ShinyHunters Claims 1 Petabyte Data Theft From Telus Digital in Multi-Month BPO Breach

Business process outsourcing (BPO) giant Telus Digital has confirmed a major cybersecurity incident after the notorious ShinyHunters extortion group claimed to have stolen nearly one petabyte of data from the company and its customers.

The breach, which involved unauthorized access to internal systems over an extended period, highlights a dangerous evolution in attacker strategy: threat actors no longer need to "break in" if they can simply blend in using legitimate credentials.

What We Know About the Breach

In a statement to CSO Online, Telus Digital confirmed it is “investigating a cybersecurity incident involving unauthorized access to a limited number of our systems.” The company stated that upon discovery, immediate steps were taken to secure systems against further intrusion.

Key details from the disclosure:

  • Business operations remain fully functional with no disruption to customer services
  • Leading cyber forensics experts have been engaged
  • Law enforcement is involved in the investigation
  • Impacted customers are being notified as appropriate

ShinyHunters, an extortion group active since 2020, claims to have exfiltrated upwards of one petabyte of data from Telus Digital and from its BPO customers, many of whom rely on the company for customer support operations. Asked to confirm that figure, a company spokesperson declined to comment.

The Shift: “Attackers No Longer Need to Break In”

Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, offered a sobering analysis of the breach. He noted this was not a traditional perimeter failure:

“Attackers no longer need to ‘break in’ if they can blend in. The hallmarks of this breach—multi-month dwell time, massive data volumes, and delayed detection—suggest the abuse of legitimate access rather than overt technical exploitation.”

The incident aligns with a growing class of data theft-first operations characterized by:

  • Long-term persistence using valid credentials or trusted pathways
  • Lateral movement across internal systems once inside
  • Slow, controlled data staging to avoid triggering alerts
  • Large-scale exfiltration disguised as normal encrypted traffic
  • Public disclosure or extortion once data is secured

“This is not smash-and-grab ransomware,” Jean-Louis emphasized. “It is strategic, disciplined, and optimized for maximum leverage.”

Why This Matters: The Identity Perimeter Problem

The breach exposes a critical blind spot many organizations still have: they’re adept at detecting “bad behavior” but struggle to identify abnormal trusted behavior.

Jean-Louis outlined essential priorities for organizations:

Identity Is the New Perimeter

If credentials are compromised, everything downstream is at risk. Organizations must enforce MFA everywhere, especially for admins and third parties. Because groups like ShinyHunters harvest credentials through vishing, that MFA should be phishing-resistant (hardware-bound or FIDO2 factors) rather than push or one-time-code prompts that a live social-engineering call can walk a victim through.

Data-Centric Monitoring Is Non-Negotiable

Organizations must know when data is accessed, aggregated, and moved. That means alerting on bulk access patterns and setting data movement thresholds per role, so that a support agent pulling gigabytes of records is treated differently from a data engineer doing the same.

Segment Environments Aggressively

Flat networks enable catastrophic breaches. Once attackers move laterally, scale becomes their advantage. High-value data stores must be isolated from general access.

Invest in Behavioral Analytics and Threat Hunting

Look for subtle anomalies over weeks, not just spikes over minutes.
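The two monitoring priorities above (role-based data movement thresholds, and anomalies that only show up over weeks) translate into concrete detection logic. The script below is an added example written for this page; it is not code from CSO Online, Telus Digital, or Info-Tech Research Group. The access-log records, the role ceilings, and the thresholds are constructed assumptions. It runs a conventional one-hour burst detector next to a weekly detector that compares each user's data volume to a per-role ceiling and to that user's own prior weeks, and shows that a slow, steady exfiltration trips only the second.

```python
"""Burst detection vs. slow-and-low detection over constructed access logs.

Every threshold, role, user and log record here is a constructed assumption
for illustration; none of it comes from the Telus Digital incident.
"""
from collections import defaultdict
from datetime import datetime, timedelta

MiB = 1024 ** 2
GiB = 1024 ** 3

# Hypothetical per-role ceiling on bytes pulled in any calendar week.
ROLE_WEEKLY_LIMIT = {
    "support_agent": 2 * GiB,
    "data_engineer": 200 * GiB,
}
BURST_WINDOW = timedelta(hours=1)
BURST_LIMIT = 5 * GiB      # classic "spike" rule: more than 5 GiB in one hour
BASELINE_FACTOR = 4.0      # a week more than 4x the user's prior median is suspect


def burst_alerts(events, window=BURST_WINDOW, limit=BURST_LIMIT):
    """Sliding-window spike detector, per user. Returns the set of users flagged."""
    by_user = defaultdict(list)
    for e in sorted(events, key=lambda e: e["ts"]):
        by_user[e["user"]].append(e)
    flagged = set()
    for user, evs in by_user.items():
        start, total = 0, 0
        for i, e in enumerate(evs):
            total += e["bytes"]
            # Drop events that fell out of the trailing window.
            while evs[i]["ts"] - evs[start]["ts"] > window:
                total -= evs[start]["bytes"]
                start += 1
            if total > limit:
                flagged.add(user)
    return flagged


def weekly_totals(events):
    """Bytes per (user, week); a week is keyed by its Monday date."""
    totals = defaultdict(lambda: defaultdict(int))
    roles = {}
    for e in events:
        week = (e["ts"] - timedelta(days=e["ts"].weekday())).date()
        totals[e["user"]][week] += e["bytes"]
        roles[e["user"]] = e["role"]
    return totals, roles


def slow_exfil_alerts(events, role_limits=ROLE_WEEKLY_LIMIT, factor=BASELINE_FACTOR):
    """Weekly detector. Flags a user when a week exceeds the role ceiling, or
    exceeds factor x the median of that user's earlier weeks (their own baseline).
    Returns {user: set(reasons)}."""
    totals, roles = weekly_totals(events)
    alerts = defaultdict(set)
    for user, weeks in totals.items():
        prior = []
        for week in sorted(weeks):
            b = weeks[week]
            if b > role_limits.get(roles[user], 0):
                alerts[user].add("role_ceiling")
            if prior:
                median = sorted(prior)[len(prior) // 2]
                if median > 0 and b > factor * median:
                    alerts[user].add("baseline_drift")
            prior.append(b)
    return dict(alerts)


def constructed_events():
    """Four weeks of constructed access-log records (not real data).

    alice: normal support agent.           bob: steady 400 MiB/day, never bursts.
    carol: one 6 GiB burst inside an hour.  dave: ramps to 5 GiB/day in week 4,
    spread over two pulls six hours apart so no single hour looks unusual.
    """
    start = datetime(2025, 1, 6, 9, 0)  # a Monday
    evs = []
    for day in range(28):
        t = start + timedelta(days=day)
        evs.append({"ts": t, "user": "alice", "role": "support_agent", "bytes": 20 * MiB})
        evs.append({"ts": t, "user": "bob", "role": "support_agent", "bytes": 400 * MiB})
        evs.append({"ts": t, "user": "carol", "role": "data_engineer", "bytes": 1 * GiB})
        if day < 21:
            evs.append({"ts": t, "user": "dave", "role": "data_engineer", "bytes": 1 * GiB})
        else:
            for hours in (0, 6):
                evs.append({"ts": t + timedelta(hours=hours), "user": "dave",
                            "role": "data_engineer", "bytes": 2560 * MiB})
    burst = start + timedelta(days=9, hours=5)
    for minutes in (0, 10):
        evs.append({"ts": burst + timedelta(minutes=minutes), "user": "carol",
                    "role": "data_engineer", "bytes": 3 * GiB})
    return evs


if __name__ == "__main__":
    evs = constructed_events()
    print("burst detector flags:", burst_alerts(evs))          # {'carol'}
    print("weekly detector flags:", slow_exfil_alerts(evs))    # bob, dave
```

The point of the comparison is the users the burst rule misses: bob exceeds his role's weekly ceiling every week without ever exceeding the hourly limit, and dave stays under the role ceiling but drifts far above his own baseline. Neither produces a spike, and both are the pattern the article describes. In production the role ceilings and the baseline factor need tuning per environment, and the baseline comparison should exclude weeks already flagged so that a long-running exfiltration does not quietly become the new normal.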

Prepare for Data Theft, Not Just Ransomware

A strategic lesson from this breach: many incident response plans still assume that impact begins with encryption and build playbooks around ransomware. Organizations also need response plans for silent data exfiltration, where the first sign of compromise may be an extortion demand rather than an outage.

“The biggest risk today,” Jean-Louis concluded, “is not that attackers are getting better at breaking in; it’s that they’re getting better at being trusted. Organizations that continue to focus primarily on perimeter defenses and malware prevention will remain vulnerable to this class of attack.”

About ShinyHunters

ShinyHunters has been a prolific threat actor since 2020, specializing in stealing data held in its targets' Salesforce instances and other SaaS platforms. The group has more recently expanded into voice phishing (vishing), impersonating IT staff to persuade employees to enter their credentials on credential-harvesting sites.


Source: CSO Online