer amount of data that they are potentially trying to restore from backups is a scale that is difficult for us to think about.
2. They are still in the process of trying to figure out what all was compromised. Like I mentioned above, stuff like this is sometimes done as a smoke screen of sorts in an attempt to cover up something more nefarious.
3. A combination of the above and who knows what else.
If their engineers did their jobs right we will have access to our data again soon and we won't have to worry about our data being compromised. If they didn't, well, shame on them.
What interests me most is how interconnected Garmin must be for their call centres and productions lines to be unable to work. I worked in IT until about fifteen years ago - in servers in fact - but never saw this level of integration. It was coming though as the medium-sized organisation I worked for 8-10 years ago was replacing its phone system with VoIP. I can imagine production lines are demand-operated.
Of course this is downside of lowering costs by integrating everything and making it even more efficient. It becomes very vulnerable to an IT attack.
I seem to remember that prior to 9-11, the major bank I was working for had been consolidating all their buildings and staff into single locations to reduce costs but after it, they realised they were creating a Single Point of Failure and went back to more locations around the world.
trackislife12 wrote:
Wow, you’re really protecting yourself with a fake birthday! Hackers can’t find that information anywhere else, great job!!!!!
Thanks, bro. My credit file occasionally confuses me with a 99 year old dead guy (seriously). I also once got a call from a bank about a delinquent loan I didn’t have. My Garmin account info is throwing off more than just your average hackers apparently.
It's funny that companies often hound users to change their password every X week or use a stronger password....then their entire system ends up getting hacked.
It IS possible to give fake results if you managed to steal someone else's watch and upload the .FIT file from there watch to yours. BUT...today while manually uploading my FIT file I accidentally selected yesterday's file and strava gave me an error of a duplicate activity. So there is a unique identifier that Strava associates with each activity to check for duplicates. Not sure if it's only for duplicates on the same account or if it checks for duplicates across all users. It would take an immense amount of storage to store a hash of every single user's activity upload, literally millions of new entries a day. So I suspect that it is only duplicates for the same user that get flagged.
Rex Hudler wrote:
lwood wrote:
Seems like there would be a lot of people giving fake results?
Eh, if anyone actually pays for a virtual race, I don't think they can complain.
All it takes is ONE idiot clicking an ad to install some software or following the link in a cleverly crafted email for the entire system to be compromised. It comes down to security as well. Your individual laptops should be setup so that programs cannot just be installed by clicking on an ad. Mac OS does a good job of preventing stuff like that form occurring. I bet the machine that led to the system being compromised was a Windows machine.
snowman212 wrote:
It's funny that companies often hound users to change their password every X week or use a stronger password....then their entire system ends up getting hacked.
Uhhh wrote:
What interests me most is how interconnected Garmin must be for their call centres and productions lines to be unable to work. I worked in IT until about fifteen years ago - in servers in fact - but never saw this level of integration. It was coming though as the medium-sized organisation I worked for 8-10 years ago was replacing its phone system with VoIP. I can imagine production lines are demand-operated.
Of course this is downside of lowering costs by integrating everything and making it even more efficient. It becomes very vulnerable to an IT attack.
I seem to remember that prior to 9-11, the major bank I was working for had been consolidating all their buildings and staff into single locations to reduce costs but after it, they realised they were creating a Single Point of Failure and went back to more locations around the world.
It is very unlikely that everything is integrated and was taken down in a single attack. It is much more likely that a sysadmin's credentials were acquired via a phishing attack or social engineering.
Most large companies have a preset plan in place to deal with these types of things. In these types of scenarios a common plan is to take down any system that person had access to and verify that it wasn't compromised before bringing it back online. This can just take some time.
Again, I have no clue if this is what happened or is what is going on at Garmin, just speaking in generalities based on my experience in the industry.
Even still you would expect company computers to have some kind of antivirus that would stop it. M
bartholomew_maxwell wrote:
All it takes is ONE idiot clicking an ad to install some software or following the link in a cleverly crafted email for the entire system to be compromised.
It comes down to security as well. Your individual laptops should be setup so that programs cannot just be installed by clicking on an ad. Mac OS does a good job of preventing stuff like that form occurring. I bet the machine that led to the system being compromised was a Windows machine.
snowman212 wrote:
It's funny that companies often hound users to change their password every X week or use a stronger password....then their entire system ends up getting hacked.
Indeed - one idiot.
Reading around on this stuff, I saw a story about how the IT people at one company send emails with dodgy links to the staff as training. 80% of the executives were clicking on the links.
Also the organisation I joined about a decade ago had a block on USB ports to stop people bringing in infected sticks. You could bring stuff in and get the IT dept to plug it into a sandbox to check there was nothing dodgy on it. Apparently though they got told to re-enable all the USB ports because the CEO was frustrated that he couldn't use it.
WIthout wanting to go too far offtrack, it's like Hilary and the personal email server.
That's the problem in many organisations. The people at the top are as big of a liability as anyone.
bennyyyv wrote:
Even still you would expect company computers to have some kind of antivirus that would stop it. M
It was probably a phishing attack. You click on a link in an email that looks like it is from a legit place. It takes you to a website that looks like the legit place. You enter your username and password. They capture your password.
Antivirus software really can't prevent this. It doesn't even have to happen on your company computer or with your company email address, since so many people reuse passwords.
This is why two factor authentication is so important. It easily mitigates the risk here. Again, just speculating.
Uhhh wrote:
Indeed - one idiot.
Reading around on this stuff, I saw a story about how the IT people at one company send emails with dodgy links to the staff as training. 80% of the executives were clicking on the links.
Training and education are one of the really important ways to prevent these types of attacks. The company I work for frequently sends out emails that are fake phishing attempts. We are trained to forward any email that looks suspicious to us to a specific department to be analyzed. We are rewarded when we correctly forward on the fake phishing attempts to this department.
The company I work for does this. If you fail you have to go through a training course lol.
Uhhh wrote:
Reading around on this stuff, I saw a story about how the IT people at one company send emails with dodgy links to the staff as training. 80% of the executives were clicking on the links.
.
Yeah AV software is useless once the attacker gets admin credentials. They can just turn it off or adjust the rule sets to whitelist whatever evil domain they want to serve the attack from.
mdubs wrote:
bennyyyv wrote:
Even still you would expect company computers to have some kind of antivirus that would stop it. M
It was probably a phishing attack. You click on a link in an email that looks like it is from a legit place. It takes you to a website that looks like the legit place. You enter your username and password. They capture your password.
Antivirus software really can't prevent this. It doesn't even have to happen on your company computer or with your company email address, since so many people reuse passwords.
This is why two factor authentication is so important. It easily mitigates the risk here. Again, just speculating.
It seems to impact more than just uploaded data. I have a Fenix6 and during last nights run it showed pace correctly but was stuck at 0.00 miles the entire run. Prior to last night this device was rock solid at locking onto satellites and tracking distance. Perhaps this is a coincidence but if you can’t use an $800 device on a standalone basis I agree with others and my loyalty to Garmin may be over. This morning I’m headed out on a bike ride, I hope my bike radar still detects cars