Telus Digital, which provides business process outsourcing (BPO) services to a range of organizations worldwide, has been hit with a massive cyberattack conducted by extortion group ShinyHunters
The group, which has been in operation since 2020, specializes in stealing data from Salesforce and other SaaS vendors, and has also recently been conducting voice phishing (vishing) attacks, impersonating IT staff to persuade employees to enter their credentials on malicious sites that harvest them.
In a statement to CSO on Thursday, Telus Digital said it is “investigating a cybersecurity incident involving unauthorized access to a limited number of our systems. Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely.”
The statement went on to say, “all business operations within Telus Digital remain fully operational and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement.”
The company added that it has implemented additional security measures “to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers’ information continues to be our highest priority.”
One published report stated that ShinyHunters claims to have stolen upwards of one petabyte of data from both the company and its customers, many of whom use Telus Digital as a BPO provider for their customer support operations.
A company spokesperson was asked to confirm that number, but refused comment.
Attackers now ‘better at being trusted’
Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, said the incident was not a perimeter failure, even though “when breaches of this magnitude occur, the instinct is often to ask which vulnerability was exploited and which malware got through.”
He added that the Telus Digital data theft “increasingly points to a different problem, in that attackers no longer need to ‘break in’ if they can blend in. The hallmarks of this breach, like the multi-month dwell time, massive data volumes, and delayed detection, suggest the abuse of legitimate access rather than overt technical exploitation.”
In other words, he said, the systems likely trusted the attacker, noting that, based on publicly available details, this incident aligns with a growing class of data theft first operations that include:
- Long-term persistence using valid credentials or trusted pathways
- Lateral movement across internal systems once inside
- Slow, controlled data staging to avoid triggering alerts
- Large-scale exfiltration disguised as normal encrypted traffic
- Public disclosure or extortion signaling once data is secured.
According to Jean-Louis, “this is not smash-and-grab ransomware. It is strategic, disciplined, and optimized for maximum leverage. The [attack] actually exposes a blind spot many organizations still have: [they] are good at detecting ‘bad behavior,’ but not abnormal trusted behavior.”
Priorities for mitigation
This incident, he pointed out, reinforces the importance of several priorities for organizations, including:
- Regard identity as the new perimeter. If credentials are compromised, everything downstream is at risk.
- Enforce MFA everywhere, especially for admins and third parties.
- Data-centric monitoring is non-negotiable if organizations must know when data is accessed, aggregated, and moved.
- Set alerts for bulk access patterns, not just downloads, and set reasonable data movement thresholds by role
Flat networks, he said, enable big breaches, and once attackers move laterally, scale becomes their advantage.
His advice to CSOs is that they segment environments aggressively, isolate high-value data stores from general access, invest in behavioral analytics and threat hunting, and look for subtle anomalies over weeks, not just spikes over minutes.
A strategic lesson from this breach is that organizations should prepare for data theft, not just ransomware, he said. “Many incident response plans still assume encryption equals impact and build playbooks for silent data exfiltration.”
The biggest risk today, said Jean-Louis, “is not that attackers are getting better at breaking in; it’s that they’re getting better at being trusted. Organizations that continue to focus primarily on perimeter defenses and malware prevention will remain vulnerable to this class of attack.”