Full Report
Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after threat actors claimed to have stolen nearly 1 petabyte of data from the company in a multi-month breach. [...]
Analysis Summary
# Incident Report: Telus Digital Multi-Month Cloud Data Breach
## Executive Summary
Telus Digital, the business process outsourcing (BPO) arm of Telus, confirmed a significant security incident involving the unauthorized access of its cloud environment by the ShinyHunters threat group. The attackers leveraged stolen Google Cloud Platform (GCP) credentials to exfiltrate nearly 1 petabyte of data, including customer call records, BPO operational data, and internal source code. The breach was a downstream consequence of the Salesloft Drift supply-chain compromise, where credentials were harvested from support tickets.
## Incident Details
- **Discovery Date:** January 2026 (Initial reports); Confirmed March 11, 2026
- **Incident Date:** Multi-month period leading up to March 2026
- **Affected Organization:** Telus Digital (and Telus telecommunications division)
- **Sector:** BPO (Business Process Outsourcing) / Telecommunications
- **Geography:** Canada (Global operations)
## Timeline of Events
### Initial Access
- **Date/Time:** Circa late 2025 / Early 2026
- **Vector:** Credential theft via a third-party (supply-chain) compromise; not credential stuffing, since no password reuse was involved.
- **Details:** Attackers obtained Telus GCP credentials from customer support tickets stolen during the Salesloft Drift breach, where the secrets had been pasted in plaintext.
### Lateral Movement
- **Details:** After accessing the GCP environment, attackers ran the open-source secret scanner **TruffleHog** over the data they could reach to harvest further credentials. The keys it surfaced allowed them to pivot from the initially accessible systems into broader corporate environments, including BigQuery instances and Salesforce data.
### Data Exfiltration/Impact
- **Details:** ShinyHunters claims to have exfiltrated roughly 1 PB of data. This reportedly includes customer support recordings, data from AI-powered support tools, FBI background checks, financial information, and detailed call detail records (CDRs) for Telus consumer fixed-line customers.
### Detection & Response
- **How it was discovered:** Initially flagged by security researchers and threat actor claims; later confirmed via internal forensics.
- **Response actions taken:** Engaged third-party forensics experts, notified law enforcement, and implemented additional security hardening measures.
## Attack Methodology
- **Initial Access:** Valid cloud credentials (GCP) stolen from a third-party breach (Salesloft Drift).
- **Persistence:** Utilization of legitimate cloud authentication tokens and pivoting through harvested secrets.
- **Privilege Escalation:** Not explicitly detailed, but likely achieved via administrative keys found in code/storage.
- **Defense Evasion:** Use of legitimate administrative tools and native cloud interfaces.
- **Credential Access:** Secret scanning (Trufflehog) to find embedded keys and tokens in stored data.
- **Discovery:** Scanning BigQuery instances and cloud storage buckets.
- **Lateral Movement:** Pivoting between cloud services using discovered service account keys.
- **Collection:** Aggregation of customer support tickets, voice recordings, and source code.
- **Exfiltration:** Large-scale data transfer from cloud environments.
- **Impact:** Massive data exposure and ongoing extortion attempts.
## Impact Assessment
- **Financial:** Extensive costs expected for forensics, legal notifications, and potential regulatory fines.
- **Data Breach:** ~1 Petabyte of data; includes PII, voice recordings, and corporate proprietary code.
- **Operational:** Limited; business operations remained functional, but security protocols required immediate overhaul.
- **Reputational:** High; impact extends to 28+ high-profile corporate clients who use Telus for BPO services.
## Indicators of Compromise
- **Behavioral indicators:**
- High-volume data egress from GCP BigQuery or storage buckets.
- Unusual access patterns for service accounts previously linked to support tickets.
- Execution of `trufflehog` or similar secret-scanning tools within the production environment.
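The behavioral indicators above can be turned into detection logic. The following is an added example, not part of the report or of any Telus tooling: it runs three rules over constructed, simplified event records (the field layout is an assumption standing in for Cloud Audit Logs and an endpoint process feed, not the real `protoPayload.*` schema), flagging per-principal egress above a threshold inside a sliding window, reads of resources a principal has no history with, and execution of a secret scanner.

```python
"""Detection rules for the three behavioral indicators (added example)."""
import shlex
from collections import defaultdict, deque
from datetime import datetime, timedelta, timezone

GIB = 2 ** 30
TIB = 2 ** 40

# Constructed sample events in a simplified shape. They are NOT real Telus
# logs and NOT the exact Cloud Audit Log schema (whose fields live under
# protoPayload.*); "bytes" stands in for the bytes a BigQuery job or a
# Cloud Storage read returned. "process" events stand in for an EDR feed.
SAMPLE_EVENTS = [
    {"ts": "2026-01-10T01:00:00Z", "kind": "bq_job",
     "principal": "svc-reporting@demo.iam.gserviceaccount.com",
     "resource": "projects/demo/datasets/billing", "bytes": 5 * GIB},
    {"ts": "2026-01-10T01:05:00Z", "kind": "gcs_read",
     "principal": "svc-support@demo.iam.gserviceaccount.com",
     "resource": "gs://demo-support-recordings", "bytes": 400 * GIB},
    {"ts": "2026-01-10T01:20:00Z", "kind": "gcs_read",
     "principal": "svc-support@demo.iam.gserviceaccount.com",
     "resource": "gs://demo-support-recordings", "bytes": 500 * GIB},
    {"ts": "2026-01-10T01:40:00Z", "kind": "bq_job",
     "principal": "svc-support@demo.iam.gserviceaccount.com",
     "resource": "projects/demo/datasets/cdr_fixed_line", "bytes": 300 * GIB},
    {"ts": "2026-01-10T02:10:00Z", "kind": "process", "host": "analytics-vm-7",
     "cmdline": "/tmp/trufflehog filesystem /mnt/exports --json"},
]

# Constructed baseline: resources each principal touched during a prior
# review period. In practice derive it from historical audit logs.
BASELINE = {
    "svc-reporting@demo.iam.gserviceaccount.com": {"projects/demo/datasets/billing"},
    "svc-support@demo.iam.gserviceaccount.com": {"gs://demo-support-recordings"},
}

SECRET_SCANNERS = {"trufflehog", "gitleaks", "detect-secrets"}


def _parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)


def detect(events, baseline, window=timedelta(hours=1), threshold=TIB):
    """Return alerts for (1) per-principal egress above `threshold` within any
    `window`, (2) a principal reading a resource outside its baseline, and
    (3) a secret scanner being executed inside the environment."""
    alerts = []
    recent = defaultdict(deque)   # principal -> deque of (ts, bytes) in window
    egress_alerted = set()        # alert once per principal, not per event
    for ev in sorted(events, key=lambda e: e["ts"]):   # ISO timestamps sort lexically
        if ev["kind"] == "process":
            exe = shlex.split(ev["cmdline"])[0].rsplit("/", 1)[-1]
            if exe in SECRET_SCANNERS:
                alerts.append({"rule": "secret_scanner_exec",
                               "host": ev["host"], "exe": exe})
            continue
        ts, who, res = _parse_ts(ev["ts"]), ev["principal"], ev["resource"]
        if res not in baseline.get(who, set()):
            alerts.append({"rule": "unusual_resource_access",
                           "principal": who, "resource": res})
        q = recent[who]
        q.append((ts, ev["bytes"]))
        while q and ts - q[0][0] > window:   # evict events outside the window
            q.popleft()
        total = sum(b for _, b in q)
        if total > threshold and who not in egress_alerted:
            egress_alerted.add(who)
            alerts.append({"rule": "high_volume_egress",
                           "principal": who, "bytes_in_window": total})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS, BASELINE):
        print(a)
```

A 1 TiB/hour threshold is deliberately loose; a petabyte-scale exfiltration crosses it within the first hours, and a real deployment would tune per-principal thresholds from the baseline rather than a single constant.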
## Response Actions
- **Containment measures:** Secured cloud systems and revoked compromised GCP credentials.
- **Eradication steps:** Scanned environment for secondary backdoors or remaining "secrets" in logs/tickets.
- **Recovery actions:** Notifying impacted customers and coordinating with law enforcement/forensic firms.
## Lessons Learned
- **Credential Hygiene:** Secrets and authentication tokens should never be stored in plaintext within customer support tickets or logs.
- **Supply Chain Vulnerability:** A breach at a sub-processor (Salesloft) can directly lead to a "crown jewel" breach at a major enterprise.
- **Cloud Visibility:** Massive data movements (Petabytes) should trigger automated high-priority alerts.
## Recommendations
- **Secret Scanning:** Implement automated scanning (e.g., TruffleHog, Gitleaks) in CI/CD pipelines and in support ticketing systems, redacting on ingest, so that a credential pasted into a ticket never reaches the ticket store that a sub-processor can read.
- **MFA Enforcement:** Require phishing-resistant, hardware-backed MFA for all human console and CLI access. Note that MFA does nothing for service account keys or OAuth tokens of the kind found in tickets; for those, restrict key creation with the `constraints/iam.disableServiceAccountKeyCreation` organization policy, prefer short-lived credentials (workload identity federation, service account impersonation), and rotate any key that has ever appeared outside a secrets manager.
- **Data Minimization:** Regularly purge old support tickets and recordings that are no longer required for business purposes.
- **Egress Monitoring:** Enable BigQuery and Cloud Storage Data Access audit logs, baseline per-principal read volume, and alert on deviations; use VPC Service Controls perimeters so that even valid credentials cannot pull data to unapproved networks. Cloud DLP (Sensitive Data Protection) classifies data but is not an egress control.