HARDENED
Cybersecurity Intelligence
Daily Briefing  ·  Thursday, March 19, 2026  ·  hardened.news
The signal. Not the noise. For teams that defend.
Lead Story
Critical · Enterprise · Cloud & DevOps
TELUS Digital Confirms Massive Breach — ShinyHunters Claims 1 Petabyte Stolen
Customer call records, source code, FBI background checks, and financial data exfiltrated from one of Canada’s largest BPO providers. The $65 million ransom demand was rejected.

TELUS Digital, the digital services and BPO arm of Canadian telecommunications giant TELUS, confirmed on March 12 that it suffered a significant cybersecurity incident. The ShinyHunters cybercrime group claimed responsibility, alleging they exfiltrated between 700 TB and 1 petabyte of data during a months-long intrusion.

The stolen data reportedly includes customer support tickets, call recordings, agent performance ratings, source code, financial records, FBI background checks on employees, and Salesforce data spanning multiple BPO clients. ShinyHunters claimed initial access came via Google Cloud Platform credentials obtained in the earlier Salesloft Drift compromise, then pivoted through internal systems using the trufflehog credential-scanning tool to escalate access. TELUS Digital rejected a $65 million ransom demand.

TELUS stated that business operations remain fully operational with no disruption to customer connectivity or services. The company has engaged forensics experts and is cooperating with law enforcement. For any organisation that uses TELUS Digital as a BPO provider, the immediate question is whether your data is in that trove — and whether your incident response plan accounts for third-party breaches of this scale.

→ Key Takeaway
If TELUS Digital handles any of your customer operations, contact them now and request a formal scope assessment of your exposure. Review what data your organisation shared with or stored in TELUS Digital systems. Update your breach notification timeline accordingly — downstream obligations under PIPEDA may already be triggered.
Quick Hits
01
North Korean Konni Group Weaponises KakaoTalk to Spread Malware

South Korean threat intelligence firm Genians documented a Konni APT campaign that begins with spear-phishing emails disguised as North Korean human rights lecture invitations. Once a victim is compromised, the attackers hijack their KakaoTalk desktop application and use it to send malicious ZIP files to the victim’s contacts — deploying EndRAT, RftRAT, and RemcosRAT through AutoIt-based scripts. The technique turns trusted contacts into unwitting distribution channels. Konni shares infrastructure with Kimsuky and APT37. The Hacker News →

High · Enterprise · End Users
02
IoT Malware Turns Routers and Network Devices Into DDoS Nodes and Crypto Miners

Two previously unknown malware strains are targeting routers, IoT devices, and enterprise network equipment, conscripting them into botnets for large-scale DDoS attacks and cryptocurrency mining. The campaigns exploit default credentials and known firmware vulnerabilities in devices from multiple vendors. If your organisation runs IoT devices or network equipment with default passwords or outdated firmware, this is your reminder: inventory them, patch them, or segment them. CyberSecurity News →

High · Cloud & DevOps · Enterprise · End Users
CVE Watch
Patch of the Day
CVE-2025-66376 · CVSS 7.2
Zimbra Collaboration Suite — Stored XSS via CSS @import

CISA added CVE-2025-66376 to the KEV catalog on March 18 after confirming active exploitation. The vulnerability is a stored cross-site scripting flaw in Zimbra Collaboration Suite (ZCS) 10 before 10.0.18 and 10.1 before 10.1.13, exploitable via CSS @import directives embedded in HTML email messages. An attacker sends a crafted email; when the recipient opens it in the Zimbra web client, arbitrary JavaScript executes in their browser session — enabling session hijacking, credential theft, or full account takeover. No user interaction beyond opening the email is required. Patch immediately.

Vendor: Synacor (Zimbra)  ·  Patched: ZCS 10.0.18 / 10.1.13  ·  CISA KEV: Mar 18  ·  Exploited: Confirmed
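A defender-side check for the vector described above, written as an added example for this briefing; it is not Zimbra's code and not a patch. It parses an inbound HTML message with the standard library, reports every CSS @import directive found in <style> blocks and inline style attributes (the places a mail client would evaluate CSS), and produces a copy with those directives removed so a mail gateway or filtering rule can quarantine or neutralise the message before a webmail client renders it. The sample message and the example.invalid URLs are constructed for the demonstration.

```python
import re
from html.parser import HTMLParser

# Matches "@import url(...)" and "@import '...'" forms, any case, and captures the target.
IMPORT_RE = re.compile(r"@import\s+(?:url\(\s*)?['\"]?([^'\")\s;]+)", re.IGNORECASE)

# Removes the whole directive up to its terminating semicolon. If the semicolon is
# missing this eats CSS up to the next one, which is acceptable: fail closed.
STRIP_RE = re.compile(r"@import\b[^;]*;?", re.IGNORECASE)


class CssImportScanner(HTMLParser):
    """Collects @import directives from <style> elements and style= attributes."""

    def __init__(self):
        super().__init__()
        self._in_style = False
        self.findings = []  # list of (location, target)

    def handle_starttag(self, tag, attrs):
        if tag == "style":
            self._in_style = True
        for name, value in attrs:
            if name == "style" and value:
                for m in IMPORT_RE.finditer(value):
                    self.findings.append((f"<{tag} style=...>", m.group(1)))

    def handle_endtag(self, tag):
        if tag == "style":
            self._in_style = False

    def handle_data(self, data):
        # HTMLParser delivers <style> contents as raw data, so scan it here.
        if self._in_style:
            for m in IMPORT_RE.finditer(data):
                self.findings.append(("<style> block", m.group(1)))


def find_css_imports(html):
    """Return [(location, target), ...] for every @import in the HTML body."""
    scanner = CssImportScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


def strip_css_imports(html):
    """Return a copy of the HTML body with every @import directive removed."""
    return STRIP_RE.sub("", html)


# Constructed sample: a benign-looking HTML email carrying two @import directives.
SAMPLE_EMAIL = """<html><head>
<style>
  @import url("https://example.invalid/theme.css");
  p { font-family: sans-serif; }
</style>
</head><body>
<p style="color:#333; @import 'https://example.invalid/inline.css';">Invoice attached.</p>
</body></html>"""


if __name__ == "__main__":
    for where, target in find_css_imports(SAMPLE_EMAIL):
        print(f"FLAG {where}: @import -> {target}")
    cleaned = strip_css_imports(SAMPLE_EMAIL)
    print("after stripping:", find_css_imports(cleaned))
```

Flagging rather than silently stripping is the better default at a gateway: legitimate HTML mail almost never needs @import, so a hit is a strong signal worth logging against the sender, and the stripped copy is what you deliver if you choose to deliver at all.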
Compliance Tip of the Day
(ISC)² CISSP Domain 1 — Security and Risk Management
Your Vendor’s Breach Is Your Breach

The TELUS Digital breach started with credentials stolen from a third party (Salesloft Drift), then pivoted into TELUS systems via Google Cloud Platform. CISSP Domain 1 covers supply chain risk management — the principle that your security posture is only as strong as the weakest link in your vendor chain. It’s not enough to audit your own controls if your BPO provider’s cloud credentials are sitting in someone else’s breach data. Action: Review your third-party risk assessment programme. Verify that critical vendors have documented credential rotation policies, MFA on cloud administrative accounts, and breach notification obligations in their contracts. If your vendor agreement doesn’t include a right-to-audit clause, negotiate one at the next renewal.

This newsletter does not constitute professional security advice. Security configurations and threat landscapes vary by organisation. Consult a qualified security professional for implementation guidance specific to your environment.

How we work: HARDENED uses AI agents for research, drafting, and automation. Every issue is reviewed by humans before publication. If you spot an error, reply directly — we correct the record promptly.

Editor’s Source Note: TELUS Digital breach confirmed via BleepingComputer, TechRadar, Hackread, CSO Online, and The Globe and Mail (March 12–15, 2026). The 1 PB data volume is ShinyHunters’ claim; TELUS Digital has not confirmed the exact volume. $65M ransom figure sourced from BleepingComputer and Hackread. Zimbra CVE-2025-66376 details from CISA KEV alert March 18, BleepingComputer, and Windows News. CVSS 7.2 per NVD. Konni/KakaoTalk campaign sourced from The Hacker News, Genians (original research), GBHackers, Korea Times, and SC Media. IoT botnet campaigns from CyberSecurity News (March 18, 2026).