Telus Corp. is grappling with a significant cybersecurity incident at Telus Digital, its business-outsourcing and technology division, after hackers accessed a limited number of systems and made off with nearly one petabyte of sensitive information over several months. The Vancouver-based telecom confirmed the breach involved unauthorized access by ShinyHunters, a criminal extortion group that has demanded CAD $85 million in ransom. The incident underscores growing vulnerabilities in Canada's technology infrastructure and raises questions about data protection practices across the outsourcing industry.

Scope of the Breach

Telus Digital, which operates as the telecom giant's technology and business-process outsourcing arm, fell victim to what security researchers describe as an extensive data theft operation. The hackers claim to have stolen nearly one petabyte—equivalent to approximately 1,000 terabytes—of data spanning several months of unauthorized access. This volume of stolen information represents one of the larger breaches reported against a Canadian company in recent years.

The compromised data encompasses customer information tied to Telus Digital's outsourcing operations, call records from Telus's consumer division, and sensitive materials belonging to multiple client companies that rely on Telus Digital for various services. According to reports, the hackers identified at least 28 well-known companies whose information was caught in the breach, though independent verification of all affected organizations remains incomplete.

How the Breach Occurred

The attack chain reveals a troubling sequence of events that began with a separate security incident. ShinyHunters obtained Google Cloud Platform credentials that were originally exposed during a prior breach of Salesloft and Drift, two software-as-a-service companies. Armed with these stolen credentials, the hackers deployed TruffleHog, a cybersecurity tool designed to search for sensitive information in code repositories and cloud environments, to systematically download additional data from Telus systems.

This technique demonstrates how compromises at one organization can create cascading vulnerabilities across multiple companies in interconnected technology ecosystems. The reliance on cloud platforms and shared credentials across vendors created a pathway for attackers to move laterally from one target to another, amplifying the scale of potential damage.
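For defenders, the practical counterpart is to find cloud credentials sitting in data held by third-party SaaS vendors before someone else does, so they can be rotated. The following is an added example, not taken from the article or from Telus: it scans exported record text for embedded Google Cloud service-account key files and Google API keys, and reports only identifiers needed for rotation. The record format, function names and sample data are assumptions constructed for illustration.

```python
import json
import re

# Google API keys are "AIza" plus 35 URL-safe characters.
API_KEY_RE = re.compile(r"(?<![\w-])AIza[\w-]{35}(?![\w-])")
# strict=False tolerates raw newlines inside a pasted private_key string.
DECODER = json.JSONDecoder(strict=False)

def dicts_in(node):
    """Yield every dict nested anywhere inside a decoded JSON value."""
    if isinstance(node, dict):
        yield node
        node = list(node.values())
    if isinstance(node, list):
        for child in node:
            yield from dicts_in(child)

def embedded_json(text):
    """Yield JSON objects embedded in free text, such as a pasted key file."""
    pos = text.find("{")
    while pos != -1:
        try:
            obj, end = DECODER.raw_decode(text, pos)
        except ValueError:
            pos = text.find("{", pos + 1)
            continue
        yield from dicts_in(obj)
        pos = text.find("{", end)

def scan_records(records):
    """Return (record, kind, account, key id) tuples; never the secret itself."""
    findings = []
    for rec_id, text in records.items():
        for obj in embedded_json(text):
            if (obj.get("type") == "service_account"
                    and "PRIVATE KEY" in str(obj.get("private_key", ""))):
                findings.append((rec_id, "gcp_service_account_key",
                                 obj.get("client_email"), obj.get("private_key_id")))
        for m in API_KEY_RE.finditer(text):
            findings.append((rec_id, "google_api_key", None, m.group()[:8] + "..."))
    return findings

# Constructed sample input: hypothetical support-case text, no real credentials.
FAKE_KEY = json.dumps({"type": "service_account", "private_key_id": "0000constructed",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "svc@example-project.iam.gserviceaccount.com"})
SAMPLE_RECORDS = {"case-1001": "Customer pasted config: " + FAKE_KEY + " please advise",
                  "case-1002": "Our key is AIza" + "X" * 35 + " and it fails",
                  "case-1003": "Nothing sensitive here {not json}"}
```

Each finding names the service account and key ID to disable and reissue; any key found this way should be treated as exposed regardless of whether misuse has been observed.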

Nature of Stolen Information

The breach encompasses a diverse range of sensitive materials spanning both Telus operations and its clients' data. Stolen information includes customer support records, call center agent performance ratings, source code, background check documents, financial information, and Salesforce data. The hackers also obtained voice recordings of customer support calls, fraud detection systems, content moderation tools, and related artificial intelligence infrastructure.

For Telus's consumer communications services, the breach included detailed call data records containing information about when calls were placed, their duration, originating and destination numbers, and metadata related to call quality. This category of information raises particular privacy concerns given its intimate connection to individual Canadians' communications patterns.

The stolen materials also encompassed data related to outsourced customer care services, AI-powered support tools, and fraud prevention systems that Telus Digital provides to clients worldwide. The breadth of information suggests the attackers maintained sustained access across multiple systems and databases within the organization.

The Extortion Demand and Telus's Response

ShinyHunters approached Telus in February with an extortion demand, requesting CAD $85 million in exchange for not publicly releasing the stolen data. Telus has not responded to the extortion attempts, maintaining a position consistent with cybersecurity expert recommendations against capitulating to such demands.

Security researchers have warned that paying ransoms to ShinyHunters and related groups operating under the umbrella organization known as "the Com" often proves counterproductive. Members of this international cybercrime collective have demonstrated a pattern of re-extorting victims who have already paid, extracting additional payments through threats and harassment. Allison Nixon, chief research officer at security firm Unit 221B, has characterized the group's tactics as fundamentally flawed, noting that members often lack the sophistication of earlier ransomware operations and resort to intimidation when data theft alone fails to coerce payment.

Telus stated that all systems within Telus Digital remain fully operational and that no disruption to customer services has been documented. The company said it has implemented additional security measures, engaged cyber forensics experts, and is cooperating with law enforcement agencies investigating the incident. Telus committed to notifying affected customers as appropriate.

ShinyHunters and the Broader Threat Landscape

ShinyHunters has been operating as a cybercriminal entity since 2020, building a reputation for targeting Salesforce and other cloud-based software vendors. The group's methods have evolved beyond simple data theft to include voice phishing attacks, where members impersonate IT staff to trick employees into entering credentials on malicious websites designed to harvest authentication information.

The group operates under multiple aliases, including "Scattered Lapsus Shiny Hunters," and maintains connections to a larger international cybercrime network known as "the Com," or the Community. The FBI has characterized the Com as a primarily English-speaking online ecosystem comprising multiple interconnected networks whose members include both experienced criminals and minors engaged in various criminal violations.

Recent activity by ShinyHunters extends beyond Telus. The group has been linked to attacks against major organizations, including Dutch telecom operator Odido. In the United States, several companies have faced proposed class-action lawsuits stemming from ShinyHunters breaches, including hotel and casino operator Wynn Resorts, which allegedly had more than 800,000 customer records stolen, and music streaming company SoundCloud, where the breach affected information from more than 29.8 million users.

Implications for Canadian Technology Infrastructure

The Telus Digital breach arrives amid a broader pattern of cyberattacks targeting Canadian telecommunications and technology companies. The incident highlights vulnerabilities in how organizations manage credentials across cloud environments and the risks inherent in business-process outsourcing models that concentrate sensitive data from multiple clients in centralized systems.

For Telus shareholders and customers, the breach raises questions about the company's cybersecurity investment and governance practices. While Telus has emphasized that no service disruptions occurred, the unauthorized access to customer data and call records carries potential regulatory and reputational consequences. Canadian regulators and privacy commissioners may scrutinize how Telus managed data protection obligations and whether adequate safeguards were in place.

The incident also underscores broader risks in Canada's technology sector, where companies increasingly rely on cloud platforms and interconnected systems. The attack chain originating from breaches at other vendors demonstrates how supply-chain vulnerabilities can create unexpected exposures across multiple organizations.

The Telus Digital breach represents a significant cybersecurity incident for Canada's technology landscape, exposing the interconnected vulnerabilities that characterize modern cloud-based infrastructure. With nearly one petabyte of data stolen and multiple client organizations affected, the breach demonstrates how compromises at one vendor can cascade across an entire ecosystem of connected services. As Telus works with law enforcement and forensics experts to contain the damage, the incident serves as a stark reminder of the evolving threat posed by sophisticated criminal organizations like ShinyHunters. For Canadian businesses relying on outsourced technology services, the breach underscores the importance of rigorous vendor security assessments and comprehensive data protection strategies.