cyber attack | Trade secrets stolen from BRP

Documents appearing to be trade secrets containing strategic information, supplier ratings and prices paid to subcontractors are among the files stolen from BRP during the cyber attack two weeks ago, which are now accessible on the hidden web (dark web).

Posted at 5:00 am

Julian Arsenal

Julian Arsenal
The press

Hugo Joncas

Hugo Joncas
The press

In addition to personal data, such as copies of passports and residence visas, The press was able to consult files that lifted the veil on the – sometimes very new – orientations of the manufacturers of Ski-Doo, Sea-Doo and Can-Am.

Some of them provide a great deal of detail on the procedures for selecting the supplier of a battery pack, a key component of an electric vehicle. A presentation last February included pricing offers from potential partners, data on BRP’s needs and potential cost reductions over time based on quantities ordered.

“The battery is the most expensive part of the vehicle [et l’entreprise] represents the best option for all scenarios with a lower price than the estimated price,” we can read about the targeted supplier in its document The press could tell.

As of Thursday afternoon, the company named in the presentation had not responded to questions from The press.

In its latest update on the cyber attack on Wednesday, the Valcourt-based Quebec multinational ruled that the leaks about its suppliers were limited in “quantity and sensitivity”.

The cyberattack nevertheless allowed the dissemination of information that could prove useful to competitors.

The impact is “significant,” according to Yan Cimon, a professor in the management department at Laval University, although he expects BRP “to weather the storm.”

“Disclosing prices, margins and estimated volumes can be challenging for the company,” he says. Competitors will have a better idea of ​​the cost structure and how to position themselves. When there are interesting agreements among suppliers compared to the industry average, this gives bargaining power to competitors, who will seek savings from the same suppliers. »


The Valcourt plant is one of the sites that has been temporarily closed due to the cyber attack.

A handful of RansomExx ransomware operators’ tens of thousands of files reveal more about the business relationship between BRP and its supplier regarding the battery pack. For example, one file mentions the potential purchase amounts, the conditions for adjusting raw material prices, and the currency used for payments.

“That’s information that puts you at a competitive disadvantage,” said Mark Warner, a commercial law specialist. If there is up-to-date information (strategies, pricing), this is important. »

“Strategic” names

In other files parsed by The press, a stolen document titled “Strategic Purchasing” lists 307 key suppliers, along with the value, to the nearest dollar, of the goods they procured from BRP. The total turnover mentioned exceeds two billion.

These suppliers include many Quebec companies, including several manufacturers of plastic parts for BRP vehicles, such as Soucy International. Contacted by The pressthe Drummondville company confirms that they have been informed that their name appears in stolen files.

“We have received a general letter,” said Joanie Mailhot, spokeswoman for Soucy International. We have no idea of ​​the nature of the information being disseminated. »

Also included in the stolen files is a dozens of pages long presentation of a proposed path that aims to overhaul and standardize delivery methods across the multinational. Some of the goals are predictable: efficiency gains and savings.

The press was also able to observe that the confidential data of several component suppliers – snowmobile hoods, wind deflector brackets, etc. – were offered through dozens of technical drawing files. Small consolation for BRP: Some details, such as room dimensions, are missing.

What should limit the damage from a technical point of view, according to the associate professor at the Faculty of Mechanical Engineering at the Polytechnique Montreal Aurelian Vadean, who became aware of the content of certain files in response to our request.

“It’s less harmful because there are no tolerance measures or indicators,” he explains. However, there are implications on the marketing side. The technical drawing of a cover can give an idea of ​​what a part of the product will look like. It’s harmful, but less so on the technical side. »

In response to questions from The press, BRP said it was “aware of documents posted online.” The company declined to comment, repeating that its investigation was “ongoing” and that the “situation is evolving.”

Learn more

  • 20,000
    This is BRP’s global workforce. The company operates 11 factories in six countries.

    Source: brp

Leave a Comment