Executive Summary
In March 2026, Telus Digital, the business process outsourcing arm of Canadian telecommunications provider Telus, confirmed a significant data breach orchestrated by the cybercriminal group ShinyHunters. The attackers exploited Google Cloud Platform credentials obtained from a previous breach, enabling them to access Telus Digital's systems over several months. This intrusion led to the exfiltration of nearly 1 petabyte of sensitive data, including customer support records, call logs, and internal corporate information. The breach not only compromised Telus Digital's data but also affected numerous client companies relying on their services. ShinyHunters attempted to extort Telus Digital for $65 million, threatening to release the stolen data publicly. Telus Digital has since engaged cybersecurity experts and law enforcement to investigate and mitigate the breach's impact. This incident underscores the escalating threat posed by sophisticated cybercriminal groups like ShinyHunters, who have been linked to multiple high-profile data thefts and extortion campaigns targeting major organizations worldwide. Their tactics often involve exploiting misconfigured cloud services and leveraging stolen credentials to infiltrate systems, highlighting the critical need for robust security configurations and vigilant monitoring of cloud environments.
Why This Matters Now
The Telus Digital breach highlights the urgent need for organizations to secure cloud environments and monitor for credential misuse, as cybercriminal groups like ShinyHunters continue to exploit these vulnerabilities for large-scale data theft and extortion.
Attack Path Analysis
The ShinyHunters group initiated the attack by exploiting Google Cloud Platform credentials found in data stolen during the Salesloft Drift breach, leading to unauthorized access to Telus Digital's systems. They escalated privileges by using tools like trufflehog to search for additional credentials within the compromised data, enabling deeper access. The attackers moved laterally across Telus Digital's infrastructure, accessing various systems and data repositories. They established command and control by maintaining persistent access through the compromised credentials and possibly setting up backdoors. The exfiltration phase involved transferring nearly 1 petabyte of sensitive data, including customer information and call records, to external servers. Finally, the impact was significant, with the potential exposure of vast amounts of sensitive data and subsequent extortion attempts by the attackers.
Kill Chain Progression
Initial Compromise
Description
The attackers gained unauthorized access to Telus Digital's systems by exploiting Google Cloud Platform credentials found in data stolen during the Salesloft Drift breach.
MITRE ATT&CK® Techniques
Valid Accounts
Unsecured Credentials: Credentials in Files
Data from Cloud Storage
Exfiltration Over Web Service: Exfiltration to Cloud Storage
Data Encrypted for Impact
Inhibit System Recovery
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Secure storage of account data
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Telecommunications
Direct impact from Telus breach exposing call records, voice recordings, and customer data through compromised cloud credentials and inadequate egress controls.
Outsourcing/Offshoring
BPO operations compromised via stolen Google Cloud credentials, exposing multi-client data through lateral movement and insufficient zero trust segmentation controls.
Information Technology/IT
Cloud infrastructure vulnerabilities exposed through credential theft from SaaS platforms, highlighting critical need for encrypted traffic and anomaly detection capabilities.
Financial Services
Regulatory compliance risks from potential exposure of financial information and FBI background checks requiring enhanced data loss prevention and egress security.
Sources
- Telus Digital confirms breach after hacker claims 1 petabyte data thefthttps://www.bleepingcomputer.com/news/security/telus-digital-confirms-breach-after-hacker-claims-1-petabyte-data-theft/Verified
- ShinyHunters linked to SSO vishing attackshttps://cybernews.com/cybercrime/shinyhunters-link-sso-vishing-attacks-okta-paywall/Verified
- ShinyHunters uses vishing to breach Salesforce datahttps://dataconomy.com/2025/09/03/shinyhunters-uses-vishing-to-breach-salesforce-data/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have limited the attacker's ability to escalate privileges, move laterally, and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's initial access may have been constrained by enforcing identity-aware access controls, potentially limiting unauthorized entry points.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges could have been limited by enforcing strict segmentation policies, reducing unauthorized access to sensitive areas.
Control: East-West Traffic Security
Mitigation: The attacker's lateral movement may have been constrained by monitoring and controlling east-west traffic, reducing unauthorized system access.
Control: Multicloud Visibility & Control
Mitigation: The attacker's command and control channels could have been detected and disrupted by providing comprehensive visibility and control over multicloud environments.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's data exfiltration efforts may have been hindered by enforcing strict egress policies, reducing unauthorized data transfers.
The overall impact of the breach could have been mitigated by reducing the attacker's ability to access and exfiltrate sensitive data through enforced segmentation and access controls.
Impact at a Glance
Affected Business Functions
- Customer Support Operations
- Billing Services
- Internal Authentication Tools
- Content Moderation
Estimated downtime: N/A
Estimated loss: N/A
Potential exposure of customer support data, billing information, internal authentication credentials, and content moderation records.
Recommended Actions
Key Takeaways & Next Steps
- • Implement robust credential management practices, including regular rotation and monitoring of access credentials, to prevent unauthorized access.
- • Deploy Zero Trust Segmentation to enforce least privilege access and limit lateral movement within the network.
- • Utilize Threat Detection & Anomaly Response systems to identify and respond to suspicious activities promptly.
- • Enforce Egress Security & Policy Enforcement to monitor and control data exfiltration attempts.
- • Conduct regular security audits and penetration testing to identify and remediate vulnerabilities within the infrastructure.
