Posted at 8:00 p.m.
Personal information about executives, details of agreements with suppliers, as well as confidentiality agreements are among the information stolen from the manufacturer of recreational products BRP following the cyberattack that occurred two weeks ago. Anyone can now access this information on the dark web.
According to information released Tuesday by the operators of RansomExx ransomware, around 30 gigabytes of documents – several tens of thousands of files – were stolen. Among other things, there are copies of passports, temporary residence visas and curriculum vitae. Files that contain details of contracts with suppliers as well as confidentiality agreements signed with companies such as Briggs & Stratton have also been posted online.
“It’s still a good amount of data,” said Stephane Auger, vice-president at Équipe Microfix, specializing in information technology, pointing out that most of the files were of “small size” (Word, Excel, PDF documents, etc.).
The personal data of at least four people identified as executives within the manufacturer of Ski-Doo, Sea-Doo and Can-Am have been compromised. Two have left the company, according to their LinkedIn profiles. The others are still employees of the multinational.
“You will understand that I will not comment, but I am very well supervised by BRP, that’s all I can tell you,” replied one of the two executives when reached by telephone by The Press, without specifying whether he was aware of the dissemination of an image of his passport.
No customers
Last week, the Valcourt-based multinational, which has more than 20,000 employees and 11 factories in six countries, limited itself to saying that its investigation was “still ongoing” and that it had “no evidence that the personal information of its customers would have been affected”.
There was not a word about the information of its employees.
“What bothers me most about the list of stolen files is passport data, driver’s license data,” Auger said, adding that this could open the door to identity theft.
In the list of stolen files, the expert also spotted resumes – around twenty – some of which date back to the early 2000s. There are risks even for these people, believes Mr. Auger.
By late Tuesday afternoon, BRP said “the few employees who may have been affected by the incident” had been “personally contacted” by the company.
“The appropriate resources have been made available to them,” wrote a spokesperson, Mélanie Montplaisir, without giving further details.
RansomExx found itself in the spotlight in 2020 amid high-profile cyberattacks targeting government agencies and other private companies. Typically, the group behind the ransomware releases its victims' stolen data when they refuse to pay a sum of money.
Restarting
No company representative has given an interview since the cyberattack. The most recent update dates back to August 15, when the company announced the restart of four sites, including that of Valcourt. The resumption of activities was to follow in the other factories.
“The vast majority of production activities have resumed according to our plan,” wrote Ms. Montplaisir.
This cyberattack against one of the largest multinationals comes as new provisions of the Act respecting the protection of personal information in the private sector in Quebec are to come into force in one month.
As of September 22, there will be an obligation to disclose information leaks to the Commission d’accès à l’information du Québec and to the persons concerned.
Despite the disruption caused by the cyberattack, BRP claims there will be no impact on its fiscal year guidance. Investor confidence does not appear to have been shaken. On the Toronto Stock Exchange on Tuesday, the stock closed at $100.49, up 27 cents, or 0.27%.
With the collaboration of Hugo Joncas, The Press