Canadian Cyber Security Journal

TELUS Digital Confirms ShinyHunters Breach: Nearly One Petabyte of Canadian Data Stolen

What Happened

TELUS Digital, the digital services subsidiary of TELUS Corporation and one of Canada’s largest business process outsourcing providers, has confirmed it suffered a cyberattack after the ShinyHunters threat actor group claimed credit and offered stolen data for sale online.

The breach began when ShinyHunters obtained login credentials for TELUS Digital’s Google Cloud Platform account during the earlier Salesloft Drift breach — a third-party service compromise. Using those credentials, the attackers accessed multiple systems including a BigQuery data warehouse, downloaded its contents, scanned for additional credentials stored within, and moved laterally through connected services.

ShinyHunters claims to have exfiltrated nearly one petabyte of data. The stolen material reportedly includes records belonging to TELUS Digital’s BPO and telecommunications customers, FBI background check documents, Salesforce data exports, call data records, campaign information, and proprietary source code. The group initially demanded a $65 million ransom payment. TELUS Digital has not confirmed any ransom payment or communication with the attackers.

TELUS Digital stated all business operations remain active and no disruption to customer connectivity or services has occurred. A forensic investigation is ongoing.

Why This Matters for Canadian Organizations

TELUS Digital processes data for large-scale enterprise and government clients across North America. A breach of this scale — if the claimed scope is accurate — exposes the downstream data of organizations that contracted TELUS Digital for BPO services, including clients who rely on the company to handle sensitive customer interactions, financial records, and workforce screening processes.

The attack vector is a direct demonstration of supply chain credential risk. TELUS Digital’s systems were not the initial target. Credentials exposed in a third-party software-as-a-service breach — the Salesloft Drift compromise — were the entry point. Any organization using shared SaaS platforms needs to assume credential exposure is a realistic threat regardless of their own internal controls.

ShinyHunters is a prolific and sophisticated threat actor group with a track record of high-volume breaches, including the 2024 Snowflake customer incident that affected over 160 organizations. Their targeting of a major Canadian telecom subsidiary signals an ongoing interest in Canadian corporate infrastructure.

For Canadian organizations currently contracted with TELUS Digital for BPO or telecommunications services, the immediate risk is unauthorized access to records belonging to their own customers, employees, or business processes. This creates exposure under Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and, for organizations in scope, Bill C-26 supply chain accountability obligations.

What to Do

Organizations with active or historical contracts with TELUS Digital should contact the company to determine whether their data is included in the breach scope. Audit all cloud platform credentials stored in SaaS tools and third-party services used by your organization — assume any of those credentials are compromised until verified otherwise. Rotate API keys and service account credentials for Google Cloud, AWS, and Azure environments if any overlap with affected platforms exists. Review your incident response plan for third-party breach scenarios and confirm your PIPEDA breach reporting obligations are understood. If personal data belonging to Canadians was held by TELUS Digital on your behalf, a mandatory breach report to the Office of the Privacy Commissioner may be required.
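
One way to start the credential audit described above is to scan exported SaaS or data warehouse records for embedded cloud credentials. The following is an added example, not code from the article or from TELUS Digital; it assumes newline-delimited JSON exports, and the function names and sample rows are hypothetical and constructed for illustration.

```python
import json
import re

# Publicly documented credential formats; sample data further down is constructed.
PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "gcp_service_account_key": re.compile(r'\\?"type\\?"\s*:\s*\\?"service_account\\?"'),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}

def strings(value, path=""):
    """Yield (field_path, text) for every string nested in a parsed row."""
    if isinstance(value, str):
        yield path, value
    elif isinstance(value, dict):
        for key, item in value.items():
            yield from strings(item, f"{path}.{key}" if path else key)
    elif isinstance(value, list):
        for i, item in enumerate(value):
            yield from strings(item, f"{path}[{i}]")

def scan_export(jsonl_text):
    """Return (row_number, field_path, kind) for each credential-like string."""
    findings = []
    for row_no, line in enumerate(jsonl_text.splitlines(), 1):
        try:
            row = json.loads(line)
        except json.JSONDecodeError:
            row = {"<raw>": line}  # malformed row: scan the raw text instead
        for field, text in strings(row):
            for kind, rx in PATTERNS.items():
                if rx.search(text):
                    findings.append((row_no, field, kind))  # location only, never the secret
    return findings

# Constructed sample rows standing in for a SaaS or warehouse export.
SAMPLE_EXPORT = "\n".join(json.dumps(r) for r in [
    {"ticket": 1, "note": "customer asked about billing"},
    {"ticket": 2, "note": "temp creds: AKIAIOSFODNN7EXAMPLE, rotate later"},
    {"ticket": 3, "integration": {"config": json.dumps({
        "type": "service_account", "client_email": "etl@example.invalid",
        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"})}},
    {"ticket": 4, "tags": ["maps", "key=" + "AIza" + "A" * 35]},
])

if __name__ == "__main__":
    for finding in scan_export(SAMPLE_EXPORT):
        print(finding)
```

Every hit marks a credential to rotate at the issuing cloud provider and then remove from the record where it was found; a clean scan does not prove the data is free of secrets, since only these four formats are checked.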

Source: BleepingComputer | CBC News
