Garmin’s cyber-attack lesson: sprint don’t jog
Athletes have little patience for slowness, especially when syncing their smartwatches. Garmin, the $19 billion wearables and GPS device maker, fell prey to a cyberattack just days before releasing second quarter earnings on Wednesday. It’s not the first
Garmin says perpetrators encrypted its systems, interfering with services like Garmin Connect, which uploads data, and an aviation
product. But it said this on Monday – four days after acknowledging there was a glitch in its service. The company says it had “no indication” that data were accessed. Services have started limping back to life. Meanwhile, investors were little troubled. Garmin’s
revenue for the second quarter fell only 9% year-on-year, far better than the 31% decline analysts were expecting, according to Refinitiv.
Legally speaking, there’s not much pressure to disclose during these attacks. Securities and contract law normally require the release of information, but not immediately. If sensitive data are compromised, then companies will have to contend with multiple privacy regimes, especially if there is a global user base, but, again, not until after a forensic analysis.
Yet what companies ought to do is a different question – and much depends on the kind of attack. Equifax, the credit-scoring firm that suffered a massive hack in 2017, was able to wait six weeks before revealing the incursion, since consumers were none the wiser. A user who can’t upload data on their 10-mile run knows something is up right away. Similarly, when high-profile users of Twitter including former Vice President Joe Biden were hacked this month, the social network had no time to ponder.