| Report Number: | EOTISEC-2026-002 |
| Date of Report: | 17 March 2026 |
| Classification: | UNCLASSIFIED |
| Originator: | EOTISEC Analytical Division |
| Report Title: | Telus Digital Data Breach: ShinyHunters Supply Chain Exploitation and Near-Petabyte Exfiltration |
| Subject: | Assessment of the ShinyHunters-attributed breach of Telus Digital, in which valid Google Cloud Platform credentials obtained during the 2025 Salesloft Drift supply chain compromise were used to access multiple Telus Digital systems, resulting in the claimed exfiltration of close to one petabyte of corporate and customer data spanning Telus Digital’s business process outsourcing operations and Telus Corporation consumer telecommunications infrastructure. |
| Prepared By: | Glenda. G. |
| Reviewed By: | Dr. Sam Liles |
| Distribution: | Unrestricted |
SECTION 2: SCOPE AND PURPOSE
This report examines the cybersecurity breach affecting Telus Digital, the business process outsourcing and digital services subsidiary of Telus Corporation, as reported in open source media between March 12 and March 16, 2026. The main question this report addresses is: What was the nature, scope, and attack method of the Telus Digital breach, and what are the implications for organizations that share data with or rely on third-party BPO and technology service providers? This report does not evaluate the financial valuation or investment implications of the breach. It also does not analyze the Loblaw, Starbucks, or Citrix incidents mentioned in peripheral sources, except where those events inform the overall threat landscape. Furthermore, it does not identify specific individuals within ShinyHunters. This report relies solely on open source information available as of March 16, 2026. No classified or proprietary sources were consulted.
SECTION 3: KEY JUDGMENTS
Judgment 1.
We assess that ShinyHunters successfully breached Telus Digital systems by exploiting Google Cloud Platform credentials obtained during the 2025 Salesloft Drift supply chain compromise, and that this access pathway was almost certainly the primary vector for the intrusion. The breach is likely to have resulted in the exfiltration of data on the order of hundreds of terabytes to close to one petabyte.
Confidence: Moderate. The GCP credential origin is consistent across multiple independent reporting outlets and corroborated by ShinyHunters’ own statements to BleepingComputer, but Telus Digital has not publicly confirmed the specific attack vector and forensic validation of total data volume is not available in open source reporting.
Judgment 2.
We assess that the breach was not a perimeter intrusion but a trusted-access abuse operation in which ShinyHunters used valid credentials to move laterally across Telus Digital systems over an extended period. The attackers are very likely to have maintained dwell time measured in months before detection.
Confidence: Moderate. BleepingComputer first received notification of the breach in January 2026 while the Salesloft Drift source breach from which initial credentials were obtained occurred in 2025. Industry commentary from Info-Tech Research Group supports the extended dwell characterization. No forensic confirmation of exact dwell time is available in open source reporting.
Judgment 3.
We assess that the data stolen almost certainly includes sensitive customer-identifying information, call data records, and operational data belonging to multiple companies that use Telus Digital as a BPO provider. The breach is likely to carry downstream compliance, regulatory, and contractual exposure for those companies, even if their own systems were not directly compromised.
Confidence: Moderate. Reuters confirmed receipt of data samples from ShinyHunters describing dozens of affected companies and multiple data categories. Independent verification of the full scope of affected organizations and complete data categories has not yet been established.
Judgment 4.
We assess that organizations using Telus Digital for outsourced customer support, content moderation, or AI services face a roughly even chance of having had customer data exposed in this breach. The probability varies significantly by the nature and volume of data each organization transmitted to Telus Digital.
Confidence: Low to Moderate. The source base identifies 28 named companies as potentially affected but BleepingComputer declined to publish those names and has not independently confirmed impact for each. The actual number of affected downstream organizations may be higher.
Judgment 5.
We assess that the $65 million ransom demand ShinyHunters presented to Telus in February 2026 is unlikely to be paid. Telus Digital has reportedly declined to engage with the threat actors. We judge that the attackers will very likely attempt public release or dark web sale of the stolen data.
Confidence: Moderate. Consistent reporting across Reuters, BleepingComputer, and CSO Online indicates that Telus is not communicating with ShinyHunters. ShinyHunters’ established operational pattern following non-payment in prior incidents has included data publication.
SECTION 4: SITUATION AND BACKGROUND
Telus Digital is the global digital services and business process outsourcing subsidiary of Telus Corporation, a major Canadian telecommunications company headquartered in Vancouver, British Columbia. Telus Digital provides customer support, content moderation, AI data services, fraud detection, and other outsourced operational functions to large enterprise clients that include technology companies, financial institutions, healthcare organizations, and media companies. Because BPO providers handle authentication, customer records, billing data, and operational systems for multiple enterprise clients through a single provider relationship, they represent high-value targets for threat actors seeking access to large volumes of cross-organizational data.
ShinyHunters is an extortion-focused cybercrime group that has been active since approximately 2020. The group specializes in data theft operations targeting Salesforce and other cloud SaaS environments. In recent months, ShinyHunters has expanded its methods to include voice phishing attacks in which group members impersonate IT support staff to capture employee credentials and MFA codes. The group has been attributed to breaches affecting companies including Google, Cisco, LVMH, Qantas, Jaguar Land Rover, PowerSchool, Panera Bread, Wynn Resorts, and Dutch wireless carrier Odido.
The foundational event enabling this breach was the 2025 Salesloft Drift supply chain compromise. In that incident, attackers compromised Salesloft’s GitHub environment and stole OAuth tokens from the Drift chatbot integration. Those tokens were used to access customer data stored in Salesforce for approximately 760 companies, including customer support tickets and case data. Mandiant reported that credentials and authentication tokens found within that data were subsequently used to breach additional platforms. ShinyHunters states they found Google Cloud Platform credentials for Telus Digital within the Salesloft Drift data. This is the reported source of initial access to Telus Digital’s environment.
Using the GCP credentials, ShinyHunters accessed Telus Digital systems including a large BigQuery instance. After downloading that data, the attackers used the open-source credential-scanning tool trufflehog to identify additional credentials embedded in the data, then used those credentials to pivot laterally into additional Telus systems. The breach encompasses both Telus Digital’s BPO operations and some elements of Telus Corporation’s consumer telecommunications infrastructure, including call data records. BleepingComputer received notice of the breach in January 2026 but could not obtain confirmation from Telus at that time. Telus publicly confirmed the breach on or around March 12, 2026. ShinyHunters has stated that it sent a ransom demand of $65 million to Telus in February 2026 and received no response.
Telus Digital issued a formal statement confirming unauthorized access to a limited number of systems, describing active investigation with cyber forensics experts and law enforcement, and noting that business operations and customer connectivity were unaffected. Telus reversed its 2021 spinoff of Telus Digital in September 2025, paying US$539 million to reacquire shares it did not already own. That transaction completed shortly before the breach became public.
This report represents initial analytical coverage of this incident. No prior EOTISEC assessment exists on this subject.
SECTION 5: ANALYSIS
5a. Attack Pathway and Technical Assessment
The source material indicates that ShinyHunters gained initial access to Telus Digital systems through GCP credentials discovered in data previously stolen from Salesloft. This is a textbook third-party credential harvesting scenario: an organization’s credentials were exposed not through a direct attack on that organization but through a compromise of a trusted downstream vendor. The organization had no direct line of defense against that initial theft.
Based on this reporting, we assess that the attack pattern reflects intentional targeting of the Telus Digital BPO environment specifically because of its value as an aggregator of multiple clients’ data. Attackers who breach a BPO provider do not acquire one company’s data; they acquire dozens. The reported use of trufflehog to scan downloaded data for embedded credentials demonstrates a systematic, methodical approach to lateral movement rather than opportunistic exploitation. This is consistent with ShinyHunters’ known operational profile.
LINCHPIN ASSUMPTION: The analysis rests on the accuracy of ShinyHunters’ stated attack pathway as reported by BleepingComputer. If the GCP credential vector is inaccurate or if the Salesloft Drift breach was not the actual source, the attack pathway described here is incorrect. Telus Digital’s forensic investigation has not publicly confirmed this vector. This assumption should be revisited when forensic findings become available.
Alternative Hypothesis 1: The breach may have originated through a separate, unrelated initial access vector, such as direct credential phishing of Telus Digital employees, exploitation of an unpatched vulnerability, or access obtained through a different supply chain relationship. We judge this alternative to be unlikely given the consistency of ShinyHunters’ statements across independent publications and the alignment of the stated vector with Mandiant’s published findings on the Salesloft Drift breach. It is possible but unlikely that ShinyHunters is fabricating or embellishing the attack origin to obscure a simpler intrusion method.
5b. Dwell Time and Detection Lag
The source material indicates that BleepingComputer first received reports of the breach in January 2026 while the Salesloft Drift source breach occurred in 2025. The ransom demand arrived in February 2026. Telus did not publicly confirm the breach until March 12, 2026. This sequence implies a dwell period of several months between initial access and public disclosure.
Based on this reporting, we assess that the extended dwell time reflects the nature of the attack: slow, methodical data staging using valid credentials generates traffic that appears legitimate to conventional perimeter and signature-based detection. This is consistent with the CSO Online commentary from Info-Tech Research Group’s principal security advisor, who characterized the breach as an abuse of legitimate trusted access rather than overt technical exploitation.
The detection lag creates compounding risk for Telus Digital’s enterprise customers. If customer data was accessible to ShinyHunters for multiple months, that data may have been shared, sold, or used to enable secondary attacks against those customers prior to any notification. Organizations that received breach notifications from Telus Digital should assess whether any anomalous activity within their own environments during the preceding months warrants investigation.
5c. Scope of Compromised Data
The source material, primarily from BleepingComputer, describes the stolen data as including customer support records, call center agent performance ratings, AI-powered customer support data, fraud detection information, content moderation data, source code, FBI background check data, Salesforce data, financial information, call data records with metadata, voice recordings, and campaign data. Data types vary by client and business function.
We assess that the breadth of data categories reflects the full operational scope of Telus Digital’s services. Because Telus Digital acts as an outsourced operations provider, it necessarily holds substantial volumes of each client’s operational data. The presence of FBI background check data suggests that at least some Telus Digital clients are subject to federal contracting requirements or operate in sectors requiring government-grade background investigations. The compromise of this data category carries heightened sensitivity.
Alternative Hypothesis 2: ShinyHunters may be overstating the volume and sensitivity of data stolen in order to maximize leverage for ransom payment and increase reputational damage to accelerate payment or generate publicity. We judge this alternative to be possible but unlikely to substantially change the overall threat picture. Even a partial exfiltration of the data categories described would represent a serious breach given the sensitivity of call records, voice recordings, source code, and background check information.
5d. Implications for Third Parties Using Telus Digital Services
The downstream risk to Telus Digital’s enterprise customers is the most significant analytical concern in this assessment. Companies that use Telus Digital for BPO operations should assess whether they have contractual data incident notification rights, what data they transmitted to or stored with Telus Digital in the relevant period, and whether applicable privacy regulations such as PIPEDA, GDPR, CCPA, or HIPAA require independent breach notifications to their own customers.
Organizations subject to U.S. federal contracting requirements, including DFARS, NIST 800-171, or CMMC obligations, should assess whether data processed by Telus Digital included controlled unclassified information or covered defense information. If it did, the contracting organization likely has independent reporting obligations to the relevant government agencies regardless of whether Telus Digital provides formal breach notification. The presence of FBI background check data in the reported stolen trove raises the probability that some Telus Digital clients are federal contractors or regulated entities with elevated reporting responsibilities.
We assess that the incident almost certainly represents a supply chain security failure from the perspective of Telus Digital’s downstream customers. Those customers outsourced operational functions to Telus Digital under an assumption that Telus Digital maintained security controls adequate to protect shared data. The failure originated not at the network perimeter but in the credential management and third-party vendor risk management practices of Telus Digital’s own supply chain, specifically its relationship with Salesloft. This chain-of-trust failure illustrates the recursive nature of third-party risk: an organization’s security posture is bounded not just by its own controls but by the controls of every vendor with access to its data, and by the controls of every vendor that those vendors themselves use.
5e. Threat Actor Assessment: ShinyHunters
ShinyHunters continues to demonstrate a level of operational discipline and methodological consistency that distinguishes it from opportunistic criminal groups. The group’s focused targeting of cloud SaaS environments, systematic credential harvesting from compromised data, and use of legitimate tooling such as trufflehog to expand access within breached environments all reflect a mature and deliberate operational model. The group’s recent expansion into voice phishing to capture SSO credentials adds a social engineering dimension that extends its reach into organizations with strong technical controls but weaker human-factor defenses.
The group’s willingness to contact media directly, share data samples with journalists, and issue public extortion demands reflects a secondary objective of generating reputational pressure on victims to pay ransoms. This behavior is consistent across ShinyHunters’ handling of previous victims. Organizations that do not engage with the group should expect escalating public disclosure as the group’s primary tool to compel payment.
This report covers the incident as reported through March 16, 2026. Future reporting will address confirmed forensic findings, data publication activity, and downstream regulatory and legal developments.
SECTION 6: INFORMATION GAPS AND COLLECTION REQUIREMENTS
1. Forensic confirmation of the attack vector. What is unknown: Whether Telus Digital’s forensic investigation confirms the GCP credential pathway from the Salesloft Drift breach as the actual initial access vector. Why it matters: This is a linchpin assumption for the entire attack pathway assessment. If confirmed, it validates the supply chain exploit characterization. If refuted, the assessment of how the attack was executed requires revision. Collection needed: Official Telus Digital forensic findings or public statements from the forensic investigation team or law enforcement.
2. Confirmed identity and volume of affected downstream clients. What is unknown: The names and total number of companies whose data was exposed. BleepingComputer was provided 28 names but declined to publish them without independent verification. Why it matters: The scope of downstream regulatory and legal exposure depends heavily on which industries and jurisdictions are represented among the affected clients. Collection needed: Official notification letters from Telus Digital to affected customers, regulatory disclosures, or independent confirmation from named companies.
3. Actual volume of exfiltrated data. What is unknown: The confirmed total volume of data removed from Telus Digital systems. Reports range from 700 terabytes to close to one petabyte depending on the source and timing of reporting. Why it matters: Volume affects the scope of remediation, notification obligations, and the credibility of the extortion demand. Collection needed: Forensic findings from Telus Digital or law enforcement.
4. Identity of federal contractors or regulated entities among affected clients. What is unknown: Whether any of the 28 or more affected companies are subject to U.S. federal contracting requirements, HIPAA, or other regulatory frameworks that impose independent breach reporting obligations. Why it matters: If federal contractors are among the affected parties, the incident may have national security implications beyond commercial data exposure. Collection needed: Public records of Telus Digital client relationships, regulatory filings, and federal contracting disclosures.
5. Status of ransom negotiation and data publication timeline. What is unknown: Whether ShinyHunters has posted or sold any portion of the stolen data following Telus Digital’s refusal to negotiate. Why it matters: Data publication or sale would trigger a new phase of downstream harm and require notification assessments for affected clients. Collection needed: Dark web monitoring, threat intelligence feeds, and continued open source reporting tracking ShinyHunters operational activity.
6. Scope of the Salesloft Drift credential exposure affecting other organizations. What is unknown: How many other organizations had credentials exposed in the Salesloft Drift breach that have not yet been exploited. Why it matters: The Telus Digital breach may be one of multiple exploitation campaigns flowing from the same credential pool. Other organizations may face breaches using the same attack pathway. Collection needed: Mandiant’s full reporting on the Salesloft Drift breach and updates from affected organizations.
SECTION 7: SOURCE SUMMARY STATEMENT
This report rests entirely on open-source commercial news and industry reporting published between March 12 and March 16, 2026. No classified, proprietary, or first-party forensic sources were used. The source base is recent and directly relevant to the subject matter.
The most significant sources for this report are the BleepingComputer article authored by Lawrence Abrams dated March 12, 2026, and the Cybersecurity Dive article authored by Eric Geller dated March 16, 2026. Both outlets have an established record of cybersecurity incident reporting and have published extensively on ShinyHunters. BleepingComputer in particular received direct communications from ShinyHunters and reviewed data samples, which confers elevated credibility relative to outlets relying solely on Telus Digital’s public statements.
Reuters reporting from March 12, 2026 provides independent corroboration of data sample content based on material shared by ShinyHunters directly with Reuters journalists. The Canadian Press reporting from March 13, 2026 captures official Telus Digital spokesperson statements. TechRadar Pro and SC Staff reporting add additional corroborating detail without presenting new primary source material.
Simply Wall St analyst commentary from March 14, 2026 was reviewed for unique technical details but is primarily a financial analysis product and was not used as a source for technical or threat assessments.
The principal limitation of this source base is its dependence on ShinyHunters’ self-reported account of the attack methodology and data volumes. ShinyHunters has a direct incentive to overstate the scope of the breach to maximize ransom leverage and reputational damage. All size estimates and attack vector claims attributed to ShinyHunters should be treated as unverified pending forensic confirmation. Telus Digital’s own public statements are limited to confirmations of unauthorized access and active investigation, and do not confirm or deny the specific claims made by ShinyHunters. The risk of denial and deception in this source environment is rated moderate: ShinyHunters has an incentive to exaggerate, and Telus Digital has an incentive to minimize.
SECTION 8: ICD 503 CONSIDERATIONS
This section is applicable. The subject matter is entirely within the information technology, cybersecurity, and supply chain risk domains.
Risk to Information Systems. The breach exposed the fundamental vulnerability of cloud-hosted BPO environments that aggregate sensitive data across multiple enterprise clients. The BigQuery instance accessed by ShinyHunters represents a high-value data store that concentrated data across Telus Digital’s entire client base. Cloud data warehousing and analytics environments of this type frequently contain derived data, reporting outputs, and operational extracts that carry higher sensitivity than the individual transactions from which they are built. The presence of hardcoded or embedded credentials within data stored in cloud environments, discoverable through tools like trufflehog, represents a systemic credential hygiene failure.
NIST Risk Management Framework Alignment. Framed against the NIST Risk Management Framework as incorporated by ICD 503, the Telus Digital breach illustrates failures at multiple control levels. The Identify function failed to account for the risk that valid credentials held by or discoverable from a third-party vendor could be used to gain initial access. The Protect function failed to enforce least-privilege access controls on the BigQuery environment and to prevent lateral movement from an initial foothold. The Detect function failed to identify anomalous bulk data access and exfiltration over what is assessed to be a multi-month period. The Respond function was delayed, with public confirmation coming months after the initial compromise. The Recover function is currently active but its scope remains undefined in open source reporting.
Authorization, Certification, and Accreditation. The source material does not reference any authorization, certification, or accreditation status for Telus Digital systems under ICD 503 or equivalent frameworks. It is unknown from open source reporting whether Telus Digital maintained FedRAMP authorization, SOC 2 certification, or other relevant security certifications applicable to the systems compromised.
Continuous Monitoring Implications. The extended dwell time assessed in this report indicates that Telus Digital’s continuous monitoring posture was insufficient to detect anomalous data access patterns consistent with the described attack. Data-centric monitoring with behavioral baselines for user and service account activity against large cloud data stores, combined with threshold alerting for bulk access operations, represents the minimum monitoring posture needed to detect this class of attack. Organizations reviewing their own monitoring programs following this incident should specifically assess whether their monitoring tools distinguish between normal operational access and access patterns indicative of data staging.
Supply Chain Risk. The Telus Digital breach is fundamentally a supply chain security incident from the perspective of Telus Digital’s enterprise clients. It also has a recursive supply chain dimension: Telus Digital was compromised through credentials exposed in its vendor’s (Salesloft’s) breach of a sub-vendor (Drift). This recursive chain illustrates the depth to which supply chain risk can propagate and the inadequacy of point-in-time vendor assessments that do not account for the vendor’s own third-party dependencies. Organizations with third-party risk management programs should assess whether their vendor questionnaires and contracts address vendor-of-vendor risk, require vendors to disclose when their own supply chain experiences a breach that could expose credentials used to access the contracting organization’s data, and impose contractual obligations to notify upon discovery of credential exposure in third-party breaches.
Insider Threat and Advanced Persistent Threat Dimensions. ShinyHunters does not meet the traditional definition of an advanced persistent threat in the nation-state sense, but its operational characteristics in this incident closely mirror APT methodology: extended dwell time, legitimate credential use, lateral movement, and patient data staging. Organizations that rely on perimeter defense and malware-detection-focused monitoring programs will not reliably detect this class of adversary. The attack also created conditions functionally similar to an insider threat, in that the attacker operated with valid credentials and legitimate-appearing access patterns for an extended period.
ATT&CK Technique Mapping. The following MITRE ATT&CK Enterprise techniques are assessed as applicable to the Telus Digital breach based on the source material. Rows marked REPORTED reflect techniques directly described in source material. Rows marked ASSESSED reflect analytical inferences not explicitly confirmed.
| Technique ID | Technique Name | Tactic | Application to This Incident |
| --- | --- | --- | --- |
| T1078.004 | Valid Accounts: Cloud Accounts | Initial Access | REPORTED. ShinyHunters used GCP cloud account credentials obtained from the Salesloft Drift breach to gain initial access to Telus Digital systems. Telus Digital did not detect the use of these credentials as anomalous at the time of initial access. |
| T1528 | Steal Application Access Token | Credential Access | REPORTED. The Salesloft Drift breach involved theft of OAuth tokens from the Drift chatbot integration. These tokens enabled access to Salesforce data for hundreds of organizations. The Telus GCP credentials were discovered within that data, making this technique foundational to the attack chain. |
| T1552.001 | Unsecured Credentials: Credentials in Files | Credential Access | REPORTED. ShinyHunters used the open-source tool trufflehog to scan data downloaded from the Telus BigQuery instance for embedded credentials. This technique yielded additional credentials enabling lateral movement into other Telus systems. |
| T1530 | Data from Cloud Storage | Collection | REPORTED. ShinyHunters downloaded a large BigQuery instance containing Telus Digital data. Bulk download of this instance constitutes direct data collection from cloud storage infrastructure. |
| T1210 | Exploitation of Remote Services | Lateral Movement | ASSESSED. Based on ShinyHunters’ described use of credentials found via trufflehog to access additional Telus systems beyond the initial BigQuery instance, we assess that lateral movement across remote services occurred. Specific services accessed beyond BigQuery are not confirmed in open source reporting. |
| T1567.002 | Exfiltration Over Web Service: Exfiltration to Cloud Storage | Exfiltration | ASSESSED. The scale of exfiltration (close to one petabyte) and the use of cloud infrastructure throughout the attack environment suggest data was staged and exfiltrated through cloud services rather than traditional C2 channels. Specific exfiltration channels are not confirmed. |
| T1657 | Financial Theft | Impact | REPORTED. ShinyHunters demanded $65 million from Telus Digital in exchange for not publishing stolen data. This constitutes an extortion operation using stolen data as leverage, mapping to the Financial Theft technique in the context of data-leveraged extortion. |
| T1566.004 | Phishing: Voice Phishing | Initial Access | REPORTED (for ShinyHunters generally; not confirmed specific to this incident). Source material describes ShinyHunters conducting vishing campaigns impersonating IT support staff to harvest SSO credentials. This technique is noted as part of the group’s current operating methodology and may represent a future access vector for follow-on operations. |
Note: Source material does not provide sufficient detail to map specific techniques for the Reconnaissance or Resource Development phases of the kill chain. The attack’s pre-access activities are inferred from the Salesloft Drift breach reporting but are not independently confirmed for the Telus-specific campaign.
D3FEND Countermeasure Mapping. The following MITRE D3FEND defensive countermeasures are mapped to the ATT&CK techniques identified above.
| D3FEND Technique | D3FEND ID | Addresses ATT&CK | Application and Priority |
| --- | --- | --- | --- |
| Multi-Factor Authentication | D3-MFA | T1078.004, T1566.004 | Enforcing MFA on all cloud account access, including service accounts and administrative GCP credentials, would have materially increased the cost of exploiting the stolen GCP credentials. Phishing-resistant MFA such as FIDO2 hardware tokens provides stronger mitigation than TOTP-based codes. HIGH PRIORITY: This countermeasure directly addresses the primary assessed attack vector. |
| Credential Hardening | D3-CH | T1528, T1552.001 | Implementing controls to detect and prevent embedding of credentials in data stores, configuration files, and support tickets would have reduced the effectiveness of ShinyHunters’ trufflehog scanning. Secrets management tooling, pre-commit hooks, and automated credential scanning address this class of exposure. HIGH PRIORITY: Embedded credential discovery was the mechanism for lateral movement in this incident. |
| User Behavior Analysis | D3-UBA | T1078.004, T1210 | Behavioral analytics establishing baselines for cloud account access patterns and flagging anomalous bulk queries, downloads, or lateral movement would have detected the extended dwell period. This countermeasure is specifically relevant to attacks using valid credentials, where signature-based detection provides no signal. HIGH PRIORITY: The multi-month undetected dwell time is the single most consequential failure in this incident. |
| Data Access Policy Enforcement | D3-DAPE | T1530, T1210 | Implementing granular access controls on the BigQuery instance, enforcing least-privilege principles, and requiring justification for bulk data access operations would have restricted the scope of data accessible following initial credential compromise. MODERATE PRIORITY: This countermeasure addresses the data collection phase rather than the initial access vector but would have substantially limited the volume of data accessible to the attacker. |
| Network Traffic Analysis | D3-NTA | T1567.002 | Monitoring for anomalous outbound data transfer volumes from cloud storage services would have created detection opportunities during the exfiltration phase. Given the scale of the assessed exfiltration, even coarse volume threshold alerting should have generated detectable signals. MODERATE PRIORITY: This countermeasure addresses the exfiltration phase and would have reduced the total volume stolen even if it did not prevent initial access. |
| Supply Chain Security | D3-SCS | T1528, T1078.004 | Requiring vendors to disclose breaches affecting credentials that could be used to access the organization’s systems and implementing contractual requirements for vendor-of-vendor security posture assessments would have created notification triggers when the Salesloft Drift breach occurred. MODERATE PRIORITY: This countermeasure addresses the supply chain origin of the initial credential exposure. |
| Credential Compromise Scope Analysis | D3-CCSA | T1078.004, T1528 | Systematic analysis of credential exposure following third-party breaches, including scanning owned data stores for credentials that may have been exposed in vendor incidents, provides an opportunity to detect and rotate compromised credentials before exploitation. Applied following the Salesloft Drift breach, this process may have identified the GCP credentials before ShinyHunters used them. LOW TO MODERATE PRIORITY: Highly effective as a detection gap closure but requires organizational awareness of third-party breach events and a systematic response program. |
Both the ATT&CK and D3FEND mappings in this section are based on open source reporting as of March 16, 2026, and should be updated as confirmed forensic findings become available. Technique mappings marked as ASSESSED should be validated against environmental telemetry before making defensive investment decisions. Priority designations in the D3FEND table are grounded in the specific attack pattern identified in this report and should not be treated as generic ratings applicable to other incident types.
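As an added example (not from the report or any of its sources), the baseline-and-deviation check that the D3-UBA and D3-NTA rows describe, run over constructed, simplified access records standing in for fields one would extract from cloud audit logs; the principal name, resource names, z-score and 10 TB absolute threshold are assumptions.

```python
from collections import defaultdict
from statistics import mean, pstdev

# Constructed sample (assumed names and sizes): a service account reads a few
# GB/day from one dataset for two weeks, then on day 15 pulls hundreds of TB
# from several resources it has never touched before.
RECORDS = [
    {"day": d, "principal": "svc-analytics@example.iam", "service": "bigquery",
     "resource": "ds.call_metrics", "bytes": 3 * 10**9 + i * 10**8}
    for i, d in enumerate(range(1, 15))
] + [
    {"day": 15, "principal": "svc-analytics@example.iam", "service": "bigquery",
     "resource": "ds.call_metrics", "bytes": 40 * 10**12},
    {"day": 15, "principal": "svc-analytics@example.iam", "service": "bigquery",
     "resource": "ds.background_checks", "bytes": 12 * 10**12},
    {"day": 15, "principal": "svc-analytics@example.iam", "service": "storage",
     "resource": "bucket.recordings", "bytes": 300 * 10**12},
]

def build_baseline(records, baseline_days):
    """Per principal: (mean, stdev) of daily bytes and the resources touched."""
    daily = defaultdict(lambda: defaultdict(int))
    seen = defaultdict(set)
    for r in records:
        if r["day"] in baseline_days:
            daily[r["principal"]][r["day"]] += r["bytes"]
            seen[r["principal"]].add((r["service"], r["resource"]))
    stats = {}
    for p, per_day in daily.items():
        vals = list(per_day.values())
        stats[p] = (mean(vals), pstdev(vals))
    return stats, seen

def detect(records, baseline_days, z=3.0, abs_threshold=10 * 10**12):
    """Flag first-seen resources and daily volumes beyond z-score or absolute caps."""
    stats, seen = build_baseline(records, baseline_days)
    alerts, per_day = [], defaultdict(int)
    for r in records:
        if r["day"] in baseline_days:
            continue  # the baseline window is assumed clean
        per_day[(r["principal"], r["day"])] += r["bytes"]
        if (r["service"], r["resource"]) not in seen.get(r["principal"], set()):
            alerts.append(("NEW_RESOURCE", r["principal"], r["day"], r["resource"]))
    for (p, day), total in per_day.items():
        mu, sigma = stats.get(p, (0.0, 0.0))
        # Absolute cap catches exfiltration-scale volume even when no baseline exists
        if total > abs_threshold or total > mu + z * max(sigma, 1.0):
            alerts.append(("VOLUME", p, day, total))
    return alerts
```

Signature-based tooling sees nothing here because the identity is valid; only the deviation from the principal's own history and the first-time access to new resources produce signal.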
SECTION 9: ANALYTIC TRADECRAFT SELF-CERTIFICATION
This section certifies that the report was produced in conformance with ICD 203 Analytic Standards.
Objectivity: CONFIRMED. No advocacy, personal preference, or policy bias is present. Telus Digital’s public statements and ShinyHunters’ claims are treated with equivalent skepticism. Financial commentary from analyst sources was excluded from the analytical assessment.
Independence of Political Consideration: CONFIRMED. No judgment was shaped to support any particular outcome or audience preference. The finding that Telus Digital’s monitoring and credential management controls failed is stated directly.
Timeliness: CONFIRMED. All source material was published between March 12 and March 16, 2026, within five days of the incident becoming public. The report addresses matters currently actionable by affected organizations.
Based on All Available Sources: CONFIRMED. All source material provided was considered. Gaps requiring additional sources to reduce uncertainty are documented in Section 6.
Source Credibility Described: CONFIRMED. Source quality is addressed in Section 7, including characterization of ShinyHunters’ incentive to overstate and Telus Digital’s incentive to minimize.
Uncertainty Expressed: CONFIRMED. ICD 203 probability and confidence language is used consistently throughout. Probability terms and confidence-level terms are never combined in the same sentence.
Assumptions Distinguished from Facts: CONFIRMED. All assumptions are labeled. The linchpin assumption regarding the Salesloft Drift credential pathway is identified and labeled explicitly in Section 5a.
Alternatives Incorporated: CONFIRMED. Two alternative hypotheses are addressed in Sections 5a and 5c. Each is assessed against the primary judgment using ICD 203 probability language.
Customer Relevance Addressed: CONFIRMED. Implications for organizations using Telus Digital as a BPO provider, for federal contractors and regulated entities among affected clients, and for organizations reviewing third-party risk programs are addressed specifically in Section 5d.
Clear and Logical Argumentation: CONFIRMED. Key judgments are stated in Section 3. All judgments are supported by evidence and reasoning in Section 5. Analytical inferences are distinguished from reported facts throughout.
ATT&CK and D3FEND Mapping Completed: CONFIRMED. ATT&CK technique mapping and D3FEND countermeasure mapping are included in Section 8. REPORTED and ASSESSED technique attributions are distinguished in the Application column. Priority designations in the D3FEND table are grounded in the specific incident and attack pattern.
SECTION 10: ENDNOTES (Partial List of Sources)
1. Classification: Unclassified. Title: “Telus Digital confirms breach after hacker claims 1 petabyte data theft.” Publisher: BleepingComputer. Author: Lawrence Abrams. Date: March 12, 2026. URL: https://www.bleepingcomputer.com. Source descriptor: Commercial cybersecurity news outlet with a sustained record of incident reporting and direct communication with threat actors. BleepingComputer received data samples from ShinyHunters and confirmed call center record content. High credibility for technical and operational details; threat actor self-reporting requires corroboration.
2. Classification: Unclassified. Title: “Telus Digital confirms hack as ShinyHunters claims credit for massive data theft.” Publisher: Cybersecurity Dive. Author: Eric Geller. Date: March 16, 2026. Source descriptor: Commercial cybersecurity trade publication. This is the most recent and comprehensive aggregation of incident details available in the source base. Moderate to high credibility; relies on BleepingComputer and Reuters as primary sources.
3. Classification: Unclassified. Title: “Canadian telecom Telus says it’s investigating a cyber-breach.” Publisher: Bloomberg News via Financial Post. Authors: Thomas Seal and Margi Murphy. Date: March 12, 2026. Source descriptor: Major commercial news wire. Bloomberg received data samples directly from ShinyHunters. High credibility for reported data categories and ShinyHunters extortion demand details.
4. Classification: Unclassified. Title: “Telus says it is investigating hack of its systems.” Publisher: Reuters. Author: AJ Vicens. Date: March 12, 2026. Source descriptor: Major international news wire. Reuters received and reviewed data samples from ShinyHunters. High credibility for confirming stolen data categories including personally identifiable information, call data, and background check information.
5. Classification: Unclassified. Title: “Hackers reportedly stole nearly 1,000TB of data from Telus Digital.” Publisher: MobileSyrup. Author: Dean Daley. Date: March 12, 2026. Source descriptor: Canadian technology news publication. Adds detail regarding Salesloft Drift credential origin and trufflehog tool use, attributed to BleepingComputer. Moderate credibility; secondary sourcing.
6. Classification: Unclassified. Title: “Telus Digital confirms breach after hacker claims 1 petabyte data theft.” Publisher: TechRadar Pro. Author: Sead Fadilpasic. Date: March 13, 2026. Source descriptor: Commercial technology news publication. Adds detail on ShinyHunters’ use of GCP credentials from the Salesloft Drift breach and the BigQuery access vector. Moderate credibility; secondary sourcing from BleepingComputer.
7. Classification: Unclassified. Title: “Telus Digital hit with massive data breach.” Publisher: CSO Online. Date: March 12, 2026. Source descriptor: Commercial security trade publication. Includes primary commentary from Fritz Jean-Louis, principal cybersecurity advisor at Info-Tech Research Group, characterizing the attack as trusted-access abuse with extended dwell time. Moderate to high credibility for analytical characterization.
8. Classification: Unclassified. Title: “Telus Digital investigates cyberattack on ‘limited number’ of its systems.” Publisher: The Canadian Press. Date: March 13, 2026. Source descriptor: Official Canadian national news wire. Contains official spokesperson statements from Telus Digital’s Richard Gilhooley confirming investigation, forensics engagement, and law enforcement cooperation. High credibility for official organizational response characterization.
9. Classification: Unclassified. Title: “Telus Digital affirms hack following ShinyHunters assertions.” Publisher: SC Staff (SC Magazine). Date: March 13, 2026. Source descriptor: Commercial security news publication. Adds detail on ShinyHunters’ $65 million ransom demand and Telus Digital’s rejection. Moderate credibility; aggregates reporting from BleepingComputer.
10. Classification: Unclassified. Title: “Outsourcer Telus admits to attack – may have lost a petabyte of data to ShinyHunters.” Publisher: The Register. Authors: Jessica Lyons and Connor Jones. Date: March 15, 2026. Source descriptor: Commercial technology and security news publication. Provides summary of the incident within a broader security roundup. Moderate credibility; secondary sourcing from BleepingComputer and Telus public statements.
11. Classification: Unclassified. Title: TELUS Cybersecurity Breach analyst commentary (two articles). Publisher: Simply Wall St. Dates: March 14 and March 15, 2026. Source descriptor: Investment analyst commentary reviewed for unique technical details only. Not used for technical or threat as