Late in July, Garmin Connect services went down for the count, leaving some Garmin customers confused and frustrated. As reported by BleedingComputer, Garmin was the victim of a WastedLocker Ransomware attack, which resulted in the outage of not just Garmin Connect but other services including flyGarmin, Strava, and inReach solutions. All of these services were down for the better part of three days.
BleedingComputer also confirmed that Garmin may have paid the ransom in order to get the necessary decryption key to decrypt all the files on their servers that were effected by the ransomware. If this is indeed the case, it’s actually a pretty big deal. Garmin giving in and paying a ransom is more troubling that I think many realize.
Now, lots of other outlets have reported on the problems of ransomware attacks. Both Sky News and Wired have full reports on the Garmin story and talk about why the ransomware thing is potentially bad for other companies. The dire warnings of more ransomware attacks actually points to two problems with Garmin and other companies.
First, the need for disaster recovery solutions is now critical for services like Garmin. I’m very curious as to why Garmin couldn’t just wipe the servers, reload the software, and recover the data from backups. Such disaster recovery procedures would include offsite backups that couldn’t be targeted as part of the ransomware attack.
With proper offsite backups, Garmin could have potentially been back up and running within a day or so with a minimal loss in data. If they paid the ransom then this could be a telling sign that Garmin simply didn’t have any disaster recovery plans in place. Other companies should take heed and protect themselves should they become a target.
Second, the downtime highlighted an obvious flaw in the design of Garmin Connect: an over-reliance on cloud services. The fact that you can’t sync data to other services without first being directly connected to Garmin Connect is a serious flaw in the design.
Other companies like Wahoo don’t appear to have this problem. By comparison, the ELEMNT Companion app isn’t 100% reliant on Wahoo’s servers to work. Sure, if Wahoo’s servers go down, you can’t sync your rides from an ELEMNT bike computer to Wahoo…but you can still sync to other places like Strava, RideWithGPS, Dropbox, and more.
Now that services are back up, I’m sure most Garmin users will be complacent and will forget about the whole thing within a few weeks. But my guess is that there will be a chunk of users who won’t. Some will see all this as a sign and will likely jump ship and find better solutions. Garmin doesn’t exactly have a squeaky clean reputation and in many ways they are their own worst enemy. Time will tell on just how much of an impact the ransomware has had on Garmin and the rest of the industry. My hope is that it leads to the better design of these services.