
Telus Digital Data Breach Exposes Customer and Call Records
Canadian business process outsourcer Telus Digital has confirmed a cybersecurity incident after threat actors claimed to have stolen close to one petabyte of data in a breach that went undetected for months. The Telus Digital data breach, attributed to extortion group ShinyHunters, exposed customer records, voice recordings, source code, and call metadata spanning both corporate clients and Telus' own consumer telecom division.
How the Attack Unfolded
The breach did not begin at Telus. It started at a third-party vendor.
In 2025, attackers compromised Salesloft's GitHub environment and stole OAuth tokens from the Drift chatbot integration. Those tokens gave them access to Salesforce data belonging to hundreds of organizations. Inside that stolen dataset, ShinyHunters found Google Cloud Platform credentials tied to Telus Digital.
Armed with those credentials, the group accessed multiple Telus systems, including a large BigQuery database. They then used Trufflehog, an open-source credential-scanning tool, to mine the downloaded data for additional passwords and access tokens. Each set of credentials opened new doors. Over several months, the attackers moved laterally through Telus infrastructure and extracted a massive volume of data before detection.
What Was Stolen
ShinyHunters claims the haul totals close to one petabyte. Some reports put the floor at 700 terabytes. The full scope has not been independently confirmed, but the categories of data involved are broad.
On the BPO side, the stolen data allegedly covers customer support records, call center operations, agent performance metrics, AI-driven support tooling, fraud detection systems, and content moderation infrastructure used by client companies. The group also claims to have obtained source code, financial records, Salesforce data, FBI background check results for employees, and voice recordings of support calls.
The breach extends beyond Telus Digital's outsourcing operations. Attackers say they also accessed consumer call records from Telus' fixed-line telecom division, including call times, durations, phone numbers, and associated metadata. ShinyHunters named 28 client companies as affected, though those claims have not been verified independently.
The Ransom Demand
ShinyHunters demanded $65 million to withhold the stolen data from public release. Telus has refused to engage.
That refusal follows a pattern. In January 2026, ShinyHunters leaked data from SoundCloud and Crunchbase after both companies declined to pay. The group has made clear it will publish stolen data when demands go unmet.
Telus Digital's Response
Telus confirmed the breach on March 12, 2026. The company stated it discovered unauthorized access to a limited number of systems, took immediate steps to contain the intrusion, and brought in external forensic experts. It is cooperating with law enforcement and notifying affected customers.
Business operations at Telus Digital remain functional. The company says there is no evidence of service disruption or impact to customer connectivity.
Why BPO Providers Are High-Value Targets
Business process outsourcing firms sit at the center of many companies' customer-facing operations. They handle billing, authentication tools, customer support queues, and call records on behalf of their clients. A breach at one BPO provider can expose the data of dozens of downstream organizations at once.
That concentration of access is precisely what makes them attractive. Attackers who gain a foothold in a BPO environment do not need to breach each client separately. One set of credentials, used well, can yield data from across an entire client portfolio.
A Breach Built on Trusted Access
Security researchers have pointed out that this incident was not a perimeter failure. There was no known zero-day exploit, no brute-force attack against Telus infrastructure. The attackers obtained valid credentials from a third-party breach, then used legitimate access to move quietly through the environment for months.
Multi-month dwell time, large-scale silent exfiltration, and delayed detection are the defining features here. The Trufflehog technique amplified the damage: by scanning bulk-stolen data for embedded credentials, attackers turned one initial foothold into a cascading chain of access.
The lesson is not new, but it keeps applying. Credential hygiene, third-party vendor risk, and detection of lateral movement matter as much as perimeter security. Organizations that treat incident response as a ransomware problem may be poorly positioned for a breach where the only payload is data walking out the door.
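The credential-hygiene point can be checked from the defender's side by auditing your own CRM or data-warehouse exports for embedded cloud credentials, so they can be rotated and removed before a third-party breach exposes them. The following is an added example, not code from the article, Telus, or any vendor named above; the record layout, function names, and sample data are constructed assumptions, and the patterns are illustrative rather than exhaustive.

```python
import hashlib
import json
import re

# Illustrative patterns only; a production scanner covers many more formats.
PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN [A-Z ]*PRIVATE KEY-----.*?-----END [A-Z ]*PRIVATE KEY-----", re.S),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_\-]{35}\b"),
}

def _fingerprint(secret):
    """SHA-256 prefix: lets responders correlate a finding without storing the secret."""
    return hashlib.sha256(str(secret).encode()).hexdigest()[:12]

def _service_account_keys(text):
    """Yield (key_dict, start, end) for GCP service-account key JSON embedded in text."""
    decoder = json.JSONDecoder()
    for m in re.finditer(r"\{", text):
        try:
            obj, end = decoder.raw_decode(text, m.start())
        except ValueError:
            continue  # a brace that does not start valid JSON
        if isinstance(obj, dict) and obj.get("type") == "service_account" and "private_key" in obj:
            yield obj, m.start(), end

def scan_records(records):
    """records: iterable of (record_id, text). Returns redacted findings to drive rotation."""
    findings = []
    for record_id, text in records:
        rest = text
        for sa, start, end in _service_account_keys(text):
            findings.append({"record": record_id, "kind": "gcp_service_account_key",
                             "identity": sa.get("client_email"), "fingerprint": _fingerprint(sa["private_key"])})
            rest = rest[:start] + " " * (end - start) + rest[end:]  # avoid double-reporting
        for kind, rx in PATTERNS.items():
            for m in rx.finditer(rest):
                findings.append({"record": record_id, "kind": kind, "identity": None,
                                 "fingerprint": _fingerprint(m.group(0))})
    return findings

# Constructed sample records (hypothetical support-case notes; all values are fake).
_FAKE_KEY = json.dumps({"type": "service_account", "client_email": "etl@example-project.iam.gserviceaccount.com",
                        "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n"})
SAMPLE_RECORDS = [
    ("case-1001", "Agent pasted key for the export job: " + _FAKE_KEY),
    ("case-1002", "Customer asked about invoice 42 {see attachment}."),
    ("case-1003", "Maps widget fails with key=" + "AIza" + "X" * 35 + " on checkout"),
]
if __name__ == "__main__": print(*scan_records(SAMPLE_RECORDS), sep="\n")
```

Each finding names the record and the affected identity but carries only a hash prefix of the secret, so the report itself can be shared with the team that rotates the key.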
ShinyHunters' Growing Track Record
ShinyHunters has operated since 2020 and shows no sign of slowing. In late 2025, the group was linked to the theft of nearly one billion records from 39 companies, including GAP and Qantas. In early 2026, they targeted Dutch telecom Odido and threatened to release millions of customer records. The Telus Digital data breach is the latest in a sustained campaign against large enterprises.
The group is associated with the Com, an international cybercrime network that the FBI has described as a primarily English-speaking online ecosystem involved in a range of criminal activity. Several US companies are now facing class-action lawsuits tied to ShinyHunters attacks.
The investigation at Telus Digital is ongoing. Affected customers and client companies can expect further notifications as the forensic review progresses.