Canadian business process outsourcing giant Telus Digital has confirmed a major cybersecurity breach after the ShinyHunters extortion group claimed to have stolen nearly one petabyte of data during a months-long intrusion. The attackers are demanding $65 million in ransom and have threatened to release data affecting dozens of Telus Digital client organizations. Telus confirmed the incident on March 12, 2026, following a BleepingComputer report; the company had been notified of the breach in January but did not initially respond.

What Happened

ShinyHunters gained initial access to Telus Digital's environment by leveraging Google Cloud Platform credentials discovered in data stolen during a prior breach at Salesloft Drift. Once inside, the attackers accessed a BigQuery data warehouse and used trufflehog, an open-source secret-scanning tool, to sweep for additional embedded credentials and API keys across Telus Digital's cloud infrastructure. This credential-chaining technique allowed them to pivot laterally across internal systems over a period of months while remaining undetected.

The attackers began extorting Telus in February 2026, demanding $65 million to prevent the release of stolen data. When Telus declined to negotiate, ShinyHunters contacted media outlets directly, sharing data samples as proof of the breach. Telus Digital's statement confirmed unauthorized access to "a limited number of systems" and stated that forensics experts and law enforcement have been engaged.

What Was Taken

ShinyHunters claims to have exfiltrated approximately 700TB to 1PB of data. Reuters reviewed samples shared directly by the attackers and corroborated the following data types across at least two dozen client organizations:

Why It Matters

Telus Digital is not just one company; it is the operational backbone for dozens of enterprises that outsourced their customer support, billing, content moderation, and authentication workflows to a single trusted vendor. A breach here doesn't stop at Telus Digital's perimeter. Every organization whose data flows through Telus Digital's systems is now potentially exposed, regardless of whether their own security posture was sound.

This is the supply chain attack model at scale. The initial access vector, credentials harvested from a completely separate company (Salesloft Drift) and reused to breach a third party, demonstrates how interconnected SaaS ecosystems create compounding exposure. ShinyHunters didn't need to attack Telus directly. They attacked a vendor's vendor.

The $65 million demand is among the largest publicly reported extortion figures. The strategic, multi-month dwell time and deliberate data organization before extortion (described by CSO Online as "not smash-and-grab ransomware, but strategic, disciplined, and optimized for maximum leverage") signals a maturation in how sophisticated extortion groups operate against high-value BPO targets.

The Attack Technique

What Organizations Should Do

  1. Audit all BPO and third-party vendor data access immediately: Inventory exactly what data Telus Digital (and any similar BPO provider) can access on your behalf; scope access to the minimum necessary and rotate any shared credentials
  2. Rotate credentials if your org is a Telus Digital client: Assume all API keys, service account tokens, and authentication credentials accessible through Telus Digital's environment are compromised; rotate now, notify downstream systems
  3. Run trufflehog against your own repositories and cloud storage: If attackers used it to find your secrets inside Telus Digital's environment, you should find them first in your own; scan GitHub, S3, BigQuery, and CI/CD pipelines for embedded credentials
  4. Enforce credential isolation across SaaS and vendor ecosystems: GCP, AWS, and Azure service accounts shared with or accessible by third parties must be isolated, scoped, and rotated on a defined schedule; never reuse credentials across vendor boundaries
  5. Prepare breach notification workflows for downstream exposure: If you are a Telus Digital client and customer PII, call records, or financial data was processed through their systems, engage your incident response team and legal counsel now; regulatory notification timelines are already running
  6. Review call recording and PII retention policies with all BPO vendors: Data that is not retained cannot be stolen; minimize what third-party processors store and enforce contractual data minimization obligations
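The credential-chaining technique described under "What Happened" (secrets harvested from one environment and reused to reach the next) is exactly what steps 3 and 4 above are meant to interrupt. The sweep below is an added example written for this article, not trufflehog and not code from Telus Digital or any of the outlets cited: it walks a directory tree, flags cloud credentials by shape (an AWS access key id, a Google API key, a PEM private-key header, a GCP service-account JSON file) and catches opaque secrets with a Shannon-entropy check on assignments to names like PASSWORD or TOKEN. The patterns, the 3.5 bits/char threshold and every sample credential are constructed assumptions; reports are redacted so the scan output itself never becomes a second copy of the secret.

```python
"""Directory secret sweep in the spirit of step 3 above.

Added example, not trufflehog and not code from Telus Digital. Detector
patterns, entropy threshold and sample files are assumptions for illustration.
"""
import json
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Credentials recognisable by shape alone (simplified public formats; assumed).
TOKEN_PATTERNS = {
    "aws_access_key_id": re.compile(r"\b(?:AKIA|ASIA)[0-9A-Z]{16}\b"),
    "gcp_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}
# Opaque secrets: a suspicious variable name assigned a long, high-entropy value.
ASSIGNMENT = re.compile(
    r"(?i)\w*(?:secret|password|passwd|token)\w*\s*[=:]\s*['\"]?([A-Za-z0-9_\-/+=]{16,})"
)
ENTROPY_THRESHOLD = 3.5  # bits per character (assumed tuning value)
SKIP_DIRS = {".git", "node_modules"}
MAX_BYTES = 1_000_000


@dataclass
class Finding:
    path: str
    line: int       # 0 for whole-file findings
    detector: str
    sample: str     # redacted; never the full secret


def shannon_entropy(s: str) -> float:
    """Bits per character; a 32-character string of distinct symbols scores 5.0."""
    n = len(s)
    if n == 0:
        return 0.0
    return -sum(c / n * math.log2(c / n) for c in Counter(s).values())


def redact(value: str) -> str:
    """Keep a short prefix so findings can be shared without leaking the value."""
    return f"{value[:4]}...({len(value)} chars)"


def detect_service_account_json(text: str):
    """GCP service-account key files are JSON with a fixed shape; return client_email."""
    try:
        doc = json.loads(text)
    except ValueError:
        return None
    if isinstance(doc, dict) and doc.get("type") == "service_account" and "private_key" in doc:
        return doc.get("client_email", "<no client_email>")
    return None


def scan_text(path: str, text: str) -> list:
    email = detect_service_account_json(text)
    if email is not None:
        return [Finding(path, 0, "gcp_service_account_json", email)]  # one finding per key file
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for name, pat in TOKEN_PATTERNS.items():
            for m in pat.finditer(line):
                findings.append(Finding(path, lineno, name, redact(m.group(0))))
        m = ASSIGNMENT.search(line)
        if m and shannon_entropy(m.group(1)) >= ENTROPY_THRESHOLD:
            findings.append(Finding(path, lineno, "high_entropy_assignment", redact(m.group(1))))
    return findings


def scan_tree(root: str) -> list:
    """Walk root, skipping VCS/vendor dirs and oversized files; sorted for stable reports."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirnames[:] = [d for d in dirnames if d not in SKIP_DIRS]
        for fn in filenames:
            full = os.path.join(dirpath, fn)
            if os.path.getsize(full) > MAX_BYTES:
                continue
            with open(full, "rb") as fh:
                text = fh.read().decode("utf-8", errors="ignore")
            findings.extend(scan_text(os.path.relpath(full, root), text))
    return sorted(findings, key=lambda f: (f.path, f.line))


# Constructed sample tree: every credential below is a fake of the right shape.
SAMPLE_FILES = {
    "config/app.env": (
        "AWS_ACCESS_KEY_ID=AKIAEXAMPLE000000001\n"
        'DB_PASSWORD="x7Qf9LmZ2pTq8VwA3bNc5RyK1hJe6GsU"\n'
        "ADMIN_PASSWORD=passwordpassword\n"  # low entropy: must not fire
        "LOG_LEVEL=info\n"
    ),
    "deploy/sa.json": json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "client_email": "ci-bot@example-project.iam.gserviceaccount.com",
        "private_key": "-----BEGIN PRIVATE KEY-----\nFAKEFAKEFAKE\n-----END PRIVATE KEY-----\n",
    }),
    "src/main.py": 'GOOGLE_API_KEY = "AIzaSyExampleExampleExampleExample00000"\n',
    "README.md": "# Service\nRun `make test` before pushing.\n",
}


def scan_sample_tree() -> list:
    """Write the constructed tree to a temp dir, scan it, return the findings."""
    with tempfile.TemporaryDirectory() as root:
        for rel, content in SAMPLE_FILES.items():
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(content)
        return scan_tree(root)


if __name__ == "__main__":
    for f in scan_sample_tree():
        print(f"{f.path}:{f.line} {f.detector} {f.sample}")
```

Run it against a checkout or an exported bucket listing by calling `scan_tree(path)`; the sample run reports the AWS key and the high-entropy database password in `config/app.env`, the service-account key file, and the Google API key in `src/main.py`, while the plain-word password and the README produce nothing. Step 4's isolation rule follows directly from what this finds: any service-account key that turns up in a repository or a shared data store is one that a third party could have found the same way.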

Sources