Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after threat actors claimed to have stolen almost 1 petabyte of data from the company in a multi-month breach.
Telus Digital is the digital services and business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, offering customer support, content moderation, AI data services, and other outsourced operational services to companies worldwide.
Because BPO providers often handle customer support, billing, and internal authentication tools for multiple companies, they can become attractive targets for threat actors seeking access to large amounts of customer and corporate data through a single breach.
The breach was carried out by threat actors known as ShinyHunters, who claim to have stolen a wide range of customer data related to Telus’ BPO operations, as well as call records for Telus’ consumer telecommunications division.
BleepingComputer was told in January that Telus had suffered a breach and contacted the company with questions, but did not receive a response to our emails at that time.
Yesterday, Telus confirmed that it suffered a breach, stating that it is currently investigating what was stolen and which customers were affected.
“TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely,” Telus told BleepingComputer.
“All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement.”
“We have implemented additional security measures to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers’ information continues to be our highest priority.”
A source told BleepingComputer last week that ShinyHunters had been extorting the company, but Telus was not engaging with the threat actors.
Hacker claims to steal nearly 1 petabyte of data
After learning that Telus was not negotiating with ShinyHunters, BleepingComputer contacted the threat actors with questions about the breach.
According to ShinyHunters, they breached Telus using Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach.
In the Salesloft Drift breach, threat actors downloaded Salesforce data for 760 companies, including customer support tickets. These support cases were scanned for credentials, authentication tokens, and other secrets, which Mandiant reports were used to breach additional platforms.
ShinyHunters says that they discovered Google Cloud Platform credentials for Telus in the Drift data and used them to access numerous company systems, including a large BigQuery instance.
After downloading this data, the threat actors said they used the cybersecurity tool trufflehog to search within it for additional credentials that allowed them to pivot into other Telus systems and download further data.
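The defensive counterpart to the credential harvesting described above is to audit your own support-case exports for pasted Google Cloud service-account keys, so they can be rotated and redacted before a third-party breach exposes them. The following is an added example, not code from the article or from any tool it names; the case bodies, project name, e-mail and key values are constructed placeholders.

```python
import json

_DECODER = json.JSONDecoder()

# Constructed support-case bodies; project, e-mail and key values are placeholders.
_KEY = ('{"type": "service_account", "project_id": "example-proj", '
        '"private_key_id": "0123abcd", '
        '"private_key": "-----BEGIN PRIVATE KEY-----\\nPLACEHOLDER\\n-----END PRIVATE KEY-----\\n", '
        '"client_email": "etl@example-proj.iam.gserviceaccount.com"}')
SAMPLE_CASES = {
    "case-001": "Export job fails with 403. Our key file: " + _KEY + " Please advise.",
    "case-002": "Dashboard has been slow since Monday {see screenshot}.",
    "case-003": 'Debug bundle: {"env": "prod", "creds": ' + _KEY + "}",
}


def find_service_account_keys(text):
    """Return (start, end, key) for each GCP service-account key JSON embedded in text."""
    hits, pos = [], text.find("{")
    while pos != -1:
        try:
            obj, end = _DECODER.raw_decode(text, pos)
        except json.JSONDecodeError:
            obj, end = None, pos + 1
        if isinstance(obj, dict) and obj.get("type") == "service_account" and "private_key" in obj:
            hits.append((pos, end, obj))
        else:
            end = pos + 1  # not a key: step inside so nested objects are examined
        pos = text.find("{", end)
    return hits


def audit_cases(cases):
    """Return ({case_id: [(client_email, private_key_id)]}, {case_id: redacted_body})."""
    to_rotate, redacted = {}, {}
    for case_id, body in cases.items():
        hits = find_service_account_keys(body)
        for start, end, _ in reversed(hits):  # right to left keeps offsets valid
            body = body[:start] + "[REDACTED GCP SERVICE ACCOUNT KEY]" + body[end:]
        redacted[case_id] = body
        if hits:
            to_rotate[case_id] = [(k.get("client_email"), k.get("private_key_id")) for _, _, k in hits]
    return to_rotate, redacted


if __name__ == "__main__":
    for case_id, keys in audit_cases(SAMPLE_CASES)[0].items():
        print(case_id, keys)
```

Any key this reports should be treated as exposed and rotated in IAM; redacting the ticket text alone does not revoke it.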
In all, ShinyHunters claims to have stolen close to 1 petabyte of data belonging to the company and many of its customers, many of whom use Telus Digital as a BPO provider for customer support operations. BleepingComputer has not been able to independently confirm the total size of the stolen data.
The threat actor shared the names of 28 well-known companies allegedly impacted by the breach. However, BleepingComputer will not disclose the names of these companies, as we have been unable to independently confirm whether they were impacted.
The threat actor says that much of the data for these customers relates to BPO services provided by Telus Digital, including customer support and call center outsourcing, agent performance scores, AI-powered customer support tools, fraud detection and prevention, and content moderation solutions.
However, they also claim to have stolen source code, FBI background checks, financial information, Salesforce data, and voice recordings of support calls for various companies.
The breach also reportedly impacts Telus’ telecommunication services, including its consumer fixed-line business. The stolen data for these services allegedly includes detailed call records, voice recordings, and campaign data.
Samples of the call data records seen by BleepingComputer include a call’s time, duration, number from, number to, and other metadata, such as for call quality.
Overall, based on text files describing the attack reviewed by BleepingComputer, the types of stolen data appear to vary widely between companies, with many different business functions exposed.
ShinyHunters said they began extorting Telus in February, demanding $65 million in exchange for not leaking the company’s data, but Telus did not respond to their emails.
If Telus shares further confirmation on what was stolen, we will update this story.
Who is ShinyHunters
While the name ShinyHunter has long been associated with numerous people and data breaches, the current ShinyHunters extortion gang has been one of the most prolific threat actors targeting companies worldwide this year in data theft attacks.
Primarily focusing on stealing data from Salesforce and other cloud SaaS environments, the threat actors are responsible for numerous breaches, including Google, Cisco, PornHub, and online dating giant Match Group.
More recently, threat actors have been conducting voice phishing (vishing) attacks targeting Okta, Microsoft, and Google single sign-on (SSO) accounts. They call employees impersonating IT support staff and trick them into entering credentials and multi-factor authentication (MFA) codes on phishing sites.
As BleepingComputer first reported, the ShinyHunters group has also recently begun using device code vishing to obtain Microsoft Entra authentication tokens.
After stealing their targets’ credentials and auth codes, the threat actors hijack the victims’ SSO accounts to breach connected enterprise services like Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.




