More details of the attack on Garmin
It makes sense for Garmin to not give out details. The press on the other hand shouldn’t act like they are beholden to Garmin.
Yes, there have been lots of rumors and speculation, but at least some of that is justified. Seems pretty clear that at least most of the company was taken out, and what can do that is pretty limited. I mean, it's pretty easy to say what happened was not an update to the Connect web site that went wrong. Even if Garmin had a single centralized server room that a lightning strike took out, this wouldn't be the result.
Just adding to your point, as I totally agree with you.
Strava seem to keep on top of the security options, but a lot of people just don't use them, and not relying on a single (point of failure) security feature is a good idea: set the privacy zones, set more than one close to your house, start your Garmin away from your house (after a couple of junctions). It just makes for good practice.
Like the old one: break into a car, steal the GPS, set course for home (as you know they are out). So don't set home to be your exact home (send them to a neighbour you don't like).
Just a heads up regarding Strava privacy zones: if you screw with your privacy zones where most of your rides start and end at home (regenerate, add more, etc.), Strava is going to recalc your entire ride history achievements and re-rank based on current segment leaderboards. I.e. every past ranking trophy in your ride feed will be permanently upgraded or downgraded based on CURRENT leaderboard rankings since you originally placed. I changed a privacy zone at home earlier this year and found now that, as I scroll through my rides, lots of KOMs I've gotten that have since been beaten no longer show as KOMs; they've been refreshed to #2 trophies etc., like the better rank never even happened. Strava really needs to figure out how to base leaderboard calculations on activity time, because that one-click move made my entire ride feed less satisfying to scroll through in terms of segment awards.
I live in a rural location, so I'd need a pretty big privacy zone to make where I live less than a 1 in 10 chance of burglars finding my house.
But even Strava's privacy zones don't strip out the data about the start/end of your ride, so if someone's hacked Garmin they have access to that data. As @WombleHunter says, the only real way to avoid this is not to start recording your ride until near the edge of your privacy zone and stop it when you approach it.
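The distinction in the two posts above is worth making concrete: a provider-side privacy zone only hides the start and end of a ride in the UI, the stored activity still contains every point, whereas trimming the track on your own machine before upload means the provider never holds those points at all. The following is an added example (not code from the original thread, nor Garmin's or Strava's own logic) that does the client-side trim on a GPX file: it drops the leading and trailing track points that fall within a configurable radius of one or more home locations, and leaves the interior untouched so the ride stays one contiguous track. The sample track and the home coordinates are constructed for illustration.

```python
"""Client-side privacy-zone trimming of a GPX track.

A provider-side privacy zone hides the start/end of a ride in the UI but the
provider still stores every point.  Trimming before upload removes those
points from the data the provider holds.  Added example, not Garmin's or
Strava's code; the track and home coordinates below are constructed.
"""
import math
import xml.etree.ElementTree as ET

GPX_NS = "http://www.topografix.com/GPX/1/1"
ET.register_namespace("", GPX_NS)  # keep <trkpt> unprefixed on re-serialisation

# Hypothetical home location(s): (lat, lon, radius_m).  More than one zone is
# allowed, matching the advice in the thread to set several near your house.
HOME_ZONES = [(51.5000, -0.1200, 500.0)]

# Constructed out-and-back ride that starts and ends at the home coordinate.
# Each 0.001 degree of latitude is roughly 111 m.
SAMPLE_GPX = f"""<?xml version="1.0" encoding="UTF-8"?>
<gpx version="1.1" creator="constructed-example" xmlns="{GPX_NS}">
 <trk><name>Out and back</name><trkseg>
  <trkpt lat="51.5000" lon="-0.1200"><ele>10</ele></trkpt>
  <trkpt lat="51.5010" lon="-0.1200"><ele>11</ele></trkpt>
  <trkpt lat="51.5030" lon="-0.1200"><ele>12</ele></trkpt>
  <trkpt lat="51.5060" lon="-0.1200"><ele>14</ele></trkpt>
  <trkpt lat="51.5120" lon="-0.1200"><ele>20</ele></trkpt>
  <trkpt lat="51.5060" lon="-0.1200"><ele>14</ele></trkpt>
  <trkpt lat="51.5030" lon="-0.1200"><ele>12</ele></trkpt>
  <trkpt lat="51.5010" lon="-0.1200"><ele>11</ele></trkpt>
  <trkpt lat="51.5000" lon="-0.1200"><ele>10</ele></trkpt>
 </trkseg></trk>
</gpx>"""


def haversine_m(lat1, lon1, lat2, lon2):
    """Great-circle distance in metres on a spherical Earth (R = 6371 km)."""
    r = 6_371_000.0
    p1, p2 = math.radians(lat1), math.radians(lat2)
    dphi = p2 - p1
    dlmb = math.radians(lon2 - lon1)
    a = math.sin(dphi / 2) ** 2 + math.cos(p1) * math.cos(p2) * math.sin(dlmb / 2) ** 2
    return 2 * r * math.asin(math.sqrt(a))


def in_any_zone(lat, lon, zones):
    """True if (lat, lon) lies strictly inside any (lat, lon, radius_m) zone."""
    return any(haversine_m(lat, lon, zlat, zlon) < rad for zlat, zlon, rad in zones)


def trim_indices(coords, zones):
    """Return (start, end) so that coords[start:end] is the track with every
    leading and trailing in-zone point removed.  Interior points are kept even
    if they pass through a zone, so the remaining track has no synthetic gaps.
    A ride that never leaves the zone yields an empty slice."""
    start = 0
    while start < len(coords) and in_any_zone(coords[start][0], coords[start][1], zones):
        start += 1
    end = len(coords)
    while end > start and in_any_zone(coords[end - 1][0], coords[end - 1][1], zones):
        end -= 1
    return start, end


def track_coords(gpx_text):
    """All (lat, lon) pairs in document order, across every track segment."""
    root = ET.fromstring(gpx_text)
    return [(float(p.get("lat")), float(p.get("lon")))
            for p in root.iter(f"{{{GPX_NS}}}trkpt")]


def trim_gpx(gpx_text, zones):
    """Remove in-zone points from the start and end of each <trkseg>.
    Returns (trimmed_gpx_text, number_of_points_removed)."""
    root = ET.fromstring(gpx_text)
    removed = 0
    for seg in root.iter(f"{{{GPX_NS}}}trkseg"):
        pts = list(seg.findall(f"{{{GPX_NS}}}trkpt"))
        coords = [(float(p.get("lat")), float(p.get("lon"))) for p in pts]
        start, end = trim_indices(coords, zones)
        for p in pts[:start] + pts[end:]:
            seg.remove(p)  # the point is gone from the file, not merely hidden
            removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    trimmed, n = trim_gpx(SAMPLE_GPX, HOME_ZONES)
    print(f"removed {n} points; {len(track_coords(trimmed))} remain")
    print(trimmed)
```

Run it on a real export by replacing SAMPLE_GPX with the file contents and HOME_ZONES with your own coordinates. Note the deliberate choice to trim only the ends: deleting interior points that pass through the zone would leave a jump in the track, which is itself a tell-tale for where the zone is, and timing or elevation fields on the surviving points are left exactly as recorded.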
Ironically, I know folk who came off Strava after Strava's initial security problems (the nicked bikes after geolocation seemed to be happening often) and kept their 'secure' and private Garmin account.
Still down, and has there been nothing official from Garmin, unless I missed it? Not good. Hopefully the company gets through this.
None of the laws require realtime updates from the company. Even GDPR, which I'm sure is more strict than anything dealing with the stock market, is 72 hours. And that is 72 hours from the point of knowing that the data was breached. (It's the data that's important, not the computers.) If this is just a ransomware attack and no data was exfiltrated, then no 72-hour report is needed. From everything I've seen it seems like just a ransomware attack, so their systems are down because their files were encrypted, which means no breach.
Yes, there is a chance the ransomware is covering the tracks of an attack against Garmin that was a data breach but that seems less likely. (If they were undetected and in Garmin’s network why take it all down and cut yourself off from that data?)
That security problem was also from people telling Strava what bike they rode. Made it easy to target high-value bikes. Garmin has no idea what bike I ride. It was also easy to search for stuff near you. It wasn't a big organized crime ring, more of an easy-opportunity thing.
And in a probably unrelated thing, just back from a ride and my Garmin locked up on saving the ride, so I had to reset the device, so I really, really, really didn't do that ride.
Apparently Garmin Pay is still running, so that's not on their network.
Leaking of user data is a frequent threat in ransomware attacks.
This was on our local news in Reno.
https://www.ktvn.com/clip/15106697/garmin-ransomware
You only need to look back at the Fancy Bears attack that led to the Jiffy bag scandal with Bradley Wiggins.
It's absolutely possible that data has been encrypted and extracted, but Garmin may not know yet if data has been stolen until they can gain access to logs. There is bound to be data relating to professional athletes in Garmin; that could contain all sorts of info if notes have been added to workouts etc.
I may well be wrong, but my understanding is a ransomware attack is a GDPR breach as you are no longer in control of the data.
The question is how many of their systems were shut down to make sure it would not spread, or have they been infected? In many attacks the backups have also been deleted. The longer it is down, the worse position they must be in.
All unimportant to me. Just ask and I’ll tell you all that info and save you the trouble.
All real estate info is public record and easily found.
All race info with your name and where you live, along with race pictures and your bikes, are public records. I think to worry about that kind of info is wasted energy.
Self-confessed Data Protection nerd here. Not that anyone asked, but I started typing...
What the GDPR legislation addresses is risk to rights and freedoms relating to personal and sensitive personal data. Companies operating in those geographies where GDPR applies have certain requirements to ensure privacy and, when breached, act appropriately.
Personal data is data that can be attributed to or identify a legal person (i.e. they are not dead!). Sensitive personal data is dealt with more stringently under the legislation in terms of lawful basis for processing (i.e. why is it necessary to collect it?). Health data is classed as sensitive, so it would be safe to assume power and HR come under this category. Pretty much everything else is either personal or not covered under data protection legislation.
If there turns out to be a wholesale grab of personal data and a genuine risk to individuals, then not only will Garmin have to report the breach to governance entities in a given country (companies who represent nationals in protecting their data rights, the ICO in the UK), they are going to need to inform the individuals too.
Worst case for Garmin could be massive in terms of fines and remedial action, given the number of users and nature of the data they will hold. The nature of the fine depends on what specific parts of the GDPR are breached.
Even if they don't have definitive answers, they should at least post regular updates via social media. I was a big fan of the ecosystem, but it's showing its cracks now. An over-reliance on the Internet, for devices that are used outdoors, is just a bad design...
I sympathize with everything that Garmin is going through. I realize it must be a very stressful and difficult time for their staff, made worse by the current remote-working situation.
What I don't really understand is the complete lack of communication. No updates, no info to their users, just complete radio silence. We're getting more info from some of their partner platforms. I realize they are dealing with a serious situation, but how hard is it to provide a basic info update to users?