
The TELUS Digital Breach: Why Cookie-Cutter Security Fails

Serge Gatezh

On March 12, a Canadian tech giant confirmed every business owner’s worst nightmare: hackers had been inside their systems for months, quietly siphoning off nearly one petabyte of data. That’s roughly 1,000 terabytes — enough to hold every book ever written, several times over.

The company was TELUS Digital, the business process outsourcing arm of one of Canada’s largest telecommunications companies. The attackers? A notorious hacking group called ShinyHunters — the same group linked to breaches at Ticketmaster, Santander, and dozens of other companies — demanding $65 million in ransom.

But what’s most alarming isn’t the scale. It’s how it happened.

They Didn’t Break In — They Walked In

ShinyHunters didn’t exploit some exotic zero-day vulnerability. They didn’t brute-force a password. They found Google Cloud Platform credentials buried in data stolen from an entirely different company — a 2025 breach of Salesloft’s Drift chatbot integration that exposed data from roughly 760 organizations.

Those credentials opened the door to TELUS Digital’s BigQuery databases. From there, the attackers used an open-source tool called Trufflehog — normally a defensive security tool — to scan the downloaded data for more credentials, pivoting from system to system, deeper and deeper into TELUS infrastructure. Their exfiltration was slow and controlled, designed to look like normal traffic.

As Fritz Jean-Louis, a principal cybersecurity advisor at Info-Tech Research Group, put it:

“Attackers no longer need to ‘break in’ if they can blend in.”

The breach went undetected for months. Multi-month dwell time. Massive data volumes. Delayed detection. These aren’t the hallmarks of a sophisticated technical exploit — they’re signs that legitimate access was abused, and nobody noticed.
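The slow, controlled exfiltration described above stays under any per-day volume alarm, so a detection has to look at cumulative reads per identity over a longer window. The following is an added example, not code from the original post or from TELUS; the principal names, volumes and both thresholds are constructed assumptions.

```python
from collections import defaultdict

GB = 10**9

# Constructed sample: (day, principal, bytes_read) rows from a hypothetical
# warehouse audit export. Principal names and volumes are invented.
RECORDS = (
    [(d, "svc-reporting", 40 * GB) for d in range(1, 31)]
    + [(d, "etl-nightly", 120 * GB if d == 10 else 5 * GB) for d in range(1, 31)]
)


def per_day(records):
    """Sum bytes read per principal per day."""
    totals = defaultdict(lambda: defaultdict(int))
    for day, principal, nbytes in records:
        totals[principal][day] += nbytes
    return totals


def daily_alerts(records, daily_limit):
    """Naive check: principals with any single day above daily_limit."""
    return {p for p, days in per_day(records).items()
            if max(days.values()) > daily_limit}


def window_alerts(records, window_days, window_limit):
    """Cumulative check: first day on which a principal's trailing
    window_days total exceeds window_limit, with that total."""
    flagged = {}
    for principal, days in per_day(records).items():
        for end in sorted(days):
            total = sum(b for d, b in days.items()
                        if end - window_days < d <= end)
            if total > window_limit:
                flagged[principal] = (end, total)
                break
    return flagged


if __name__ == "__main__":
    # Assumed thresholds: 100 GB per day, 500 GB per trailing 14 days.
    print("daily :", daily_alerts(RECORDS, 100 * GB))
    print("window:", window_alerts(RECORDS, 14, 500 * GB))
```

The daily check fires only on the one-off spike from the batch job, while the steady 40 GB/day reader is caught only by the trailing-window total.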

What Was Stolen

The scope of the breach is staggering. The stolen data reportedly includes:

  • Customer support records and call center operations data
  • Voice recordings of support calls
  • Agent performance metrics and AI-driven support tooling
  • Source code and financial records
  • FBI background checks on employees
  • Salesforce data and fraud detection systems
  • Call records from TELUS’s consumer telecom division — including when calls were placed, their duration, and who was calling whom

ShinyHunters named 28 client companies as affected, though those claims haven’t been independently verified.

Here’s the uncomfortable truth that this breach exposes: TELUS Digital is not a small company with a shoestring security budget. They’re a publicly traded corporation with dedicated security teams, enterprise tooling, and compliance frameworks.

TELUS stock dropped nearly 7% in the 30 days following the breach, and analysts are now questioning the impact on enterprise client confidence. This is a company with real resources — and it still wasn’t enough.

The breach succeeded because of something no off-the-shelf security product can fully protect against — a chain of trust that spanned multiple vendors, cloud platforms, and credential stores, all connected in ways that were unique to TELUS Digital’s environment.

This is the fundamental problem with cookie-cutter security:

  1. Generic tools protect against generic threats. If an attacker is using your specific cloud credentials from your specific third-party vendor’s breach, no one-size-fits-all firewall rule is going to catch that.

  2. Compliance checklists aren’t security strategies. You can tick every box on a SOC 2 audit and still have stolen credentials sitting in a dataset you don’t even know was compromised.

  3. Vendor sprawl creates invisible attack surfaces. Every SaaS tool, every integration, every OAuth token is a potential link in a chain an attacker can exploit. Understanding your specific chain requires someone who understands your business.

The Big-Name Trap

There’s a reason so many businesses — small ones especially — sign up with large security vendors. The sales pitch is reassuring. The logo is recognizable. The slide deck is polished. You walk out of the meeting thinking, “We’re covered.”

But here’s the reality: to that vendor, you’re account #4,782. Your contract is a line item. Your onboarding is a template. The sales team that made you feel like a priority moves on to the next prospect the moment the deal closes.

Nobody at that big security company is going to sit down and trace how your QuickBooks instance connects to your cloud storage, which syncs to your CRM, which has an OAuth token from a marketing tool you forgot you installed two years ago. They don’t know your business well enough to do that — and they have no economic incentive to try. They sell a product. They don’t learn your operation.

This creates a dangerous gap between what you think you’re getting and what you actually have. You think you bought protection. What you actually bought is a tool — one that works against common, known threats but can’t account for the specific ways your systems are stitched together.

The TELUS breach is a perfect illustration. TELUS Digital had enterprise-grade tooling from major vendors. What they didn’t have was someone watching the specific chain of trust between Salesloft’s Drift integration and their own GCP credentials. That chain was unique to their environment — and no off-the-shelf product was designed to monitor it.

What This Means for Small Businesses

If you’re running a small business, you might be thinking: “We’re not TELUS. Nobody’s going to target us with a $65 million ransom demand.”

That’s true. But consider this:

  • The same tools that breached TELUS are available to anyone. Trufflehog is open-source. Credential scanning is automated. Attackers don’t need to specifically target you — they cast wide nets and see what they catch.

  • Small businesses are disproportionately affected by breaches. According to IBM’s Cost of a Data Breach Report, the average cost of a data breach for organizations with fewer than 500 employees is still over $3 million. For many small businesses, that’s existential.

  • You probably use third-party tools too. If your accounting software, CRM, email marketing platform, or cloud storage is compromised, your credentials could end up in someone else’s stolen dataset — just like TELUS’s did.

The difference is that TELUS Digital has the resources to engage “leading cyber forensics experts,” work with law enforcement, and keep all business operations running while they investigate. Most small businesses don’t. And the big vendor you’re paying? They’re not going to step in and manage your crisis for you — that wasn’t part of the package.

Why the Personal Approach Wins

The alternative to account #4,782 is working with someone who actually knows your business — someone who has the time, the incentive, and the context to understand how your specific systems connect.

That means:

  • Auditing your actual integrations — not checking a compliance box, but tracing which third-party tools have access to what, and what happens if one of them gets breached.
  • Credential hygiene tailored to your setup — rotating keys, scoping permissions narrowly, monitoring for abnormal access patterns in your specific cloud environment.
  • Incident response planning that fits your team — not a 200-page enterprise playbook, but a clear, practical plan that your actual people can actually execute.
  • Ongoing attention, not a one-time sale — security isn’t a product you buy once. It’s a relationship between the people who build your systems and the people who protect them.
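One way to do the integration audit from the first bullet is to write down which system stores a credential for which other system, then walk that graph from each third party to see what a breach of it would expose. This is an added example, not part of the original post; the system names and credential types are a constructed inventory for a hypothetical small business.

```python
from collections import deque

# Constructed inventory for a hypothetical small business. Each row reads:
# "holder stores a credential that grants access to target".
GRANTS = [
    ("email-marketing", "crm", "OAuth token"),
    ("chat-widget", "crm", "OAuth token"),
    ("crm", "cloud-storage", "service account key"),
    ("accounting", "cloud-storage", "API key"),
    ("cloud-storage", "client-database", "password in a backup file"),
]


def blast_radius(grants, breached):
    """Breadth-first walk from a breached system. Returns every system it
    can reach, mapped to the shortest chain of (holder, credential, target)."""
    held = {}
    for holder, target, cred in grants:
        held.setdefault(holder, []).append((target, cred))
    chains = {breached: []}
    queue = deque([breached])
    while queue:
        node = queue.popleft()
        for target, cred in held.get(node, []):
            if target not in chains:
                chains[target] = chains[node] + [(node, cred, target)]
                queue.append(target)
    del chains[breached]
    return chains


def rank_by_reach(grants):
    """Every system, ordered by how many others fall if it is breached."""
    systems = {s for holder, target, _ in grants for s in (holder, target)}
    reach = [(len(blast_radius(grants, s)), s) for s in systems]
    return [(s, n) for n, s in sorted(reach, key=lambda r: (-r[0], r[1]))]


if __name__ == "__main__":
    for target, chain in blast_radius(GRANTS, "email-marketing").items():
        hops = " -> ".join(f"{h} [{c}]" for h, c, _ in chain)
        print(f"{target}: {hops} -> {target}")
    print(rank_by_reach(GRANTS))
```

The chains it prints double as a rotation list: each credential on a path from a breached vendor is one to revoke, starting with the hop closest to the vendor.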

The TELUS breach didn’t happen because they lacked security tools. It happened because the connections between their tools, vendors, and data stores created a path that nobody was watching closely enough.

For small businesses, those paths are often even less visible — which is exactly why a personal, hands-on approach to security matters more, not less.

The Bottom Line

A big logo on your security invoice isn’t a security strategy. Off-the-shelf products protect against known, common threats — but the TELUS Digital breach shows that real-world attacks exploit the specific ways your systems are connected, the unique seams in your particular setup.

If your security strategy is “we signed with a big vendor and they handle it,” ask yourself: does anyone at that company actually know how your business works? Could they trace the path from your email marketing tool to your cloud storage to your client database? Or did they just install the same product they install for everyone?

Your business is unique. Your security should be too.


At Just Right Systems, we help Calgary small businesses build security strategies that actually fit — not bloated enterprise frameworks, not flimsy consumer tools, but solutions that are just right for how your business actually works. Get in touch to start a conversation about your security posture.
