Thursday, 30 July 2020
By Freya Riddel

Garmin is back online – after four days of angst, our exercise achievements will once more receive the kudos they deserve. Garmin is a global-tech company, known primarily for their GPS fitness-tracking services and wearables. This return to function follows an extended ‘outage’ of Garmin’s online services which has now been confirmed as a Ransomware attack.

On 23 July 2020 Garmin’s services became unavailable – as millions of users across the globe tried to upload their fitness activity, they were greeted with a notification that Garmin was undertaking “service maintenance” and told to “Check back shortly”. On 26 July, the services were still unavailable and the U.S. company confirmed they had been victim to a cyber attack and at the time of the announcement, it had “no indication that any customer data, including payment information to Garmin pay, was accessed, lost or stolen.”

The impact of this disruption extended beyond the lockdown-athlete’s 5km PB, and the Work-From-Home 10,000 steps per day; Garmin also provides GPS services to the automotive, marine and aviation industries. In fact, the flyGarmin navigation and route-planning database is a regulatory requirement for airplanes under the Federal Aviation Administration (FAA).

The silence following the attack has not allayed concerns – how was the attack resolved - was a ransom paid? And if so, what are the ethical, legal, and economic consequences of that? What is the best practice response to an attack of this nature?

The Attack

Garmin joins the line-up of an increasing number of corporations targeted by cyber criminals for the purposes of extortion. Industry commentator BleepingComputer has identified the attack as Ransomware known as ‘WastedLocker’ associated with the cybercriminal group ‘Evil Corp’.
The same group is said to have extracted over $100 million from hundreds of banks over the last 10 years, and its leader, Maksim Yakubets, was indicted last year by the U.S. Justice Department for his role in the group’s “unimaginable” amount of cybercrime.

What is Ransomware?

Ransomware was discussed in our previous blog, following its use in the recent attack on Lion Breweries in Australia. It is malicious software which encrypts (effectively, ‘locks’) the victim’s data, restricting access until a ransom is paid.

Another recent attack by Evil Corp targeted a number of major U.S. corporations; the group compromised a number of employee devices (by using fake software updates) before the attack was identified and blocked. The cyber security company, Symantec, which blocked the attack, warned that “successful attacks could have led to millions in damages, downtime, and a possible domino effect on supply chains”.

The Impact

Data breaches are expensive. There is often a ransom, systems need to be repaired, new cyber security measures need to be implemented, and the downtime losses caused by the attack itself will likely spread to third parties and supply chains. In this case, Garmin services were inoperable for four days, and the Garmin Taiwan factories were apparently forced into shutdown for two days. Atop all of this are regulatory fines and possible class actions if it is found that the organisation failed to adequately protect personal data.

In Australia, the increasing incidence of data breaches (albeit not necessarily linked to cyber attacks) has led to, or at least aligns with, a growth in litigation appetite. Australia’s first privacy class action was brought against the NSW Ambulance Service, and the ACCC is pursuing a data misuse case against Google. Whilst these remain test cases in Australia, lessons from abroad illustrate a possible trajectory.
In the UK, budget airline EasyJet is facing an £18 million class action filed on behalf of customers impacted by a data breach. The law firm representing the class members (PGMBM) observed that “…the exposure of details of individuals’ personal travel patterns may pose security risks to individuals and is a gross invasion of privacy”. Earlier this year, Equifax (the U.S. credit rating firm) was required to pay $380.5 million USD into a fund as part of a court settlement to compensate members of a class action affected by a data breach.

The reputational damage caused by a cyber attack (and/or data breach) can also have a longer-term financial impact; for example, the first day of the Garmin outage saw a drop in its share price (although it has since stabilised). This reputational risk may drive a reluctance for the targeted company to speak openly about these attacks (and would account for Garmin’s relatively opaque communications to its users to date). However, staying silent limits the opportunity to share lessons learnt (about the methods employed by hackers), and limits the lay understanding of cyber risks.

The Lesson

Whilst cyber attacks are becoming highly sophisticated and so too are the cyber security techniques used to detect and block them, some effective prevention controls remain strikingly simple. Phishing emails and software updates are often used as attackers target the weakest link in the cyber security chain: people. Employee training and advice relating to emails from unknown senders, emails containing suspicious files as attachments, or emails containing a link purporting to be a user update are, therefore, integral defence mechanisms. The importance of robust and frequent security training becomes further enhanced in the new era of remote working, where employees working from home no longer have the same cultural cues found in an office setting.
On an organisational risk-management level, businesses must invest adequately in their security measures as well as their rapid response plans for both the recovery of data, and the communication of breaches to regulatory bodies and customers. The GDPR, for example, imposes fines on companies who fail to notify the Information Commissioner’s Office of breaches within a specified time-frame, and as part of its ‘Notifiable Data Breaches’ legislation the Office of the Australian Information Commissioner (OAIC) requires an organisation to report a breach to both the individuals at risk and the OAIC when there are reasonable grounds to believe a breach has occurred.

A further key lesson for any organisation which falls victim to a Ransomware attack is to seek legal advice and engage a Cybersecurity specialist. Some advantages of such expertise are:

- Prior to a ransom being paid, a Cybersecurity specialist may be in a position to advise whether the encryption is reversible (it would be a shame to expose yourself or your organisation to the legal risks of paying a ransom only to realise the files could never be retrieved);
- If a ransom is paid, the attackers are unlikely to decrypt files for you, and more likely to provide you with the key to do it yourself. Better to have someone with the relevant skills and experience than risk corrupting your files irreparably; and
- If a ransom is paid, it is more likely to be done via the cyber security firm, which may create some ‘legal distance’ between your organisation and the hacker.

Conclusion

Whilst the inability to view your run on an app perhaps does not warrant collective despair, especially in the current scheme of things, the effect had on flyGarmin does give some indication of the potential ramifications these attacks would have when targeted at industrial control systems and critical infrastructure. The impact of cyber attacks is vast, and yet the gravity of their threat remains poorly understood.
The importance of appropriate protection and planning (and investment in such) cannot be overstated. As a silver lining, perhaps the attack on Garmin will serve as a tangible illustration of the importance of cyber security to a new demographic - and it’s a demographic who really do care about their personal stats and data.