Nearly 1 PB of Data Allegedly Stolen from Outsourcing Giant Telus Digital
Telus Digital confirmed a breach in which the ShinyHunters group claims to have exfiltrated close to 1 petabyte of data by leveraging Google Cloud credentials stolen from a prior Salesloft/Drift breach, affecting numerous customers and prompting a $65 million ransom demand.
Incident overview – Telus Digital, the business‑process‑outsourcing arm of Canadian telecom provider Telus, announced a security incident after the threat actor group ShinyHunters claimed to have stolen nearly 1 PB of data, including large volumes of customer information.
Attack chain – According to ShinyHunters, the attackers first obtained Google Cloud Platform credentials from the earlier Salesloft Drift data leak. Using those credentials, they accessed a BigQuery instance and other Google Cloud services belonging to Telus Digital. The group then ran the open‑source secret scanner trufflehog over the downloaded data to find additional credentials, which enabled lateral movement across Telus’s internal systems and further data exfiltration.
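The first step of that chain, a third‑party integration credential used against BigQuery from infrastructure the vendor never uses, is visible in Google Cloud Audit Logs. The check below is an added example (not code from BleepingComputer, Telus Digital, or Google) that reads constructed audit‑log entries in the Cloud Audit Log JSON shape; the service‑account name, IP prefixes and per‑principal egress allowlist are hypothetical.

```python
import json
from collections import defaultdict

# Constructed Cloud Audit Log entries (JSON lines), trimmed to the fields this
# check reads. Principals, method names and IPs are illustrative, not real telemetry.
SAMPLE_LOG = """
{"protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"google.cloud.bigquery.v2.TableDataService.List","authenticationInfo":{"principalEmail":"drift-sync@example-proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"203.0.113.10"},"resourceName":"projects/example-proj/datasets/crm/tables/accounts"}}
{"protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"google.cloud.bigquery.v2.TableDataService.List","authenticationInfo":{"principalEmail":"drift-sync@example-proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.77"},"resourceName":"projects/example-proj/datasets/support/tables/tickets"}}
{"protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"google.cloud.bigquery.v2.TableDataService.List","authenticationInfo":{"principalEmail":"drift-sync@example-proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.77"},"resourceName":"projects/example-proj/datasets/support/tables/call_recordings"}}
{"protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"google.cloud.bigquery.v2.TableDataService.List","authenticationInfo":{"principalEmail":"drift-sync@example-proj.iam.gserviceaccount.com"},"requestMetadata":{"callerIp":"198.51.100.77"},"resourceName":"projects/example-proj/datasets/eng/tables/source_snapshots"}}
{"protoPayload":{"serviceName":"bigquery.googleapis.com","methodName":"google.cloud.bigquery.v2.JobService.InsertJob","authenticationInfo":{"principalEmail":"analyst@example.com"},"requestMetadata":{"callerIp":"192.0.2.5"},"resourceName":"projects/example-proj/jobs/job_123"}}
"""

# Hypothetical allowlist: the egress prefixes each third-party integration
# service account is expected to call from (taken from the vendor's documentation).
EXPECTED_SOURCES = {
    "drift-sync@example-proj.iam.gserviceaccount.com": ("203.0.113.",),
}

def parse_entries(jsonl):
    """Parse one audit-log entry per non-empty line."""
    return [json.loads(line) for line in jsonl.strip().splitlines() if line.strip()]

def find_suspicious(entries, expected_sources, max_tables=2):
    """Flag BigQuery events where an allowlisted integration principal calls from an
    unexpected source IP, and principals that touch more than max_tables distinct
    tables in the window (bulk-export behaviour). Returns a list of alert strings."""
    alerts, seen = [], set()
    tables_by_principal = defaultdict(set)
    for entry in entries:
        p = entry["protoPayload"]
        if p.get("serviceName") != "bigquery.googleapis.com":
            continue
        who = p["authenticationInfo"]["principalEmail"]
        ip = p["requestMetadata"]["callerIp"]
        resource = p.get("resourceName", "")
        # Integration credentials have a known home; anything else is a stolen-key signal.
        if who in expected_sources and not ip.startswith(expected_sources[who]) and (who, ip) not in seen:
            seen.add((who, ip))
            alerts.append(f"unexpected source {ip} for integration principal {who}")
        if "/tables/" in resource:
            tables_by_principal[who].add(resource)
    for who, tables in tables_by_principal.items():
        if len(tables) > max_tables:
            alerts.append(f"{who} read {len(tables)} distinct tables (bulk export?)")
    return alerts

if __name__ == "__main__":
    for alert in find_suspicious(parse_entries(SAMPLE_LOG), EXPECTED_SOURCES):
        print(alert)
```

In production the allowlist and table threshold would come from a baseline of each integration's normal behaviour rather than literals, and the same two signals map directly onto a log-based alerting rule.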
Data claimed to be compromised – The leaked material is said to span multiple business functions: customer‑support tickets, call‑center recordings, source code, FBI background‑check records, financial information, Salesforce data, and recordings of consumer telephone calls. ShinyHunters also listed 28 high‑profile companies they allege were affected, though BleepingComputer could not independently verify the list.
Ransom demand – In February the group began a ransomware campaign, demanding US$65 million in exchange for not publishing the stolen data. Telus Digital has not responded to the demand.
Background on ShinyHunters – The group has a long history of targeting SaaS environments, especially Salesforce and other cloud services. Prior incidents include compromises of Google, Cisco, PornHub, and Match Group. Recent activities involve voice‑phishing attacks against Okta, Microsoft, and Google SSO accounts, as well as device‑code phishing to harvest Microsoft Entra tokens. After obtaining credentials, the attackers hijack SSO accounts to infiltrate services such as Salesforce, Microsoft 365, Google Workspace, SAP, Slack, Adobe, Atlassian, Zendesk, and Dropbox.
Telus Digital response – Telus Digital stated that its operations remain normal, with no evidence of impact on client connections or services. The company engaged leading digital‑forensics experts, is cooperating with law‑enforcement agencies, and has implemented additional security controls to prevent further intrusion.
Reference: BleepingComputer (security‑news source).