Cyber Incident Victim: Bombardier Recreational Products
Date: Aug 2022
Location: Canada
Summary
BRP Inc., a manufacturer of recreational vehicles, experienced a cyberattack that prompted the temporary suspension of its operations. The company detected malicious cybersecurity activity and implemented containment measures, engaging external experts to assist its internal IT team in securing systems while launching an investigation into the incident. The attack coincided with unrelated corporate acquisitions and resulted in a minor decline in its stock price.
Description
On August 8, 2022, Bombardier Recreational Products (BRP) identified malicious cybersecurity activity targeting its systems, prompting immediate containment measures. The company temporarily suspended operations across its manufacturing facilities in response to the incident. BRP engaged external cybersecurity specialists to collaborate with its internal IT team in securing affected infrastructure and launched a formal investigation into the attack’s origin and scope. The operational disruption occurred concurrently with BRP’s announcement of its acquisition of Kongsberg Automotive’s Shawinigan-based business unit, a strategic move aimed at expanding its mechatronics capabilities and adding 300 employees. This followed another acquisition days earlier—an 80% stake in Pinion GmbH, a German bicycle gearbox developer—as part of BRP’s diversification into urban mobility solutions.

The cyberattack caused BRP’s shares to decline by 0.4% to $95.11 on the Toronto Stock Exchange the following day, reflecting investor concerns over operational and reputational impacts. BRP did not disclose technical details regarding the attack vector, compromised systems, data exfiltration, or threat actor attribution. A company spokeswoman declined to elaborate beyond the initial statement, citing ongoing investigation protocols. No ransomware claims or data leak threats were publicly reported in available sources. The incident highlighted operational vulnerabilities amid BRP’s expansion activities, though the company maintained focus on containment and recovery without specifying downtime duration or financial repercussions.
