Telus Digital faces mass data leak after ShinyHunters claims to have exfiltrated almost a petabyte


Telus's digital services and outsourcing subsidiary, Telus Digital, has publicly acknowledged a security incident that the attackers say compromised a huge amount of information. The company confirmed to the media that it is investigating unauthorized access to "a limited number of our systems" and that it has taken measures to contain the intrusion, engaged forensic experts and notified the relevant authorities.

The details that have come to light come largely from the claims of an extortion group known as ShinyHunters, which says it exfiltrated almost a petabyte of data over several months. This figure, although striking, has not been independently verified by third parties and should therefore be treated with caution while the investigation progresses. Initial coverage and statements can be found in media specialized in cybersecurity, such as BleepingComputer.

[Image: Telus Digital faces mass data leak after ShinyHunters claims to have exfiltrated almost a petabyte. Image generated with AI.]

Telus Digital provides critical outsourcing services: customer care, content moderation, data preparation for AI and contact centre operations. This concentration of functions makes BPO providers particularly attractive targets for attackers, because a single foothold can expose data from multiple companies and millions of customers. Telus has said that, for now, its operations remain "fully operational" and that there is no evidence of disruption to connectivity or customer services as containment continues.

According to the narrative published by the attackers themselves, the starting point was the use of Google Cloud credentials found in data leaked in another incident: the breach that affected the Salesloft / Drift integration and resulted in the theft of data from Salesforce instances. Third-party research, as published by the Google / Mandiant intelligence team, describes how this stolen information has been used in a chain to identify secrets and gain access to other cloud services; an analysis can be read on Google Cloud's blog about that incident at cloud.google.com.

The attackers report that, with these credentials, they accessed numerous company systems, including a large BigQuery environment, and that they used secret-scanning tools such as trufflehog to locate new tokens and keys that allowed them to pivot within the infrastructure and download massive volumes of information. This "credentials from credentials" technique is a recurring tactic in campaigns that grow out of initial data leaks on SaaS platforms.
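The defensive counterpart of the technique described above is to scan your own datasets, ticket exports and repositories for embedded credentials before anyone else does, and to report findings without ever logging the full secret. The following is an added example, not code from the article, from Telus or from the trufflehog project: a deliberately small scanner that recognises a few well-documented credential formats (Google API keys, AWS access key IDs, PEM private-key headers and Google service-account key files) over constructed sample records. The record ids, the key material and the e-mail address in the sample are all made up.

```python
import json
import re
from collections import Counter
from dataclasses import dataclass

# Detectors for credential formats whose shape is stable and publicly documented:
# Google API keys are "AIza" followed by 35 URL-safe characters, AWS access key IDs
# are "AKIA" followed by 16 upper-case alphanumerics, and PEM private keys carry a
# fixed header line. Service-account key files are recognised by their JSON structure
# instead of a regex (see scan_text).
PATTERNS = {
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
}


@dataclass(frozen=True)
class Finding:
    record_id: str   # where the secret was found (file, row, ticket ...)
    kind: str        # which detector fired
    redacted: str    # a locator for the value, never the value itself


def redact(secret: str) -> str:
    """Keep just enough of the value to locate it in the source; mask the rest."""
    if len(secret) <= 8:
        return "*" * len(secret)
    return secret[:4] + "*" * (len(secret) - 8) + secret[-4:]


def scan_text(record_id: str, text: str) -> list[Finding]:
    """Run every detector over one record and return the redacted findings."""
    findings = [
        Finding(record_id, kind, redact(m.group(0)))
        for kind, pattern in PATTERNS.items()
        for m in pattern.finditer(text)
    ]
    # A Google service-account key file is JSON with type=service_account and a
    # private_key field; report the client_email so the owner can rotate it.
    try:
        obj = json.loads(text)
    except ValueError:
        obj = None
    if isinstance(obj, dict) and obj.get("type") == "service_account" and "private_key" in obj:
        findings.append(Finding(record_id, "gcp_service_account_key", obj.get("client_email", "?")))
    return findings


def scan_rows(rows) -> list[Finding]:
    """rows: iterable of (record_id, text), e.g. exported table cells or file contents."""
    findings = []
    for record_id, text in rows:
        findings.extend(scan_text(record_id, text))
    return findings


def summarize(findings: list[Finding]) -> dict[str, int]:
    """Count findings per detector, the figure an owner wants first."""
    return dict(Counter(f.kind for f in findings))


# Constructed sample records (hypothetical support-ticket export); the key values
# below are fabricated and match only the documented formats.
SAMPLE_ROWS = [
    ("ticket-1001", "Customer asked about billing; no action needed."),
    ("ticket-1002", "Engineer pasted config: api_key=AIzaSyA1B2C3D4E5F6G7H8I9J0K1L2M3N4O5P6Q"),
    ("ticket-1003", json.dumps({
        "type": "service_account",
        "project_id": "example-project",
        "private_key": "-----BEGIN PRIVATE KEY-----\nMIIE...constructed...\n-----END PRIVATE KEY-----\n",
        "client_email": "svc-example@example-project.iam.gserviceaccount.com",
    })),
    ("ticket-1004", "Legacy script used AKIAEXAMPLE123456789 for backups."),
]

if __name__ == "__main__":
    for f in scan_rows(SAMPLE_ROWS):
        print(f"{f.record_id}: {f.kind} -> {f.redacted}")
    print(summarize(scan_rows(SAMPLE_ROWS)))
```

The regexes are intentionally narrow: they catch the formats that are cheap to recognise and leave entropy-based detection to a real tool. What matters operationally is the reporting shape, a record id plus a redacted locator, so that the finding can be triaged and the credential rotated without the scanner's own output becoming another copy of the secret.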

The set of information ShinyHunters claims to hold is varied: support data and call records from contact centres, source code, background-check information obtained through verification processes, financial information, Salesforce data and recordings of voice support conversations. Among the materials the attackers describe are records of call metadata (time, duration, numbers involved, call quality) that, in the wrong hands, can facilitate social engineering fraud or vishing.

In addition to the exfiltration, the attackers launched an extortion campaign. According to the group's claims, in February they demanded $65 million in exchange for not disclosing the stolen data; Telus, for its part, according to the sources cited, has not negotiated with the extortionists and has opted for forensic investigation and notification as the inquiries progress. The company has reported that it implemented additional security measures and that it will inform the affected customers as their exposure is confirmed.

ShinyHunters is not a new actor on the scene: in recent years it has been linked to multiple campaigns aimed at cloud services and SaaS platforms, particularly at obtaining and monetizing data from Salesforce, Google Workspace and other business ecosystems. Mixed tactics such as vishing (calls impersonating technical support to steal credentials and MFA codes) and the abuse of authentication tokens to take control of SSO accounts have also been documented, allowing the group to move laterally through environments connected to corporate services. Specialized coverage has analysed the evolution and objectives of this group, for example in BleepingComputer.

For customers and companies that depend on BPO providers, this episode highlights a recurring lesson: the security of the digital supply chain matters as much as an organization's own security. Reviewing access and secret-management policies, applying strict segmentation between services, rotating credentials and adopting early detection in cloud environments are essential measures. At the same time, organizations should be prepared to respond to incidents that affect not only their own systems but also those of third parties that store or process their information.
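"Early detection in cloud environments" is abstract until it is written down as a rule. The block below is an added example, not code from the article, from Telus or from Google, of the kind of detection a data-platform team can run over access logs for a warehouse such as BigQuery: for each principal it builds a per-day baseline of bytes read from recent history, then flags a day on which that principal reads many times its baseline or appears from a source address it has never used before. The event shape is a deliberately simplified, constructed one with four fields; it is not the real Cloud Audit Log schema, and the principals, addresses and volumes are invented.

```python
from collections import defaultdict
from statistics import median

# Constructed, simplified event shape (NOT the real Cloud Audit Log schema):
# one record per query job with the day, the principal, the client address and
# the bytes the job read. Days are ISO strings so they compare lexicographically.
SAMPLE_EVENTS = [
    {"day": "2025-01-06", "principal": "etl@proj.iam", "source_ip": "10.0.1.5", "bytes": 40_000_000_000},
    {"day": "2025-01-07", "principal": "etl@proj.iam", "source_ip": "10.0.1.5", "bytes": 42_000_000_000},
    {"day": "2025-01-08", "principal": "etl@proj.iam", "source_ip": "10.0.1.5", "bytes": 38_000_000_000},
    {"day": "2025-01-09", "principal": "etl@proj.iam", "source_ip": "10.0.1.5", "bytes": 41_000_000_000},
    {"day": "2025-01-06", "principal": "analyst@corp", "source_ip": "10.0.2.9", "bytes": 2_000_000_000},
    {"day": "2025-01-07", "principal": "analyst@corp", "source_ip": "10.0.2.9", "bytes": 3_000_000_000},
    {"day": "2025-01-08", "principal": "analyst@corp", "source_ip": "10.0.2.9", "bytes": 1_500_000_000},
    {"day": "2025-01-09", "principal": "analyst@corp", "source_ip": "10.0.2.9", "bytes": 2_500_000_000},
    # Day under review: the ETL account behaves as usual, while the analyst's
    # credential is suddenly used from an unfamiliar address and reads ~200x its norm.
    {"day": "2025-01-10", "principal": "etl@proj.iam", "source_ip": "10.0.1.5", "bytes": 43_000_000_000},
    {"day": "2025-01-10", "principal": "analyst@corp", "source_ip": "198.51.100.23", "bytes": 500_000_000_000},
]


def split_history(events, review_day):
    """Everything before review_day is history; review_day itself is what we score."""
    history = [e for e in events if e["day"] < review_day]
    current = [e for e in events if e["day"] == review_day]
    return history, current


def daily_totals(events):
    """Sum bytes per (principal, day)."""
    totals = defaultdict(int)
    for e in events:
        totals[(e["principal"], e["day"])] += e["bytes"]
    return totals


def baselines(history):
    """Median daily bytes per principal; the median resists one-off spikes in history."""
    per_principal = defaultdict(list)
    for (principal, _day), total in daily_totals(history).items():
        per_principal[principal].append(total)
    return {p: median(v) for p, v in per_principal.items()}


def known_ips(history):
    """Set of source addresses each principal has previously been seen from."""
    seen = defaultdict(set)
    for e in history:
        seen[e["principal"]].add(e["source_ip"])
    return seen


def detect(events, review_day, volume_factor=5.0, absolute_floor=100_000_000_000):
    """Return alerts for principals whose review-day activity breaks their baseline.

    A volume alert requires exceeding BOTH volume_factor x baseline and the absolute
    floor, so low-volume principals do not alert on small absolute fluctuations.
    """
    history, current = split_history(events, review_day)
    base = baselines(history)
    ips = known_ips(history)
    alerts = []
    for (principal, day), total in daily_totals(current).items():
        reasons = []
        expected = base.get(principal)
        if expected is None:
            reasons.append("no_history")  # first-ever activity deserves a look
        elif total > max(volume_factor * expected, absolute_floor):
            reasons.append(f"volume {total / expected:.0f}x baseline")
        new_ips = {e["source_ip"] for e in current if e["principal"] == principal} - ips.get(principal, set())
        if new_ips:
            reasons.append("new_source_ip:" + ",".join(sorted(new_ips)))
        if reasons:
            alerts.append({"principal": principal, "day": day, "bytes": total, "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS, "2025-01-10"):
        print(alert)
```

Two design choices carry the value here. The baseline is a median rather than a mean, so a single busy day in the history window does not inflate what counts as normal; and the new-address check is evaluated independently of volume, because a stolen token is often used from new infrastructure well before the bulk download starts, which is the earlier and cheaper signal to act on.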


From the perspective of end users, exposure of call recordings, support records or billing data increases the risk of targeted fraud. It is recommended to stay alert to suspicious communications, to enable multifactor authentication on every service that supports it and to verify any request for sensitive information directly with the official provider.

As the investigation continues and Telus works with experts and law enforcement, the actual extent of the theft and the final list of affected companies remain unknown. The company has promised to notify the affected customers "as appropriate" once it is clear which data were exposed. We will await public updates and forensic reports to confirm the volume and exact nature of the compromised information.

For further technical and contextual background on this case, reference analyses and news are available: BleepingComputer's coverage of the incident, the breakdown of the Salesloft / Drift incident on the Google Cloud / Mandiant blog, and the documentation of tools the attackers have mentioned, such as trufflehog.
