In total, about 30 gigabytes of data are available on the invisible network (darknet), according to the non-profit organization HackFest, which works to raise companies' awareness of hacking. Also according to HackFest, RansomEXX ransomware is behind the cyberattack that hit BRP.
BRP partially resumed operations from August 15 after a week-long downtime. The company, which has more than 20,000 employees worldwide, provided very little information about the breach, saying at the time that it expected “the data privacy impact of this incident is limited.”
The company also confirmed that the software used in the cyberattack entered the system through an external service provider.
Contacted by Radio-Canada on Tuesday evening, the company declined the interview request, saying it would respond later.
According to HackFest co-founder Patrick Mathieu, the group behind RansomEXX carries out opportunistic attacks. “They scan the network for vulnerabilities; they don’t target a specific company,” he explains. “It could be anyone, SME or multinational.”
“It’s huge. They [BRP] develop many patented products. There is a good chance that there is highly sensitive data, privacy clauses and other things that could be useful to their competitors,” says Patrick Mathieu.
The leak has already attracted the attention of several Internet users. On Tuesday evening, just before 9 pm, nearly 1,000 people visited the RansomEXX page offering BRP data.
This is not RansomEXX's first offense. In November 2020, the group hacked into the Montreal subway.
Patrick Mathieu believes that companies should take cybersecurity more seriously, as many of them are not prepared to manage breaches. As with insurance, companies need to invest more in the security and protection of their customers’ and partners’ data.
“It costs them more to repair and protect after a break-in than if they installed security from day one.”
— Quote from Patrick Mathieu, co-founder of HackFest
According to the Quebec government website, as of September 2022, businesses will have to inform data subjects of any privacy incident that could cause them serious harm, under Bill 25 (formerly Bill 64).