Data Breach · Business Process Outsourcing / Technology Services · Canada · March 2026

TELUS Digital

Analysis of the TELUS Digital breach where ShinyHunters allegedly stole close to 1 petabyte of data, reportedly including BPO customer data for 28 companies, using credentials from the Salesloft Drift breach.

Records Affected

Close to 1 petabyte of data allegedly stolen; BPO customer data for reportedly 28 major companies

Attack Type

Data Breach

Location

Canada

Data types exposed

  • BPO customer data
  • FBI background checks
  • Source code
  • Salesforce data
  • Financial records
  • Voice recordings of support calls

What Happened

On March 12, 2026, Canadian BPO giant TELUS Digital confirmed a data breach after the ShinyHunters group claimed to have stolen close to 1 petabyte of data from the company’s systems.
ShinyHunters reportedly demanded $65 million in ransom, which TELUS Digital rejected. The allegedly stolen data is reported to include BPO customer data for 28 major companies, FBI background checks on employees, source code, Salesforce data, financial records, and voice recordings of customer support calls.
According to reports, ShinyHunters gained initial access using Google Cloud Platform credentials that were found in data stolen during a separate breach of Salesloft’s Drift product. This represents a textbook supply chain cascade: the Salesloft breach led to credential exposure, which allegedly led to the TELUS Digital compromise, which in turn potentially exposes dozens of downstream clients whose data TELUS Digital processes as a BPO provider.

Timeline

  • Early 2026 — Salesloft Drift breach allegedly exposes credentials including TELUS Digital’s Google Cloud Platform access
  • March 2026 — ShinyHunters reportedly uses stolen credentials to access TELUS Digital’s cloud environment
  • March 12, 2026 — TELUS Digital confirms breach; ShinyHunters claims close to 1 petabyte of data stolen
  • March 2026 — TELUS Digital reportedly rejects ShinyHunters’ $65 million ransom demand

Threat Actor Profile

ShinyHunters is one of the most prolific data breach groups currently active, previously linked to breaches at AT&T, Ticketmaster, and other major organisations. The group is known for large-scale data exfiltration and typically monetises stolen data through ransom demands and dark web sales.
In this incident, ShinyHunters allegedly leveraged credentials obtained from a separate breach (Salesloft Drift) rather than conducting a direct attack, demonstrating sophistication in exploiting supply chain vulnerabilities and credential reuse across interconnected cloud services.

Impact and Risk Assessment

For Individuals

If confirmed, individuals whose data was processed by TELUS Digital on behalf of its 28 reported BPO clients may be affected. This could include customer support interactions, voice recordings, and personal information shared during service calls.
Employees of TELUS Digital who underwent FBI background checks may have highly sensitive personal and background information exposed.

For Organisations

TELUS Digital’s reported 28 BPO clients face potential exposure of customer data that was entrusted to TELUS Digital for processing. Each downstream client may need to conduct its own breach assessment and potentially notify its own customers.
The incident highlights systemic risk in BPO relationships: outsourcing customer service and business processes means entrusting large volumes of sensitive data to third parties whose security posture may differ from the data owner’s expectations.
The inclusion of source code and Salesforce data in the allegedly stolen dataset suggests the compromise extended beyond customer-facing systems into TELUS Digital’s core business infrastructure.

Regulatory Context

Canadian privacy law (PIPEDA) requires notification of breaches that create a real risk of significant harm. TELUS Digital’s 28 reported BPO clients may each face separate notification obligations under their respective jurisdictions.
FBI background check data is subject to strict handling requirements under US federal law. Exposure of this data may trigger additional regulatory scrutiny.

What Should You Do?

For Individuals

  • If you have interacted with customer support services that may have been outsourced to TELUS Digital, monitor your accounts for unusual activity.
  • Be cautious of phishing attempts that reference specific details from customer support interactions, as voice recordings and interaction logs may have been exposed.

For Security Professionals

  • Audit your organisation’s BPO and outsourcing relationships. Understand what data is shared, where it is stored, and what security controls your BPO partners have in place.
  • Implement credential rotation and secrets management for all cloud platform access, particularly credentials shared with or accessible to third-party service providers.
  • Review whether credentials from other breaches (such as Salesloft Drift) may provide access to your organisation’s cloud environments. Cross-reference leaked credential databases against your cloud IAM configurations.
  • Consider zero-trust architecture for cloud environments where BPO partners require access, limiting lateral movement in the event of credential compromise.
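
The rotation and cross-referencing steps above, sketched for Google Cloud service-account keys as an added example that is not part of the original advisory. The inventory mirrors the fields of `gcloud iam service-accounts keys list --format=json`; the project, account names, key IDs, leaked text and 90-day threshold are constructed assumptions.

```python
import re
from datetime import datetime, timezone

SA = "projects/example-proj/serviceAccounts/{}@example-proj.iam.gserviceaccount.com/keys/{}"

# Constructed inventory (real key IDs are 40 hex characters; shortened here).
KEY_INVENTORY = [
    {"name": SA.format("crm-sync", "aaaa1111"), "keyType": "USER_MANAGED",
     "validAfterTime": "2024-02-01T00:00:00Z"},
    {"name": SA.format("etl", "bbbb2222"), "keyType": "USER_MANAGED",
     "validAfterTime": "2026-02-20T00:00:00Z"},
    {"name": SA.format("legacy", "cccc3333"), "keyType": "USER_MANAGED",
     "validAfterTime": "2023-06-01T00:00:00Z", "disabled": True},
    {"name": SA.format("etl", "dddd4444"), "keyType": "SYSTEM_MANAGED",
     "validAfterTime": "2026-03-01T00:00:00Z"},
    {"name": SA.format("reports", "eeee5555"), "keyType": "USER_MANAGED",
     "validAfterTime": "2025-01-10T00:00:00Z"},
]

# Constructed text of the kind a vendor might share in a breach notification.
LEAKED_TEXT = '''
ticket 1: {"type": "service_account", "private_key_id": "aaaa1111"}
ticket 2: {"type":"service_account","private_key_id":"cccc3333"}
ticket 3: {"private_key_id": "ffff9999"}
'''

KEY_ID_RE = re.compile(r'"private_key_id"\s*:\s*"([0-9a-f]+)"')

def leaked_key_ids(text):
    """Collect key IDs from service-account JSON fragments in leaked text."""
    return set(KEY_ID_RE.findall(text))

def triage(inventory, leaked_ids, now, max_age_days=90):
    """Return (key_id, finding) pairs for keys needing action."""
    findings = []
    for key in inventory:
        if key["keyType"] != "USER_MANAGED":
            continue  # private half of Google-managed keys is not downloadable
        key_id = key["name"].rsplit("/", 1)[1]
        created = datetime.fromisoformat(key["validAfterTime"].replace("Z", "+00:00"))
        active = not key.get("disabled", False)
        if key_id in leaked_ids:
            # A disabled key can be re-enabled, so leaked ones should be deleted.
            findings.append((key_id, "LEAKED_ACTIVE" if active else "LEAKED_DISABLED"))
        elif active and (now - created).days > max_age_days:
            findings.append((key_id, "STALE"))
    return findings
```

Leaked IDs that match nothing in the inventory (here `ffff9999`) are still worth checking against other projects and against audit logs for already-deleted keys.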

Learnings and Recommendations

Supply chain breaches can cascade from one organisation to many. The Salesloft Drift breach allegedly led to the TELUS Digital compromise, which potentially exposes 28 downstream BPO clients and their customers. Organisations must map and monitor their extended supply chain exposure.
BPO providers hold enormous volumes of sensitive data from multiple clients. A single breach at a BPO provider can simultaneously expose data from dozens of organisations, making BPO security a systemic risk.
Credentials stored in or accessible through SaaS platforms can provide pathways to cloud infrastructure. Organisations should treat SaaS-to-cloud credential flows as critical attack surfaces.
Voice recordings of customer support calls represent a particularly sensitive data type, potentially containing verbal disclosure of personal information, account details, and authentication answers.

This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.