TELUS Digital
Analysis of the TELUS Digital breach where ShinyHunters allegedly stole close to 1 petabyte of data, reportedly including BPO customer data for 28 companies, using credentials from the Salesloft Drift breach.
Published by the Scrutex.ai Research Team | March 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation: TELUS Digital. Canadian business process outsourcing (BPO) and digital customer experience company, a subsidiary of TELUS Corporation. TELUS Digital provides IT and customer experience services to major enterprises globally.
Sector: Business Process Outsourcing / Technology Services
Region: Canada
Date of Incident: March 2026
Date Disclosed: March 12, 2026
Estimated Impact: Close to 1 petabyte of data allegedly stolen; BPO customer data for reportedly 28 major companies
Data Types Exposed: BPO customer data, FBI background checks, source code, Salesforce data, financial records, voice recordings of support calls
Attack Type: Data Breach
Attack Vector: Google Cloud Platform credentials allegedly found in data stolen during the Salesloft Drift breach, enabling access to TELUS Digital’s cloud environment
Threat Actor: ShinyHunters
Current Status: TELUS Digital confirmed the breach on March 12, 2026 and rejected ShinyHunters’ reported $65 million ransom demand. Investigation ongoing.
Severity Assessment
Critical. The alleged volume of data (close to 1 petabyte) and the breadth of data types reportedly involved make this one of the largest BPO breaches on record if confirmed. The supply chain cascade from Salesloft to TELUS Digital to potentially 28 downstream clients demonstrates how a single upstream breach can have exponential downstream impact.
What Happened
On March 12, 2026, Canadian BPO giant TELUS Digital confirmed a data breach after the ShinyHunters group claimed to have stolen close to 1 petabyte of data from the company’s systems.
ShinyHunters reportedly demanded $65 million in ransom, which TELUS Digital rejected. The allegedly stolen data is reported to include BPO customer data for 28 major companies, FBI background checks on employees, source code, Salesforce data, financial records, and voice recordings of customer support calls.
According to reports, ShinyHunters gained initial access using Google Cloud Platform credentials that were found in data stolen during a separate breach of Salesloft’s Drift product. This represents a textbook supply chain cascade: the Salesloft breach led to credential exposure, which allegedly led to the TELUS Digital compromise, which in turn potentially exposes dozens of downstream clients whose data TELUS Digital processes as a BPO provider.
Timeline
Early 2026: Salesloft Drift breach allegedly exposes credentials including TELUS Digital’s Google Cloud Platform access
March 2026: ShinyHunters reportedly uses stolen credentials to access TELUS Digital’s cloud environment
March 12, 2026: TELUS Digital confirms breach; ShinyHunters claims close to 1 petabyte of data stolen
March 2026: TELUS Digital reportedly rejects ShinyHunters’ $65 million ransom demand
Threat Actor Profile
ShinyHunters is one of the most prolific data breach groups currently active, previously linked to breaches at AT&T, Ticketmaster, and other major organisations. The group is known for large-scale data exfiltration and typically monetises stolen data through ransom demands and dark web sales.
In this incident, ShinyHunters allegedly leveraged credentials obtained from a separate breach (Salesloft Drift) rather than conducting a direct attack, demonstrating sophistication in exploiting supply chain vulnerabilities and credential reuse across interconnected cloud services.
Impact and Risk Assessment
For Affected Individuals
If confirmed, individuals whose data was processed by TELUS Digital on behalf of its 28 reported BPO clients may be affected. This could include customer support interactions, voice recordings, and personal information shared during service calls.
Employees of TELUS Digital who underwent FBI background checks may have highly sensitive personal and background information exposed.
For Organisations
TELUS Digital’s reported 28 BPO clients face potential exposure of customer data that was entrusted to TELUS Digital for processing. Each downstream client may need to conduct its own breach assessment and potentially notify its own customers.
The incident highlights systemic risk in BPO relationships: outsourcing customer service and business processes means entrusting large volumes of sensitive data to third parties whose security posture may differ from the data owner’s expectations.
The inclusion of source code and Salesforce data in the allegedly stolen dataset suggests the compromise extended beyond customer-facing systems into TELUS Digital’s core business infrastructure.
Regulatory Context
Canadian privacy law (PIPEDA) requires notification of breaches that create a real risk of significant harm. TELUS Digital’s 28 reported BPO clients may each face separate notification obligations under their respective jurisdictions.
FBI background check data is subject to strict handling requirements under US federal law. Exposure of this data may trigger additional regulatory scrutiny.
What Should You Do?
If You Are a Potentially Affected Individual
If you have interacted with customer support services that may have been outsourced to TELUS Digital, monitor your accounts for unusual activity.
Be cautious of phishing attempts that reference specific details from customer support interactions, as voice recordings and interaction logs may have been exposed.
If You Are a Security or Risk Professional
Audit your organisation’s BPO and outsourcing relationships. Understand what data is shared, where it is stored, and what security controls your BPO partners have in place.
Implement credential rotation and secrets management for all cloud platform access, particularly credentials shared with or accessible to third-party service providers.
Review whether credentials from other breaches (such as Salesloft Drift) may provide access to your organisation’s cloud environments. Cross-reference leaked credential databases against your cloud IAM configurations.
Consider zero-trust architecture for cloud environments where BPO partners require access, limiting lateral movement in the event of credential compromise.
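An added example, not part of the Scrutex advisory: one way to carry out the cross-reference described above for Google Cloud service-account keys, matching key identifiers seen in leaked data against your own IAM key inventory. The project name, account emails, key IDs and both datasets are constructed; the inventory is assumed to have the shape of `gcloud iam service-accounts keys list --format=json` output.

```python
from datetime import datetime, timezone

# Constructed sample: (client_email, private_key_id) pairs read from
# service-account key files found in leaked data. No key material is needed.
LEAKED = [
    ("support-etl@example-proj.iam.gserviceaccount.com", "a1b2c3d4e5f6"),
    ("ci-deploy@example-proj.iam.gserviceaccount.com", "0f9e8d7c6b5a"),
    ("old-batch@example-proj.iam.gserviceaccount.com", "deadbeef0001"),
]

# Constructed sample: key inventory, concatenated across service accounts.
_SA = "projects/example-proj/serviceAccounts/"
INVENTORY = [
    {"name": _SA + "support-etl@example-proj.iam.gserviceaccount.com/keys/a1b2c3d4e5f6",
     "keyType": "USER_MANAGED", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": _SA + "support-etl@example-proj.iam.gserviceaccount.com/keys/7777aaaa8888",
     "keyType": "USER_MANAGED", "validBeforeTime": "9999-12-31T23:59:59Z"},
    {"name": _SA + "ci-deploy@example-proj.iam.gserviceaccount.com/keys/0f9e8d7c6b5a",
     "keyType": "USER_MANAGED", "validBeforeTime": "9999-12-31T23:59:59Z",
     "disabled": True},
]

def parse_ts(value):
    # Accept the trailing "Z" on Python versions before 3.11 as well.
    return datetime.fromisoformat(value.replace("Z", "+00:00"))

def triage(leaked, inventory, now=None):
    """Return (status, email, key_id) for each leaked key, in input order."""
    now = now or datetime.now(timezone.utc)
    by_id = {}
    for key in inventory:
        # name = projects/<project>/serviceAccounts/<email>/keys/<key_id>
        parts = key["name"].split("/")
        by_id[(parts[3], parts[5])] = key
    findings = []
    for email, key_id in leaked:
        key = by_id.get((email, key_id))
        if key is None:
            status = "ABSENT"    # not in this inventory: deleted, or another project
        elif key.get("disabled") or parse_ts(key["validBeforeTime"]) <= now:
            status = "INACTIVE"  # cannot authenticate now; delete, review past use
        else:
            status = "ACTIVE"    # still usable: disable, rotate, review audit logs
        findings.append((status, email, key_id))
    return findings

if __name__ == "__main__":
    for status, email, key_id in triage(LEAKED, INVENTORY):
        print(f"{status:8} {email} {key_id}")
```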
Learnings and Recommendations
Supply chain breaches can cascade exponentially. The Salesloft Drift breach led to the TELUS Digital compromise, which potentially exposes 28 downstream BPO clients and their customers. Organisations must map and monitor their extended supply chain exposure.
BPO providers hold enormous volumes of sensitive data from multiple clients. A single breach at a BPO provider can simultaneously expose data from dozens of organisations, making BPO security a systemic risk.
Credentials stored in or accessible through SaaS platforms can provide pathways to cloud infrastructure. Organisations should treat SaaS-to-cloud credential flows as critical attack surfaces.
Voice recordings of customer support calls represent a particularly sensitive data type, potentially containing verbal disclosure of personal information, account details, and authentication answers.