TELUS Digital investigates cybersecurity breach as threat actors claim massive data theft

Canadian business process outsourcing provider TELUS Digital has confirmed a cybersecurity incident involving unauthorized access to several of its systems after threat actors claimed to have stolen nearly one petabyte of company and customer data during a prolonged breach.

The company, which operates as the digital services and business process outsourcing arm of Canadian telecommunications provider TELUS, provides customer support, content moderation, artificial intelligence data services and other operational support for companies worldwide. Its role in managing large volumes of customer data and operational systems for multiple organizations makes it a high-value target for cybercriminals seeking broad access to corporate and consumer information.

The incident is linked to a threat group known as ShinyHunters, which claims responsibility for the intrusion and the theft of extensive datasets connected to TELUS Digital’s outsourcing operations as well as call records tied to TELUS’ consumer telecommunications services.

TELUS Digital confirmed the breach and stated that it is investigating the scope of the intrusion and determining which customers may have been affected. The company reported that the unauthorized access involved a limited number of systems and that immediate steps were taken to secure the environment and prevent further intrusion.

Operations across TELUS Digital remain fully functional, and the company stated there is no evidence of disruption to customer connectivity or services. Cyber forensics specialists have been engaged to assist the investigation, and the company is cooperating with law enforcement authorities while monitoring the situation.

Threat actors claim the breach was carried out using credentials for the Google Cloud Platform discovered in data obtained during a previous compromise involving the marketing and customer engagement platform Salesloft and its Drift service. During that earlier incident, attackers downloaded Salesforce data connected to hundreds of companies, including support ticket records that contained credentials, authentication tokens and other sensitive information.

Using those credentials, the attackers said they gained access to multiple TELUS systems, including a large Google BigQuery environment. After extracting datasets from that environment, the attackers claimed they searched the information using the cybersecurity tool TruffleHog to identify additional credentials that allowed them to move into other company systems and collect further data.

The attackers claim the operation resulted in the theft of close to one petabyte of data belonging to TELUS Digital and its clients. The company has not confirmed the amount of data allegedly taken.

The stolen information is described as spanning a wide range of business functions tied to outsourcing services handled by TELUS Digital. These include data connected to customer support operations, call center outsourcing, agent performance ratings, artificial intelligence customer support tools, fraud detection systems and content moderation services.

The threat actors also claim the dataset includes source code, federal background check records, financial information, Salesforce-related data and recordings of customer support calls associated with multiple companies that rely on TELUS Digital’s outsourcing services.

The breach may also involve TELUS’ telecommunications business, particularly its consumer fixed-line services. The attackers claim they obtained call records, voice recordings and campaign data related to telecommunications operations. Sample call data records described by investigators include timestamps, call duration, originating and receiving phone numbers and technical metadata tied to call quality.

The types of stolen information appear to vary significantly across organizations, reflecting the diverse operational services TELUS Digital provides to its clients.

The attackers began contacting the company in February, demanding a payment of $65 million in exchange for not releasing the data publicly. The company did not engage with the threat actors.