Cyberattack: confidential BRP data available on the Internet

In all, nearly 30 gigabytes of data are available on the dark web, reports the non-profit organization HackFest, which works to raise awareness about computer hacking. Also according to HackFest, the RansomEXX ransomware is behind the cyberattack that hit BRP.

BRP has partially resumed its activities since August 15, after a week-long shutdown. The company, which has more than 20,000 employees across the world, gave very little information about the leak, saying at the time that it expected that “the impact of this incident from the point of view of confidentiality of the data is limited”.

The company also confirmed that the software used for the cyberattack entered the system through an external service provider.

Contacted by Radio-Canada on Tuesday evening, the company declined the interview request, stressing that it would respond later.

Lure of profits

The group behind RansomEXX carries out its attacks out of greed, according to HackFest co-founder Patrick Mathieu. “They scan the web for vulnerabilities; they don’t target a particular company,” he explains. “It could have been anyone: an SME, a multinational.”

“It is enormous. They [BRP] develop many products under patent. There is a good chance that there are very confidential data, confidentiality clauses and others, which could be useful to their competitors,” says Patrick Mathieu.

The leak has already attracted the attention of several Internet users. Tuesday evening, shortly before 9 p.m., almost 1,000 people had visited the RansomEXX page offering the BRP data.

This is not RansomEXX’s first misdeed. In November 2020, the group notably hacked the Montreal metro.

For Patrick Mathieu, companies should take cybersecurity more seriously, since many of them are not ready to manage breaches. Like insurance, companies should invest more in security and secure the data of their customers and partners.

“It costs them more to repair and secure after a breach than if they put security in place from day one.”

A quote from Patrick Mathieu, co-founder of HackFest

According to the Quebec government website, as of September 2022, businesses will have to inform data subjects in the event of a confidentiality incident that could cause them serious harm under Bill 25, formerly Bill 64.