I got a new mobile phone and was going through the setup. On top of numerous Android updates, I had to reset a number of applications back up. While it’s a pain, I also appreciate from a security standpoint that moving access to my data and sites to a new device could be an issue. One of the applications I was trying to set up was Garmin Connect, as I track my exercise, heart rate, and more on my watch. When I first tried this, I got a 404 in the app, which was strange.
Apparently Garmin was having issues. They had a large outage. The next day I saw that article, and while I could get to the main Garmin site and log in, I couldn’t get a new install of the app to connect on my phone, and I couldn’t get access to any of my workout data. Even old data, apparently isn’t on my phone, as I thought. It’s being read from the cloud. That’s disconcerting, though I record my data separately at MapMyRun, so I’m not overly worried. I even found a procedure and tested it for saving my data locally.
Over the weekend after this happened, I didn’t do much, but as of the Monday after the attack, the Verge reported that some data was visible and sync was working. Not for me, but for someone. That’s good, and Garmin has a touch of information about the outage, saying they expect devices to begin syncing at some point. Mine didn’t that day, but did a day or two later.
This is interesting as an attack because it’s not just the company’s own internal data, but also their customers’ data. I don’t know if that was the intention, but what better way to put pressure on a company that take away their customers’ data. I don’t know that this would make them respond differently than losing their internal data, but it likely would be more public. It also might put more pressure on them to pay some ransom.
Ultimately, this is an area that I think the GDPR started to help, but allowing customers to access copies of their data, as well as have rights over how it is used. I think having the right to not only get a copy of my data, but a regular backup is something I think should be required of organizations that collect information about me. Likely there might need to be a charge, but perhaps some regulation about what is reasonable and how this data should be available is a something else that might need some regulatory boundaries.