This August 9th, BRP announced that their computer systems had become the target of a malicious cyber attack crippling their operations on Monday, August 8th, 2022. At the time we really didn’t think anything of this notice; we figured it was a public company disclosing per regulatory requirements etc. We also figured that, like everybody else, that BRP was a “big enough company” that they “surely” had this under control… Well, that might not be the case!
Per the initial report on the 9th, all BRP related powersport business was halted while they “took immediate measures to contain the situation” and had “retained the services of cybersecurity experts to assist”. While they didn’t say this publicly, I (Big Z) come from the IT world, and that verbiage is code for, “We go hacked and our systems have been infected with ransomware!” (our words, not BRP’s). This delay in business activity immediately created delays with order processing and shipments to customers and dealers.
On Auguest 15th, BRP wrote that they were resuming operations and that “…BRP manufacturing sites in Valcourt (Canada), Rovaniemi (Finland), Sturtevant (USA) and Gunskirchen (Austria) are ramping up production activities and expect to be fully operational on August 16, 2022. The rest of the production sites are planning to resume operations over the course of the week in a phased approach.” This was a good sign as it inferred that those locations were not affected by the cyber attack. The press release mentioned that the ongoing effort to restore affected systems was continuing and that they were, “working to restore all internal systems from its back-up repositories” and that “the malware infiltration came through a third-party service provider”, indicating that they had identified the source of the infection and were readily restoring functionality… but we kept hearing that parts and orders were continuing to be delayed to service shops and customers.
This last Tuesday, BRP announced that they had become aware that, “information on certain employees and suppliers accessed by an unauthorized third party has been leaked on the dark web.” They mentioned that they had already contacted the affected employees and were providing credit monitoring services. BRP continued by saying that the company, “believes that the compromised information relating to certain of its suppliers is limited in quantity and sensitivity, and is in the process of contacting them.” They did not mention what details were accessed, but having employee’s sensitive information and supplier data compromised through a third party service sure sounds like an ERP software like Salesforce, SAP, or the like.
Yesterday, BRP announced that, “additional employee information has been compromised, specifically certain credentials of employees using BRP computers for personal use.” meaning that those that were using their work computers for personal use (social media, etc.) may have had their accounts compromised as well. BRP reaffirms that they do not believe any additional sensitive data from their customers and suppliers has been released, but were extending credit monitoring services to all of their employees. They wrap up saying they are working to, “mitigate the consequences of the cyberattack” and that BRP “continues to put in place all the necessary measures to protect the integrity of systems and data, and its employees and stakeholders’ information.”
This is all very unfortunate as while BRP says they’ve resumed operations, we continue to hear feedback from dealers, customers, and service centers that they are getting no orders, parts, warranties, etc processed during this time. We’ve even heard that many employees simply have no access to work computers or systems; operating the old fashion way (shaking hands and making phone calls). We wonder how long can this continue before 2023 shipments dates are delayed and if any expectation of supply fulfillment is hopeful through the end of the year!
As consumers and community members, it’s our responsibility to be patient with our dealers, service shops, and other BRP representatives while they handle this horrible situation. Ransomware is no joke and we should all be very careful on what we click/tap on and enable 2FA (two-factor authentication) on any services we use. 2FA is the option that sends you a secret code, or uses a code generator app on your phone, once you have logged in to verify that it’s actually you that’s logging in.
We reached out for official comment on the situation, but BRP has no comment at this time leaving us to rely on their press releases. We’ll try to keep up to date on the topic and the supply chain to keep you informed. Again, please be patient with your local BRP dealers and service personnel as their hands are tied.
Update August 29th, 2022:
We have heard from a couple sources telling us that this was in fact a ransomware attack with a ransom demand of mid-six figures! Additional updates include the BRP systems tasked with hosting the communications portal, serving the press release links above, is now down along with the US/Canada dealer application website.
The dealer portal “BOSSWeb” (a Salesforce website) has also been preempted with, “August 21st: The malicious cybersecurity attack against BRP has impacted BOSSWeb that still has limited functionality. While our team focuses on restoring all our systems, we ask that you DO NOT access BOSSWeb with any direct URLs or shared links, other than the BOSSWeb login page, to submit any transaction until further notice. Thanks for your collaboration.”
As always, we will continue to follow the story and bring you updates as we get them.
Update August 31st, 2022:
While corrections to the BRP news servers began earlier this week, it appears they’ve restored most, if not all functionality on the host. This has no impact on the back-end struggles affecting the recovery from the attacks on the internal infrastructure.
Update September 2nd, 2022:
The BRP dealer portal BOSSWeb now has been updated with the following prompt: “September 2: As we continue to bring back functions in BOSSWeb, you may experience a visual or performance difference from before the cybersecurity incident. We are aware of Knowledge Center VIN Search issues as other issues and we will resolve them as we continue to come back to normal operations. Thanks for your patience”. While their proof reading skills are lacking, we’re sure they are in a hurry trying to get things fixed for dealers!
The North American dealer application form is still reporting server errors.
Update September 24th, 2022:
BRP has posted their quarterly earnings (PDF, revenues up 28% YOY) and mentions the cyber-attack, but does not provide any details.
Dealer login no longer prompts security warnings and the dealer application is still broken.
Update October 25th, 2022:
As of the end of October, all sites appear to be operational and responsive, including dealer applications etc. Dealer networks continue to struggle to get parts on time, but it is assumed these delays will mitigated and become less frequent over time as the logistics teams have time to catch up.