Garmin is in a unique position with their ransomware incident. They are both a manufacturer AND hold regulated data. The value of their devices is directly tied to the availability of their apps and the personal data they hold.

I don't see that Garmin has a choice but to pay. 1/

The fact that a single incident seems to have taken down their data service AND their manufacturing indicates very loose trusts or very flat networks. Neither is good from a security perspective, but I'm also confident that either will be quickly corrected, no big deal to me. 2/

What IS a big deal to me is my personal data. Many ransomware groups exfiltrate data before encrypting and demand extortion payments from victims, lest they release this data. That's almost certainly the case here.

If Garmin refuses to pay, I don't see things going well. 3/

There are two issues with the data: confidentiality and availability. On the availability side, their products are almost expensive paperweights without the Garmin back-end. On the confidentiality side, @HeatherMahalik and @iamevltwin showed what you can do with fitness data. 4/

Oh, and location data. OMG location data.

Honestly, how many customers does Garmin keep if customer data goes public? This isn't just step counts, higher end devices have all sorts of features including heart rate monitoring and GPS route tracking. Awesome devices (usually). 5/

I say this as a @GarminFitness customer of many years: if my data goes public or remains unavailable because they don't pay, I'll be evaluating my options with other fitness device providers.

I abhor ransomware, but it's a business decision. I hope they make the right one. /FIN