Customers don't need to be "allowed" to protect their data.
I promise you that several major companies have already been quietly breached and credentials stolen.
> credit cards, change passwords
Are already stolen, Garmin hack or not.
1. Your credit card number is public. Deal with fraudulent activity in the usual way.
2. Passwords should be unique. Non unique passwords are already stolen, and unique ones probably are. 2FA and suspicious login detection is what protects you.
I used 'allow' as in, "take into consideration", not "allowed to do something."
You're not wrong, but the huge difference is knowing about specific attacks versus constantly assuming your data is always compromised. Changing your password daily, and canceling your credit card for a new number daily, regardless of breach, is basically what you're suggesting.
Further, we still don't even know if it is in fact a hack, which is the point. If they simply came out and said that their production line got ransomware, but user databases were unaffected but taken offline as precaution, that would go a long way to suggesting what level of mitigation is necessary
Simply stepping up and admitting it at least allows their customers to take steps to protect their data, credit cards, change passwords, etc.