Cyberattack | Trade secrets stolen from BRP

Documents that appear to be trade secrets containing strategic information, supplier evaluations and prices paid to subcontractors are among the files stolen from BRP during the cyberattack two weeks ago and now accessible on the hidden web (dark web).

Julien Arsenault
The Press

Hugo Joncas
The Press

In addition to personal information, such as copies of passports and residence visas, The Press was able to consult files that lift the veil on the orientations – some of which are very recent – ​​of the manufacturer of Ski-Doo, Sea-Doo and Can-Am.

Some of them contain a multitude of details on the procedures for selecting the supplier of a battery pack, a key component of an electric vehicle. A presentation from last February includes prices offered by potential partners, data on BRP’s needs and potential cost reductions over time based on volumes ordered.

“The battery is the most expensive part of the vehicle [et l’entreprise] represents the best option for all scenarios with a price lower than the estimated price”, can we read, about the targeted supplier, in the document whose The Press was able to find out.

As of Thursday afternoon, the company named in the presentation had not responded to questions from The Press.

In its most recent update on the cyberattack on Wednesday, the Quebec multinational based in Valcourt judged that the leaks about its suppliers were limited in “quantity and sensitivity”.

The cyberattack nevertheless allowed the dissemination of information that could prove useful for competitors.

The impacts are “significant”, according to Yan Cimon, professor in the management department of Laval University, even if he expects BRP to “weather through the storm”.

“Revealing prices, margins, estimated volumes, this can be a challenge for the company, he says. Competitors will have a better idea of ​​the cost structure and know how to position themselves. Among suppliers, if there are interesting agreements compared to industry averages, this will give bargaining power to competitors who will try to obtain savings from these same suppliers. »

A handful of the tens of thousands of files from the RansomExx ransomware operators tell more about the business relationship between BRP and its supplier regarding the battery pack. For example, a file mentions the potential amounts of purchases, the conditions of adjustment to the prices of raw materials and the currency used to make the payments.

“This is information that puts you at a competitive disadvantage,” said Mark Warner, a specialist in commercial law. If there is recent information (strategies, pricing), it is important. »

“Strategic” names

In other files scanned by The Press, a stolen document titled “Strategic Purchasing” lists 307 major suppliers, along with the value of the goods they procured to BRP, to the nearest dollar. The total sales mentioned exceed two billion.

These suppliers include many Quebec companies, including several manufacturers of plastic parts for BRP vehicles, such as Soucy International. Contacted by The Pressthe Drummondville company confirms that it was notified that its name appeared in stolen files.

“We received a generic letter,” said Soucy International spokesperson Joanie Mailhot. We have no idea of ​​the nature of the information disseminated. »

Also found in the stolen files is a presentation, several dozen pages long, about a suggested trajectory aimed at revamping and standardizing supply methods across the multinational. Some of the objectives are predictable: to achieve efficiencies and generate savings.

The Press was also able to observe that the confidential data of several component suppliers – snowmobile hoods, deflector brackets, etc. – were offered through dozens of technical drawing files. Small consolation for BRP: some details, such as room measurements, are missing.

What limit the damage in terms of engineering, according to the associate professor in the mechanical engineering department of Polytechnique Montreal Aurelian Vadean, who became aware of the content of certain files at our request.

“It’s less damaging, because there are no tolerance measures or indicators,” he explains. However, there are repercussions on the marketing side. The technical drawing of a cover can give an idea of ​​what part of the product will look like. It’s harmful, but less on the engineering side. »

In response to questions from The Press, BRP said it was “aware of the documents” posted online. The company did not comment further, reiterating that its investigation was “still ongoing” and that the “situation continues to evolve”.