Cyber Incident Victim: Institut national de la recherche scientifique

On August 17, 2022, the Institut national de la recherche scientifique (INRS) experienced a cyberattack that paralyzed its information systems, including all email services and telephony infrastructure. The organization publicly acknowledged the incident on August 29, confirming that essential activities continued despite system outages and that adjustments had been communicated to students regarding the fall 2022 semester. Buildings remained operational and secure throughout the disruption. By September 4, INRS restored functionality to email addresses using its domain, enabling normal communications to resume. The institution collaborated closely with external cybersecurity experts to manage recovery efforts, though it withheld specific technical details about the attack vector or perpetrator to avoid compromising its investigation.

The incident incurred minimum documented costs of $268,778 through two emergency contracts: $188,778 awarded to Mandiant Inc. (a Google subsidiary) on August 23 for cybersecurity response, and $80,000 to Québec-based Micro Logic Sainte-Foy ltée on August 30 for additional support. These contracts were issued without competitive bidding due to operational urgency, with expenses largely covered by insurance except for the deductible. INRS confirmed no evidence of malicious data exploitation but proactively provided Equifax credit monitoring codes to current and former community members as a precaution. Legal advisors assisted throughout the process, though total costs remained undetermined pending full recovery. By May 30, 2023, INRS declared successful restoration of systems while continuing to strengthen network security protocols to safeguard research and academic operations. The organization maintained communication via its website and a dedicated email address ([email protected]) for incident-related inquiries throughout the response period.