Inside the Telus Data Breach: A Canadian Cybersecurity Crisis That Could Affect Millions

It works because people trust their IT teams and their authenticated sessions. An employee gets a call and hears a familiar script about a security issue, or a cloud engineer’s credentials are harvested from an unsecured support ticket. The attacker is now inside, authenticated, with a session that looks completely normal to every monitoring tool watching the network. From there, they move slowly. They run secret-scanning tools like TruffleHog against internal source code to find hard-coded credentials. They escalate privileges wherever they can find a path. They start identifying where the valuable data lives: the BigQuery instances, the Salesforce databases, the voice recordings of support calls.
The perimeter security argument has been losing credibility for years. This is the incident that should put it to rest. If an attacker has valid credentials, the firewall already lost. The question is whether anything inside your network is watching for the thing that comes next.
Most organizations do not have a clear picture of how many external parties have access to their environment, what level of access those parties have, or how closely their security practices are monitored. Attackers know this. In the current 2026 fallout, claims include exposed data from banks, tech firms, and even government agencies, all because they shared a common service provider.
Incident response plans need to catch up. Most of them were written with ransomware in mind. As security professionals have stressed after this breach, many incident response plans still assume encryption equals impact and have no playbook for silent data exfiltration. What you need is a process for answering: what data was accessed, by which account, over what time period, and who needs to be told.
The pattern is not new. Scattered Spider’s 2025 attack on Qantas, for instance, came through an external call centre platform that had been compromised, a near-identical supply chain entry point. The Telus breach is the 2026 iteration of a playbook that has been running, successfully, for years.

This wasn’t a smash-and-grab. It was a slow bleed

The Telus Digital breach confirms a new era of corporate espionage that is quiet, credential-driven, and almost impossible to catch in real time.
ShinyHunters, the extortion group claiming responsibility, says it walked away with close to a petabyte of data from Telus Digital and its business clients. Telus Digital runs outsourced customer support for organizations around the world, which means the data exposure does not stop at Telus. It runs downstream to every company that trusted them with customer records. Telus has confirmed it is investigating unauthorized access, brought in forensics firms, and looped in law enforcement. Operations stayed up. No customers noticed anything was wrong.
“They are not breaking in. They are logging in.”
By Randy Ferguson

The Key Was Already Under the Mat

ShinyHunters has been tied to voice phishing campaigns where attackers call employees directly, pretend to be IT staff, and talk them into entering credentials on fake login pages. In the 2026 Telus incident, they allegedly bypassed the front door entirely by finding valid credentials in a separate leak, specifically the Salesloft Drift breach. No exploit. No malware. Just a legitimate login that the system was designed to trust.
For a long time, the dominant breach story went like this: attacker gets in, drops ransomware, files get encrypted, business grinds to a halt, ransom demand arrives. It was a disaster, but at least you knew it happened. You had a smoking gun. You had a clear point of failure.
That model is losing ground to something harder to catch. Groups like ShinyHunters are not interested in locking your files. They want your data. They take it slowly, carefully, and without triggering anything. Then they surface months later with proof of what they have and a demand for silence money. In the case of Telus, the group claimed to have been inside since August of last year, only making their presence known after the data was safely staged on their own servers.

Third-Party Access Is Where Most Organizations Are Blind

MFA is still the highest-return investment most organizations have not fully made. It does not stop every attack, particularly as session token theft becomes more common, but it kills the straightforward credential theft model cold. An attacker who vished someone’s password still needs that second factor. Security researchers recommend phishing-resistant MFA across both internal users and third-party service accounts, and eliminating voice- and text-based MFA entirely. Rolling it out completely, including for third-party access and admin accounts where resistance tends to be highest, matters more than the technology itself.
Network segmentation stops breaches from scaling. Flat networks, as security advisors noted in the wake of this breach, enable big breaches, and once attackers move laterally, scale becomes their advantage. Isolating high-value data behind additional access controls, building zero-trust principles into how internal systems communicate, and treating lateral movement as something to prevent rather than just detect can dramatically shrink the damage from any single compromise.
Canada does not usually sit at the center of global cybercrime headlines, but incidents involving major Canadian companies increasingly show how modern breaches actually unfold.
BPO providers, managed service providers, and cloud platform vendors are attractive targets not because they are soft, but because breaching one of them opens a door to dozens of clients at once. You can spend heavily on your own security posture and still end up exposed through a vendor, contractor, or service provider who was doing the exact same work last year without incident. The attacker does not have to target you directly. They just have to find the company you trust with access to your systems.

What Actually Needs to Change

Nobody received a ransom note. No files were encrypted. No systems went dark. The Telus Digital breach, confirmed this week in March 2026, was quieter than that, and that is exactly what made it so effective.
Telus Digital is a business process outsourcing provider. That means their clients handed them legitimate access to customer data to do their jobs. It is a normal commercial arrangement. It is also a single point of failure for every organization in their client list. This is the supply chain problem in its plainest form.
None of this looks like an attack. As Fritz Jean-Louis of Info-Tech Research Group put it, “attackers no longer need to ‘break in’ if they can blend in.” The hallmarks of this breach (multi-month dwell time, massive data volumes, delayed detection) suggest the abuse of legitimate access rather than overt technical exploitation. Weeks pass. Sometimes months. The data gets staged in small batches, exfiltrated in traffic that looks like normal encrypted communication. Then one day a message arrives and you find out someone has been living in your network since spring.
The math is better for them. Encrypted files can sometimes be recovered from backups. Stolen data cannot be taken back. Once it is out, the leverage is permanent. They can sell it, sit on it, or threaten to publish it indefinitely. Ransomware gives you one shot at payment. Stolen data gives you many. Scattered Spider runs a similar playbook. So do several other groups who have gotten a lot more patient and a lot more selective about what they take. They are not smashing windows. They are making keys.
Data monitoring is harder but more important. Your security stack is probably good at detecting known bad things: malware signatures, known bad IPs, login attempts from unusual geographies. According to experts, defenders need to look for subtle anomalies over weeks, not just spikes over minutes — asking why a service account that normally touches 200 records a day suddenly accessed 40,000 last Tuesday. That question does not get asked by default. You have to build the rules, establish the baselines by role and account, and set thresholds that will actually fire before someone has staged a full petabyte.
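The two defensive needs raised above, a per-account volume baseline that fires on a "200 records a day, 40,000 last Tuesday" pattern and an incident-response process that answers what data was accessed, by which account, over what period, and who needs to be told, can both be driven from the same data-access audit log. The following is an added example written for this page, not code from Telus Digital or from any vendor mentioned here. The audit records, account names, dataset names and client names are all constructed, and the layout (date, account, dataset, client, rows read) is an assumption standing in for whatever your warehouse or CRM audit export actually looks like.

```python
"""Baseline-driven anomaly alerting plus incident scoping over a data-access audit log.

Constructed example: the log layout and every name in SAMPLE_EVENTS are invented.
Each record is (ISO date, account, dataset, client tenant, rows read).
"""
from collections import defaultdict
from statistics import median

# Fourteen ordinary days for a support service account (median 200 rows/day),
# then a single day (2026-02-24, a Tuesday) where it pulls 40,000 rows across
# three datasets belonging to two clients. A billing account with a stable,
# much larger daily volume is included to show the threshold is relative.
SAMPLE_EVENTS = [
    (f"2026-02-{day:02d}", "svc-support-bot", "support_tickets", "acme-bank", rows)
    for day, rows in zip(range(2, 16),
                         [180, 210, 200, 195, 220, 170, 205, 200, 190, 230, 160, 200, 215, 200])
] + [
    ("2026-02-24", "svc-support-bot", "support_tickets", "acme-bank", 15000),
    ("2026-02-24", "svc-support-bot", "call_recordings_index", "northwind-telecom", 20000),
    ("2026-02-24", "svc-support-bot", "crm_contacts", "acme-bank", 5000),
    ("2026-02-02", "svc-billing-sync", "invoices", "acme-bank", 5000),
    ("2026-02-03", "svc-billing-sync", "invoices", "acme-bank", 5200),
    ("2026-02-04", "svc-billing-sync", "invoices", "acme-bank", 6000),
]


def daily_volumes(events):
    """Total rows read per (account, day), regardless of dataset or client."""
    totals = defaultdict(int)
    for day, account, _dataset, _client, rows in events:
        totals[(account, day)] += rows
    return dict(totals)


def account_baselines(events):
    """Median daily volume per account. The median is used rather than the mean
    so that a single exfiltration day cannot drag its own baseline upward."""
    per_account = defaultdict(list)
    for (account, _day), rows in daily_volumes(events).items():
        per_account[account].append(rows)
    return {account: median(vols) for account, vols in per_account.items()}


def find_anomalies(events, factor=10):
    """Flag any account-day whose volume exceeds `factor` times that account's
    baseline. A zero baseline means any activity at all is flagged, which is the
    right behaviour for a normally dormant service account."""
    baselines = account_baselines(events)
    hits = []
    for (account, day), rows in sorted(daily_volumes(events).items()):
        base = baselines[account]
        if rows > factor * base:
            hits.append({"account": account, "day": day, "rows": rows, "baseline": base})
    return hits


def scope_incident(events, account, first_day, last_day):
    """Answer the incident-response questions for one account over a window:
    which datasets were touched, how many rows, when, and which client tenants
    own the data (the parties that must be notified)."""
    datasets, clients, days, rows_total = set(), set(), [], 0
    for day, acct, dataset, client, rows in events:
        if acct == account and first_day <= day <= last_day:  # ISO dates sort as strings
            datasets.add(dataset)
            clients.add(client)
            days.append(day)
            rows_total += rows
    return {
        "account": account,
        "first_seen": min(days) if days else None,
        "last_seen": max(days) if days else None,
        "datasets": sorted(datasets),
        "clients_to_notify": sorted(clients),
        "rows_read": rows_total,
    }


if __name__ == "__main__":
    for hit in find_anomalies(SAMPLE_EVENTS):
        print(f"ALERT {hit['account']} on {hit['day']}: {hit['rows']} rows "
              f"(baseline {hit['baseline']}/day)")
        print(scope_incident(SAMPLE_EVENTS, hit["account"], hit["day"], hit["day"]))
```

The threshold is deliberately a multiple of each account's own median, not a global number: a billing job that reads 5,000 rows every day is normal, while a support bot that reads 200 and then 40,000 is not. In practice the baseline window should be weeks of history per account and role, as the paragraph above argues, and the scoping step should be widened to the full dwell period once the first anomalous day is found, since the first alert is rarely the first day of access.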
That last part is not reassuring. It is the whole problem.
