Telus Digital confirms breach as hackers claim 1PB data theft exposing BPO systems customer records and internal data raising major supply chain security risks.

Continue reading
Telus Digital has confirmed an unauthorized intrusion into some internal systems after a threat actor claiming to be ShinyHunters announced the theft of very large volumes of data (reports vary between ~700 TB and ~1 PB). Initial reporting and samples suggest stolen material spans multiple business units and includes BPO-held customer data, call records, and other sensitive artifacts; Telus says it’s working with forensics and law enforcement while notifying impacted parties.
Public reporting indicates the intrusion was discovered after a hacker group publicly claimed possession of a massive archive and offered it for extortion. The timeline reported by outlets shows the actors had persistent access for months, collecting data from BPO and cloud environments rather than executing an immediate destructive ransomware event; the goal appears to be lateral leverage and mass extortion. This is consistent with a strategic, low-and-slow exfiltration pattern rather than a quick disruptive attack.
Because Telus Digital operates BPO and business-services, exposure is multi-tenant: affected data may not belong solely to one company but to many of Telus Digital’s clients. Reported sample types include PII, call data/recordings, background-check material, and internal source code — each having different downstream risks: identity theft, fraud, regulatory fines (data protection laws), brand damage, and operational security issues (e.g., exposed source enabling further attacks). The potential scale (hundreds of terabytes to a petabyte) dramatically increases re-use and correlation risk across incidents.
Begin by isolating suspected ingress points: rotate and revoke any suspected compromised cloud credentials and service keys; disable implicated service accounts and suspend suspicious user accounts pending investigation. Ensure full capture of cloud audit logs (GCP Cloud Audit, AWS CloudTrail, Azure Activity Log); if logs are incomplete, note gaps and preserve any remaining telemetry immediately. Deploy a temporary deny-egress policy for systems used by the BPO environment while preserving forensic image capture. Engage legal and compliance for mandatory notifications and preserve evidence for law enforcement and forensic firms. Work with cloud providers to identify recent large list/list-objects and unusual API activity.
Patch identified gaps, implement least privilege and RBAC hardening for cloud IAM, and rotate all long-lived keys. Enforce MFA for all console/API access. Conduct a full credential inventory: remove unused service accounts, add key rotation, and require short-lived tokens where possible. Harden logging and retention: ensure immutable logs and centralize to SIEM with alerting on abnormal data egress and privilege escalation patterns. Run tabletop exercises for BPO-client notification and third-party risk assessment. Where source code is suspected exposed, treat it as compromised: revoke build credentials, re-issue secrets, and run code integrity and dependency scans.
Below are compact, actionable hunts you can paste into a SOC runbook (examples, adapt to your tooling and fields).
Hunt: find service accounts or API keys with large GET/LIST object volumes over a short window, or API calls from unusual IP ranges. Example (pseudo-Splunk / Kibana): `index=cloud_logs event_type="storage:read" | stats sum(bytes) by service_account | where sum(bytes) > 100000000000` — flag top consumers.
Hunt: interactive console sessions from new geolocations, or logins shortly after password resets. Example (pseudo): `index=auth_events action="login" user!=service_account | stats count by user, src_geo | where count>5 AND earliest<relative_time(now(), "-14d")`
Hunt: list multipart upload completions or large object copies between internal buckets and external endpoints. Hunt tip: focus on `CopyObject`, `ComposeObject`, `MultipartUploadComplete`, or GCP `objects.copy()` events.
Hunt: suspicious use of help-desk tooling, ticket exports, or automation accounts performing broad read actions across tenants.
Hunt: EDR telemetry for processes that create large encrypted archives, spawn SFTP/rsync/scp, or execute cloud CLI tooling from unexpected hosts.
If you want, I can convert these to Sigma rules or give concrete Splunk/Syslog examples for your environment next.
title: Suspicious Cloud Storage Bulk Read
logsource:
product: gcp
detection:
selection:
event_name: ["storage.objects.list","storage.objects.get"]
condition: selection | count by serviceAccountEmail > 1000 within 1h
falsepositives:
- legitimate backup or data analytics pipeline activity (validate owner)
level: highPrepare a concise incident memo: scope, known impact, containment steps, customer notification plan, and regulatory obligations by jurisdiction (PII breach thresholds vary). Prioritize transparency with affected customers while avoiding unnecessary technical detail in public statements. Allocate budget for third-party forensics and legal counsel. Ensure PR/legal coordinate language around “no evidence of service disruption” vs. “investigation ongoing” to avoid misstatements.

148 malicious npm packages masquerading as student proxy and school Wi-Fi bypass tools. Rather than compromising developers during installation