Jul 29, 2020 - Technology

Fitness tech company Garmin confirms ransomware attack

The Garmin logo on a storefront.

Photo: Sergei Mikhailichenko/SOPA Images/LightRocket via Getty Images

Garmin, a major fitness tech company that tracks many users’ workout routines and GPS coordinates, was the victim of a ransomware attack, the company confirmed Monday.

The big picture: The attack, first reported by TechCrunch, froze “the company’s online services for millions of users, including Garmin Connect, which syncs user activity and data to the cloud and other devices.” Garmin’s “aviation navigation and route-planning service” was also affected, says TechCrunch.

  • The ransomware used in the attack, known as WastedLocker, is associated with Evil Corp, a notorious Russian cyber crime group whose leaders were sanctioned by the Treasury Department in 2019.
  • “We have no indication that any customer data, including payment information ... was accessed, lost or stolen,” Garmin wrote in its statement Monday.

Our thought bubble: Although it’s heartening that Garmin claims no data was exfiltrated during the ransomware attack, a Russian hacker group gaining access to millions of users’ workout and travel data should serve as yet another wake-up call to the dangers of commercial tracking data.

Why it matters: Among the millions of users whose data was frozen, it is a safe bet that more than a few were U.S. military and intelligence operatives.

Fitness apps have proven vulnerabilities.

  • In 2018, data leakage from the Strava fitness app revealed the location of secret U.S. military bases abroad.
  • “Pattern of life” analysis is a critical tool in 21st century intelligence operations, and information contained in a seemingly innocuous fitness tracker can offer gold mines to a foreign intelligence service.
  • While the Garmin breach may have ended without mass data leakage, the next major fitness tracking company to be hacked may not be so lucky.
Go deeper