TELUS Digital probes suspected cloud data theft as ShinyHunters claims massive trove

A scam call that felt too real

The phone number on Hannah McLeod’s screen looked like it belonged to her phone company. The man on the line knew her full name, the exact amount of her last bill, the date she upgraded her device and the promotional offer she had declined six months earlier.

He said he was calling from TELUS about “unusual activity” on her account and offered to process a refund and a security check. Only when he asked her to read out a one-time passcode did McLeod hang up.

“I’ve had scam calls before, but never where they knew everything,” she wrote in a post on Reddit. “It felt like they were reading off my account screen.”

McLeod’s experience has circulated online as TELUS Digital—the global digital services arm of Canadian telecom giant TELUS Corp.—confirms it is investigating a cybersecurity incident that could rank among the largest data thefts ever disclosed by a Canadian company.

What TELUS has confirmed

TELUS says it identified “unauthorized access to a limited number of our systems” within TELUS Digital and has engaged outside cyber forensics experts while working with law enforcement.

In an online notice posted in mid-March, the company said it took “immediate steps to stop the activity and secure our systems,” and added that TELUS Digital operations “remain fully operational” with “no evidence of disruption to customer connectivity or services.”

TELUS has not publicly detailed how attackers gained access, how long they remained in its systems, or what volume of data—if any—was taken. The company has said it is “notifying impacted customers as appropriate.”

ShinyHunters’ claims: nearly a petabyte and a $65 million demand

On underground hacking forums, the data-extortion group ShinyHunters claims it stole almost a petabyte of data from TELUS Digital’s Google Cloud environment and attempted to extort US$65 million in exchange for deleting the material.

The group’s account, summarized by security news outlets including TechRadar Pro and BleepingComputer, alleges the attackers:

  • Used Google Cloud Platform credentials tied to TELUS Digital.
  • Accessed a BigQuery analytics environment.
  • Downloaded large datasets and searched for additional passwords and keys to move deeper into internal systems.

ShinyHunters claims it exfiltrated at least 700 terabytes of data, spanning customer information, internal code repositories and operational records.

None of these specifics have been independently verified by TELUS or police, and the company has not publicly responded to detailed technical questions.

A possible link to an earlier supply-chain breach

Security researchers say the TELUS case may sit at the end of a complicated supply-chain trail that began elsewhere.

According to reports about a separate 2025 campaign, threat actors compromised a GitHub account used by U.S.-based sales software vendor Salesloft and then pivoted into infrastructure used by its conversational marketing arm, Drift. Investigators later found that attackers stole OAuth access tokens—digital permission slips that allow one service to connect to another—enabling access to customers’ Salesforce and other cloud services.

Google’s threat intelligence team tracked that campaign under the identifier UNC6395, and ShinyHunters later took credit for it.

Researchers say cloud keys and tokens stolen in that earlier campaign were sometimes sold or reused long after disclosure, contributing to later intrusions at other organizations. TELUS has not said publicly whether it was a direct customer of Salesloft or Drift, or whether any TELUS credentials were exposed through those systems.

If ShinyHunters’ account is accurate, TELUS Digital would be a “downstream” victim—compromised not because its own environment was the first point of entry, but because credentials surfaced in data stolen from another company.

Why TELUS Digital is a high-value target

Formerly known as TELUS International, TELUS Digital runs contact centers and digital services operations across dozens of countries. It provides customer support, back-office processing, content moderation and AI data labeling for clients in telecommunications, technology, finance, gaming, media and healthcare.

That role can make firms like TELUS Digital major handlers of information belonging not only to their parent companies, but also to third-party clients and those clients’ end users.

TELUS has not specified what categories of information may have been accessed. But telecom and business process outsourcing firms commonly handle data such as names, addresses, phone numbers, billing records and customer support transcripts. Some operations also process identity-verification information, depending on the client and service.

Reports of convincing fraud—and what consumers can do

Online, some self-identified TELUS customers have reported a recent surge in convincing scam calls and phishing emails, including fraudsters who accurately recite historical billing information or account changes. These accounts cannot be definitively linked to the TELUS Digital incident, but privacy advocates say the timing raises concern.

Telecom account data is especially valuable because it can be used for targeted phishing, SIM-swap attempts and account takeover—potentially enabling attackers to intercept calls or text messages used for two-factor authentication.

Regulatory and legal stakes in Canada and beyond

As a national telecom and large data processor, TELUS is subject to Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) and various provincial privacy laws.

Since 2018, PIPEDA has required organizations to report to the Office of the Privacy Commissioner of Canada and notify affected individuals about breaches that pose a “real risk of significant harm,” including identity theft and financial loss.

Legal analysts say the alleged scale and sensitivity of the TELUS Digital incident would likely draw scrutiny from federal and provincial regulators, including in jurisdictions such as Alberta and Quebec, which have their own notification rules.

The incident also lands amid an unsettled reform landscape. Proposed federal legislation (Bill C-27, which would have replaced PIPEDA with a tougher Consumer Privacy Protection Act) lapsed when Parliament was prorogued in early 2025, leaving Canadian regulators with fewer enforcement powers than their counterparts in the European Union, where GDPR penalties can reach 4% of global annual revenue.

Given TELUS Digital’s international footprint, foreign regulators could also take interest if information tied to European Union residents, U.S. consumers, or sector-regulated data (such as healthcare or banking records) is implicated.

A broader lesson: the hidden risk of outsourced data flows

Security professionals say the incident underscores the challenge organizations face in mapping where sensitive data and credentials travel across cloud platforms and outsourced providers.

The earlier Salesloft-Drift campaign showed how a compromise in one vendor’s development tools could cascade into another’s cloud environment—and then into hundreds of customers’ systems. The TELUS Digital investigation, if the extortion group’s claims are borne out, would represent another step down that chain.

For customers like McLeod, the technical nuances of OAuth tokens and BigQuery datasets matter less than the everyday reality: a phone rings with a familiar number, and a stranger on the line seems to know far more than they should.

As TELUS and investigators work to determine what happened, regulators and lawmakers in Canada and abroad will be watching for answers—how many people are affected, what data was taken, and how long any unauthorized access lasted—and whether the incident becomes a catalyst for stronger data-protection rules.
