Telus Digital Data Breach: ShinyHunters Attack Highlights Critical BPO and Cloud Security Gaps

CyberSecureFox 🦊

Canadian outsourcing provider Telus Digital, a subsidiary of telecom operator Telus, has confirmed a cyberattack and data breach that is already being described as one of the most serious compromises of a BPO (Business Process Outsourcing) provider in recent years. The hacking group ShinyHunters claims to have stolen almost one petabyte of data, raising serious concerns for Telus and its global client base.

What Happened in the Telus Digital Cyberattack

Telus Digital delivers BPO services worldwide, including customer support, content moderation, deployment and operation of AI-based services, and other outsourced business processes. This position in the supply chain makes the company a high-value target: compromising a single provider can open pathways into dozens or even hundreds of corporate environments and customer datasets.

According to reporting by BleepingComputer, indications of a potential breach surfaced as early as January 2026, but Telus Digital initially refrained from public comment. The company has now officially confirmed the incident, citing unauthorized access to a limited number of systems and stating that a forensic investigation is underway with the involvement of cybersecurity specialists and law enforcement.

Telus Digital emphasizes that core business operations remain functional and that suspicious activity was quickly contained. However, the scale of the data claimed by ShinyHunters suggests a prolonged, multi-stage intrusion into the company’s cloud and internal infrastructure.

How Attackers Penetrated Telus Digital’s Cloud Environment

Compromised Google Cloud and BigQuery Access

ShinyHunters allege that access to Telus systems was obtained via Google Cloud Platform (GCP) credentials recovered from previously stolen data. These credentials were reportedly found in datasets exfiltrated during the compromise of the Salesloft Drift platform, after which threat actors accessed Salesforce data at approximately 760 organizations, including support tickets.

Security researchers at Mandiant had earlier warned that data stolen in the Salesloft Drift incident and related breaches was being systematically mined for accounts, access tokens, and API keys. Such “digital keys” often become the initial foothold for further attacks on cloud environments, allowing attackers to bypass traditional perimeter defenses such as firewalls and VPN gateways.

Using TruffleHog to Hunt for Secrets in BigQuery

Once inside Telus Digital’s cloud infrastructure, including a large BigQuery instance, the attackers reportedly used the open-source tool TruffleHog. This utility scans code repositories, configuration files, and logs in search of passwords, tokens, and other sensitive “secrets” that are often accidentally stored in plain text.

The combination of vast data volumes and poorly protected secrets in the cloud enabled the intruders to escalate privileges, move laterally to other systems, and automate the extraction of increasingly large and sensitive datasets over time.
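As an added illustration of what secret-scanning tools find (a simplified scanner written for this article, not TruffleHog itself and not any Telus Digital code), the script below applies the two detection ideas such tools rely on: pattern matching for well-known credential formats, and an entropy check for generic `name = value` assignments so that placeholders like `changeme` are not reported. The sample files it scans are constructed; the `AIza` and `AKIA` prefixes and the PEM header are public, documented formats, while the entropy threshold and placeholder rules are assumptions. Defenders run exactly this logic in CI and pre-commit hooks, and over buckets and log exports, so that a plaintext credential is found and rotated before anyone mining stolen data finds it first.

```python
import math
import re
import tempfile
from collections import Counter
from pathlib import Path
from typing import Dict, List

# Well-known credential formats (the prefixes and PEM header are public formats).
SPECIFIC_PATTERNS: Dict[str, re.Pattern] = {
    "google_api_key": re.compile(r"AIza[0-9A-Za-z_\-]{35}"),
    "aws_access_key_id": re.compile(r"AKIA[0-9A-Z]{16}"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Generic "password = value" style assignments; the value must be 8+ non-space chars.
GENERIC_ASSIGNMENT = re.compile(
    r"(?i)(?:password|passwd|secret|token|api[_-]?key)\s*[:=]\s*['\"]?([^\s'\"]{8,})"
)
ENTROPY_THRESHOLD = 3.0  # bits/char; assumption tuned so dictionary words fall below it

def shannon_entropy(s: str) -> float:
    """Bits per character: random-looking credentials score high, words score low."""
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())

def looks_like_placeholder(value: str) -> bool:
    """Template markers such as ${VAR}, {{var}} or <your-key-here> are not live secrets."""
    return value.startswith(("${", "{{", "<"))

def mask(value: str) -> str:
    """Findings must never echo the secret itself into a report or a log."""
    return f"{value[:4]}... ({len(value)} chars)"

def scan_text(text: str, path: str = "<memory>") -> List[dict]:
    findings: List[dict] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        matched_specific = False
        for kind, pat in SPECIFIC_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append({"path": path, "line": lineno, "kind": kind, "preview": mask(m.group(0))})
                matched_specific = True
        if matched_specific:
            continue  # do not report the same value a second time under the generic rule
        for m in GENERIC_ASSIGNMENT.finditer(line):
            value = m.group(1)
            if looks_like_placeholder(value) or shannon_entropy(value) < ENTROPY_THRESHOLD:
                continue
            findings.append({"path": path, "line": lineno, "kind": "generic_assignment", "preview": mask(value)})
    return findings

def scan_tree(root: Path) -> List[dict]:
    """Scan every regular file under root; paths in findings are relative to root."""
    findings: List[dict] = []
    for p in sorted(root.rglob("*")):
        if p.is_file():
            findings.extend(scan_text(p.read_text(errors="ignore"), p.relative_to(root).as_posix()))
    return findings

SAMPLE_FILES = {  # constructed inputs; none of these values is a real credential
    "config/app.env": "DB_PASSWORD=changeme\n"
                      "GOOGLE_MAPS_API_KEY=AIzaSyD0123456789abcdefghijklmnopqrstuv\n",
    "sa-key.json": '{"type": "service_account", "private_key": '
                   '"-----BEGIN PRIVATE KEY-----\\nMIIEvQIBADANBg...(truncated)"}\n',
    "logs/export.log": "2026-01-15 03:12:44 job=bq-export user=svc-etl "
                       "token=Xq7vB2nL9kT4mZ8pR1wDq3Fh status=ok\n",
    ".env.example": "API_KEY=<your-key-here>\nDB_PASSWORD=${DB_PASSWORD}\n",
}

def demo() -> List[dict]:
    """Write the constructed files to a temp dir, scan it, and return the findings."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        for rel, content in SAMPLE_FILES.items():
            f = root / rel
            f.parent.mkdir(parents=True, exist_ok=True)
            f.write_text(content)
        return scan_tree(root)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['path']}:{f['line']} {f['kind']} {f['preview']}")
```

Three of the four constructed files yield a finding (the env file's Google key, the service-account JSON's private key, and the token in the log line), while `.env.example` yields none because both values are placeholders. Two design points carry over to real deployments: the scanner masks what it finds, so the report itself does not become another copy of the secret, and a hit in a log file is the signal that the application is writing credentials where they do not belong.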

Scope and Nature of the Stolen Telus Digital Data

ShinyHunters claim they exfiltrated almost one petabyte of data belonging both to Telus Digital and to multiple corporate customers using its BPO services. Journalists at BleepingComputer reportedly received a list of 28 affected brands, but have not published the names due to a lack of independent verification.

According to the attackers, the stolen datasets include:

  • customer support and call center records;
  • performance ratings and metrics for contact center agents;
  • confidential AI tools for customer interaction and anti-fraud systems;
  • content moderation systems and related data;
  • source code for internal platforms and services;
  • FBI background check results, financial documents, Salesforce data;
  • recordings of customer service phone calls.

The group also claims that the core Telus telecom business was affected. Allegedly stolen assets include Call Detail Records (CDRs) with metadata such as time, duration, phone numbers, and call quality parameters, as well as voice recordings and information on marketing campaigns. While CDRs typically do not include call content, they can reveal sensitive communication patterns at scale.

Supply Chain and BPO Security Risks Exposed

The Telus Digital incident is a textbook example of a supply chain attack. By compromising a large BPO provider, threat actors potentially obtain backdoor access to customer service systems, billing platforms, and even authentication flows of many downstream organizations that rely on the provider’s infrastructure.

The Verizon Data Breach Investigations Report 2024 highlights that stolen or misused credentials remain one of the leading causes of successful breaches. The Telus Digital case illustrates this pattern: previously compromised cloud accounts became the initial vector, enabling attackers to step around conventional perimeter security and operate directly within trusted cloud environments.

Key Cybersecurity Lessons and Practical Recommendations

The attack underscores the importance of comprehensive secrets management and access control, especially for organizations heavily using cloud services and BPO models:

  • Credential hygiene and secrets management. Regular rotation of passwords and keys, eliminating hard-coded secrets in code, and storing credentials in dedicated secret managers on GCP, AWS, or Azure.
  • Multi-factor authentication (MFA). Enforcing MFA for all privileged and cloud accounts, and requiring step-up authentication for high-risk operations such as data export.
  • Least privilege and segmentation. Restricting service accounts and APIs to the minimum permissions required, and isolating sensitive BigQuery projects and workloads by environment and client.
  • Continuous monitoring and audit logging. Proactive detection of abnormal activity in cloud consoles, BigQuery jobs, and API access, with real-time alerting and automated response playbooks.
  • Vendor and BPO security governance. Including BPO providers, contact centers, and other third parties in security audits, penetration testing, and incident response exercises, with clear contractual security requirements.
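As an added example for the monitoring recommendation above (written for this article; not Telus Digital's, Google's, or any vendor's code), the script below runs three simple detections over constructed BigQuery audit-log entries: export jobs whose destination lies outside an approved bucket prefix, a burst of export jobs by a single principal, and API calls from outside trusted networks. The entry layout is modeled on GCP Cloud Audit Logs carrying BigQueryAuditMetadata (`protoPayload.metadata.jobChange.job.jobConfig`), but the exact field paths, the `example-project` principal, the bucket names, the IP ranges and the thresholds are all assumptions that must be checked against your own log export before use.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Policy knobs (assumptions for this example; tune to your environment).
ALLOWED_EXPORT_PREFIXES = ("gs://example-analytics-exports/",)
TRUSTED_NETWORKS = [ipaddress.ip_network("10.0.0.0/8")]
BURST_WINDOW = timedelta(minutes=10)
BURST_THRESHOLD = 3  # this many EXPORT jobs by one principal inside the window

def make_entry(ts: str, principal: str, ip: str, job_type: str,
               dests: Optional[List[str]] = None) -> Dict:
    """Build a constructed entry shaped like a BigQuery Cloud Audit Log record (assumed layout)."""
    job_config: Dict = {"type": job_type}
    if dests:
        job_config["extractConfig"] = {"destinationUris": dests}
    return {
        "timestamp": ts,
        "protoPayload": {
            "serviceName": "bigquery.googleapis.com",
            "methodName": "google.cloud.bigquery.v2.JobService.InsertJob",
            "authenticationInfo": {"principalEmail": principal},
            "requestMetadata": {"callerIp": ip},
            "metadata": {"jobChange": {"job": {"jobConfig": job_config}}},
        },
    }

SA = "etl-sa@example-project.iam.gserviceaccount.com"  # placeholder principal
SAMPLE_LOG = [  # constructed; the last four mimic a scripted bulk export from a foreign address
    make_entry("2026-01-14T02:01:05Z", SA, "10.40.2.15", "QUERY"),
    make_entry("2026-01-14T02:05:40Z", SA, "10.40.2.15", "EXPORT",
               ["gs://example-analytics-exports/daily/2026-01-14/*.csv"]),
    make_entry("2026-01-14T03:10:02Z", SA, "203.0.113.7", "EXPORT",
               ["gs://unrelated-bucket-7731/dump/part-000*.avro"]),
    make_entry("2026-01-14T03:12:31Z", SA, "203.0.113.7", "EXPORT",
               ["gs://unrelated-bucket-7731/dump/part-001*.avro"]),
    make_entry("2026-01-14T03:14:58Z", SA, "203.0.113.7", "EXPORT",
               ["gs://unrelated-bucket-7731/dump/part-002*.avro"]),
    make_entry("2026-01-14T03:17:20Z", SA, "203.0.113.7", "EXPORT",
               ["gs://unrelated-bucket-7731/dump/part-003*.avro"]),
]

def parse_ts(s: str) -> datetime:
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)

def job_view(entry: Dict) -> Dict:
    """Flatten the fields the rules need; absent keys become None or an empty list."""
    p = entry["protoPayload"]
    cfg = p.get("metadata", {}).get("jobChange", {}).get("job", {}).get("jobConfig", {})
    return {
        "ts": parse_ts(entry["timestamp"]),
        "principal": p["authenticationInfo"]["principalEmail"],
        "ip": p["requestMetadata"]["callerIp"],
        "type": cfg.get("type"),
        "dests": cfg.get("extractConfig", {}).get("destinationUris", []),
    }

Alert = Tuple[str, str, str]  # (rule, principal, detail)

def detect(entries: List[Dict]) -> List[Alert]:
    alerts: List[Alert] = []
    seen_ips = set()
    exports_by_principal: Dict[str, List[datetime]] = defaultdict(list)
    for entry in entries:
        v = job_view(entry)
        addr = ipaddress.ip_address(v["ip"])
        key = (v["principal"], v["ip"])
        if not any(addr in net for net in TRUSTED_NETWORKS) and key not in seen_ips:
            seen_ips.add(key)  # one alert per principal/address pair, not per call
            alerts.append(("untrusted_caller_ip", v["principal"], v["ip"]))
        if v["type"] == "EXPORT":
            unapproved = [d for d in v["dests"] if not d.startswith(ALLOWED_EXPORT_PREFIXES)]
            if unapproved:
                alerts.append(("export_to_unapproved_destination", v["principal"], unapproved[0]))
            exports_by_principal[v["principal"]].append(v["ts"])
    # Sliding window over each principal's export timestamps; first burst found is reported.
    for principal, times in exports_by_principal.items():
        times.sort()
        for i, start in enumerate(times):
            in_window = sum(1 for t in times[i:] if t - start <= BURST_WINDOW)
            if in_window >= BURST_THRESHOLD:
                minutes = int(BURST_WINDOW.total_seconds() // 60)
                alerts.append(("export_burst", principal, f"{in_window} export jobs within {minutes} min"))
                break
    return alerts

if __name__ == "__main__":
    for rule, principal, detail in detect(SAMPLE_LOG):
        print(f"[{rule}] {principal}: {detail}")
```

On the constructed log the first two entries (a query and a routine export to the approved bucket from the internal range) produce nothing, while the four later exports trigger one address alert, four destination alerts and one burst alert. In production the same rules would feed an alerting pipeline and a response playbook whose first steps are to disable the service account key and revoke the active session, which is what stops a multi-week exfiltration of the kind described in this article.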

ShinyHunters state that in February 2026 they attempted to extort USD 65 million from Telus in exchange for not publishing the stolen data. According to the group, the company did not respond. This aligns with the growing trend of “pure data extortion”, where attackers do not deploy ransomware but instead weaponize the threat of public disclosure, regulatory impact, and reputational damage.

The Telus Digital breach demonstrates how dependent modern organizations are on the security posture of their providers and how quickly a compromise can propagate across an entire ecosystem. Enterprises relying on BPO and cloud services should reassess contracts, technical controls, and third-party risk programs, adopt Zero Trust principles, and invest in robust secrets management and cloud security training. Strengthening these areas now can significantly reduce the likelihood of becoming the next link in a multi-stage supply chain attack.
