Garmin’s cyber-attack lesson: sprint don’t jog


by Anna Szymanski

Athletes have little patience for slowness, especially when syncing their smartwatches. Garmin, the $19 billion wearables and GPS device maker, fell prey to a cyberattack just days before releasing second-quarter earnings on Wednesday. It’s not the first or the biggest, but it leaves some useful lessons for future victims.

Garmin says perpetrators encrypted its systems, interfering with services like Garmin Connect, which uploads data, and an aviation product. But it said this on Monday – four days after acknowledging there was a glitch in its service. The company says it had “no indication” that data were accessed. Services have started limping back to life. Meanwhile, investors were little troubled. Garmin’s revenue for the second quarter fell only 9% year-on-year, far better than the 31% decline analysts were expecting, according to Refinitiv.

Legally speaking, there’s not much pressure to disclose during these attacks. Securities and contract law normally require the release of information, but not immediately. If sensitive data are compromised, then companies will have to contend with multiple privacy regimes, especially if there is a global user base, but, again, not until after a forensic analysis.

Yet what companies ought to do is a different question – and much depends on the kind of attack. Equifax, the credit-scoring firm that suffered a massive hack in 2017, was able to wait six weeks before revealing the incursion, since consumers were none the wiser. A user who can’t upload data on their 10-mile run knows something is up right away. Similarly, when high-profile users of Twitter including former Vice President Joe Biden were hacked this month, the social network had no time to ponder.

Popular blowback is a problem, and even more for Garmin than Twitter. Fitness-focused watches may be must-haves for competitive athletes, but the company’s share in the larger smartwatch game was a mere 8% in the first quarter versus Apple’s 56%. It can’t take its base for granted. Such firms end up in the unenviable position of scrambling to respond before knowing the extent of the damage.

Companies will learn by doing. Cyberattacks had already increased fivefold during the Covid-19 crisis through April, according to the World Health Organization; remote working creates more vulnerable entry points. There’s no winning this battle – but victims can at least try to be fleet of foot.

