Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after threat actors claimed to have stolen nearly 1 petabyte of data from the company in a multi-month breach.
Telus Digital is the digital services and business process outsourcing (BPO) arm of Canadian telecommunications provider Telus, offering customer support, content moderation, AI data services, and other outsourced operational services to companies worldwide.
Because BPO providers often handle customer support, billing, and internal authentication tools for multiple companies, they can become attractive targets for threat actors seeking access to large amounts of customer and corporate data through a single breach.
The breach was carried out by threat actors known as ShinyHunters, who claim to have stolen a wide range of customer data related to Telus’ BPO operations, as well as call records for Telus’ consumer telecommunications division.
BleepingComputer was told in January that Telus had suffered a breach and contacted the company with questions, but did not receive a response to our emails at the time.
Yesterday, Telus confirmed that it suffered a breach, stating that it is currently investigating what was stolen and which customers were affected.
“TELUS Digital is investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely,” Telus told BleepingComputer.
“All business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement.
“We have implemented additional security measures to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers’ information continues to be our highest priority.”
A source told BleepingComputer last week that ShinyHunters was extorting the company, but Telus was not engaging with the threat actors.
Hacker claims to steal nearly 1 petabyte of data
After learning that Telus was not negotiating with ShinyHunters, BleepingComputer contacted the threat actors with questions about the breach.
According to ShinyHunters, they breached Telus using Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach.
In the Salesloft Drift breach, threat actors downloaded Salesforce data for 760 companies, including customer support tickets. These support cases were scanned for credentials, authentication tokens, and other secrets, which Mandiant reports were used to breach additional platforms.
ShinyHunters says that they found Google Cloud Platform credentials for Telus in the Drift data and used them to access numerous company systems, including a large BigQuery instance.
After downloading this data, the threat actors said they used the cybersecurity tool trufflehog to search within it for additional credentials that allowed them to pivot into other Telus systems and download further data.
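The chain described above begins with cloud credentials sitting in support-case text. As an added example (not from the article or from any vendor's tooling), this Python code shows the defender-side check: scanning case bodies for GCP service-account key JSON, PEM private keys and Google API keys, and redacting them before the text is stored or synced to a third party. The sample case, project name and function names are constructed for illustration.

```python
import json
import re

PEM_KEY = re.compile(
    r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.DOTALL)
GOOGLE_API_KEY = re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b")
SA_FIELDS = {"type", "project_id", "private_key", "client_email"}

def find_service_account_keys(text):
    """Yield (start, end, client_email) for each GCP service-account key JSON in text."""
    decoder, pos = json.JSONDecoder(), text.find("{")
    while pos != -1:
        try:
            obj, end = decoder.raw_decode(text, pos)
        except ValueError:
            obj, end = None, pos + 1
        if (isinstance(obj, dict) and SA_FIELDS <= obj.keys()
                and obj["type"] == "service_account"):
            yield pos, end, str(obj["client_email"])
        else:
            end = pos + 1  # not a key file: keep looking, including nested objects
        pos = text.find("{", end)

def scan_case(body):
    """Return (findings, redacted_body) for the text of one support case."""
    spans = [(s, e, "gcp_service_account_key", who)
             for s, e, who in find_service_account_keys(body)]
    spans += [(m.start(), m.end(), "pem_private_key", "") for m in PEM_KEY.finditer(body)]
    spans += [(m.start(), m.end(), "google_api_key", "") for m in GOOGLE_API_KEY.finditer(body)]
    spans.sort(key=lambda s: (s[0], -s[1]))
    findings, out, cursor = [], [], 0
    for start, end, kind, detail in spans:
        if start < cursor:  # already covered, e.g. the PEM block inside a key file
            continue
        out.append(body[cursor:start] + f"[REDACTED:{kind}]")
        findings.append((kind, detail))
        cursor = end
    out.append(body[cursor:])
    return findings, "".join(out)

# Constructed sample case text; the key material is a placeholder, not a real key.
SAMPLE_CASE = ("Customer says the export job fails. Key they pasted:\n" + json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key": "-----BEGIN PRIVATE KEY-----\nQUJDREVG\n-----END PRIVATE KEY-----\n",
    "client_email": "exporter@example-project.iam.gserviceaccount.com",
}) + "\nAlso tried API key AIza" + "x" * 35 + " without luck.")

if __name__ == "__main__":
    for kind, detail in scan_case(SAMPLE_CASE)[0]:
        print(kind, detail)
```

Any service account named in a finding should be treated as exposed: rotate its key and review its access logs, since redaction only limits further spread.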
In all, ShinyHunters claims to have stolen close to 1 petabyte of data belonging to the company and many of its customers, many of whom use Telus Digital as a BPO provider for customer support operations. BleepingComputer has not been able to independently confirm the total size of the stolen data.
The threat actor shared the names of 28 well-known companies allegedly impacted by the breach. However, BleepingComputer will not disclose the names of these companies, as we have been unable to independently confirm whether they were impacted.
The threat actor says that much of the data for these customers relates to BPO services provided by Telus Digital, including customer support and call center outsourcing, agent performance ratings, AI-powered customer support tools, fraud detection and prevention, and content moderation solutions.
However, they also claim to have stolen source code, FBI background checks, financial information, Salesforce data, and voice recordings of support calls for various companies.
The breach also reportedly affects Telus’ telecommunication services, including its consumer fixed-line business. The stolen data for these services allegedly includes detailed call records, voice recordings, and campaign data.
Samples of the call data records seen by BleepingComputer include a call’s time, duration, number from, number to, and other metadata, such as call quality.
Overall, based on text files describing the attack reviewed by BleepingComputer, the types of stolen data appear to vary widely between companies, with many different business functions exposed.
ShinyHunters said they began extorting Telus in February, demanding $65 million in exchange for not leaking the company’s data, but Telus did not respond to their emails.
If Telus shares further confirmation on what was stolen, we will update this story.
Who is ShinyHunters
While the name ShinyHunters has long been associated with numerous people and data breaches, the current ShinyHunters extortion gang has been one of the most prolific threat actors targeting companies worldwide this year in data theft attacks.
Primarily focusing on stealing data from Salesforce and other cloud SaaS environments, the threat actors are responsible for numerous breaches, including Google, Cisco, PornHub, and online dating giant Match Group.
More recently, threat actors have been conducting voice phishing (vishing) attacks targeting Okta, Microsoft, and Google single sign-on (SSO) accounts. They call employees impersonating IT support staff and trick them into entering credentials and multi-factor authentication (MFA) codes on phishing sites.
As BleepingComputer first reported, the ShinyHunters group has also recently begun using device code vishing to obtain Microsoft Entra authentication tokens.
After stealing their targets’ credentials and auth codes, the threat actors hijack the victims’ SSO accounts to breach connected enterprise services like Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.




