Source: csoonline.com (Cybersecurity)

Telus Digital Suffers Massive Data Breach by ShinyHunters Group

Telus Digital, a major business process outsourcing provider, has been hit by a sophisticated cyberattack from the ShinyHunters extortion group, with reports suggesting up to one petabyte of data may have been stolen. The attack demonstrates a new breed of strategic data theft operations that use legitimate access to avoid detection.

Key Takeaways

  • "The [attack] actually exposes a blind spot many organizations still have: [they] are good at detecting 'bad behavior,' but not abnormal trusted behavior."
  • "The security of our customers' information continues to be our highest priority."
  • "We are investigating a cybersecurity incident involving unauthorized access to a limited number of our systems," Telus Digital said in a statement to CSO on Thursday.

Telus Digital, a global business process outsourcing provider, has fallen victim to a massive cyberattack orchestrated by the notorious ShinyHunters extortion group, marking another significant breach in the BPO sector.

The ShinyHunters group, operational since 2020, has built a reputation for targeting Salesforce and other SaaS vendors while also conducting sophisticated voice phishing campaigns. The group's latest tactics involve impersonating IT staff to trick employees into entering credentials on malicious harvesting sites.

"We are investigating a cybersecurity incident involving unauthorized access to a limited number of our systems," Telus Digital said in a statement to CSO on Thursday. "Upon discovery, we took immediate steps to address the unauthorized activity and secure our systems against further intrusion. We are actively managing the situation and continue to monitor it closely."

The company emphasized that operations remain stable, stating that "all business operations within Telus Digital remain fully operational and there is no evidence of disruption to customer connectivity or services. As part of our response, we have engaged leading cyber forensics experts to support our investigation, and we are working with law enforcement."

Published reports indicate ShinyHunters claims to have exfiltrated upwards of one petabyte of data from both Telus Digital and its customers, many of whom rely on the company for customer support operations. When asked to confirm this figure, a company spokesperson declined to comment.

Telus Digital assured stakeholders that additional protective measures are in place, noting they have "implemented additional security measures to further safeguard our systems and environment. As our investigation progresses, we are notifying any impacted customers, as appropriate. The security of our customers' information continues to be our highest priority."

Beyond Traditional Breach Patterns

Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, characterized this incident as fundamentally different from typical security failures.

"When breaches of this magnitude occur, the instinct is often to ask which vulnerability was exploited and which malware got through," Jean-Louis said. However, the Telus Digital incident "increasingly points to a different problem, in that attackers no longer need to 'break in' if they can blend in."

Jean-Louis explained that the breach's characteristics suggest a more sophisticated approach: "The hallmarks of this breach, like the multi-month dwell time, massive data volumes, and delayed detection, suggest the abuse of legitimate access rather than overt technical exploitation."

The systems likely trusted the attacker, he noted, as the incident aligns with emerging data theft operations featuring public disclosure after data is secured, large-scale exfiltration disguised as normal encrypted traffic, and slow, controlled data staging to avoid triggering alerts.

"This is not smash-and-grab ransomware," Jean-Louis emphasized. "It is strategic, disciplined, and optimized for maximum leverage. The [attack] actually exposes a blind spot many organizations still have: [they] are good at detecting 'bad behavior,' but not abnormal trusted behavior."

Critical Defense Strategies

The incident highlights several essential security priorities, according to Jean-Louis. Organizations must implement data-centric monitoring as "non-negotiable if organizations must know when data is accessed, aggregated, and moved."

He stressed the importance of setting "alerts for bulk access patterns, not just downloads, and set reasonable data movement thresholds by role" while enforcing "MFA everywhere, especially for admins and third parties."

Jean-Louis warned that "flat networks enable big breaches, and once attackers move laterally, scale becomes their advantage." He recommends CSOs "segment environments aggressively, isolate high-value data stores from general access, invest in behavioral analytics and threat hunting, and look for subtle anomalies over weeks, not just spikes over minutes."
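The two detection layers Jean-Louis describes, per-role bulk-access thresholds and slow anomalies tracked over weeks rather than minutes, can be sketched against an access log. This is an added illustration, not code from the article or from Telus Digital; the log format, the role limits and the sample identities are all hypothetical.

```python
from collections import defaultdict
from statistics import median

# Hypothetical per-role daily limits (records touched per identity per day).
ROLE_DAILY_LIMITS = {"support_agent": 500, "admin": 2000, "vendor": 300}

def build_sample_log(days=28):
    """Constructed sample access log of (day, identity, role, records_touched).
    agent_4 stays under its daily limit but quietly pulls 4x its peers' volume
    every day (slow staging); admin_1 has one obvious spike on day 10."""
    log = []
    for d in range(days):
        for i in range(1, 4):
            log.append((d, f"agent_{i}", "support_agent", 100))
        log.append((d, "agent_4", "support_agent", 400))
        log.append((d, "admin_1", "admin", 5000 if d == 10 else 50))
        log.append((d, "vendor_1", "vendor", 80))
    return log

def daily_volumes(log):
    """Aggregate records touched per (identity, day) and remember each role."""
    vol = defaultdict(int)
    roles = {}
    for day, ident, role, n in log:
        vol[(ident, day)] += n
        roles[ident] = role
    return vol, roles

def bulk_access_alerts(log):
    """Spike detection: any single day above the identity's role limit."""
    vol, roles = daily_volumes(log)
    return sorted({i for (i, _), n in vol.items() if n > ROLE_DAILY_LIMITS[roles[i]]})

def slow_aggregation_alerts(log, factor=3.0):
    """Low-and-slow detection: whole-window total compared with the median of
    peers in the same role, for identities that never tripped the daily limit."""
    vol, roles = daily_volumes(log)
    totals = defaultdict(int)
    for (i, _), n in vol.items():
        totals[i] += n
    spiked = set(bulk_access_alerts(log))
    by_role = defaultdict(list)
    for i, t in totals.items():
        by_role[roles[i]].append(t)
    alerts = []
    for i, t in totals.items():
        if i not in spiked and t > factor * median(by_role[roles[i]]):
            alerts.append(i)
    return sorted(alerts)
```

The spike check alone flags only admin_1; the window comparison is what surfaces agent_4, whose daily volume never crosses a threshold.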

The expert emphasized a strategic shift in incident response planning: "Many incident response plans still assume encryption equals impact and build playbooks for silent data exfiltration." Organizations should "prepare for data theft, not just ransomware," as these sophisticated attacks represent "identity as the new perimeter. If credentials are compromised, everything downstream is at risk."

This breach serves as a wake-up call for organizations worldwide, particularly those in the BPO sector, to reassess their security posture against increasingly sophisticated threat actors who exploit trust rather than technical vulnerabilities.