UNITED STATES — Earlier this month, TELUS’s BPO arm, TELUS Digital, confirmed a massive cybersecurity incident involving nearly 1 petabyte of data in a multi-month breach. While investigations into this case continue, Crunchyroll, a TELUS client, has recently reported a possible similar incident involving 100 GB of data from approximately 6.8 million users.
The threat actor, allegedly known as ShinyHunters, revealed they began extorting from TELUS in February and demanded $65 million in exchange for the data. However, the telecommunications giant didn’t respond.
In a conversation with the technology news website Bleeping Computer, ShinyHunters disclosed that they had found TELUS’s Google Cloud Platform credentials during the Salesloft Drift breach, in which Salesforce data for 760 companies was stolen.
The threat actor also revealed that this breach has impacted 28 other well-known companies. Much of the data extracted relates to TELUS’s BPO services, such as:
- Customer support
- Agent performance ratings
- Content moderation solutions
- Fraud detection and prevention
TELUS reacted to the incident by securing its systems against further intrusion. It also released a statement that it has implemented additional security measures for its systems.
The company reassured its clients that “all business operations within TELUS Digital remain fully operational, and there is no evidence of disruption to customer connectivity of services.” It has engaged with cyber forensics experts and law enforcement for its investigations.
Crunchyroll Reveals Impact: Possible Data Breach
Days after TELUS’s announcement, anime-streaming site, Crunchyroll, reported that it was investigating a report of a possible security breach. The company told Bleeping Computer that it’s working closely with cybersecurity experts to look into the matter.
It added that it believes the data possibly involved is “primarily limited to customer service ticket data following an incident with a third-party vendor.”
The threat actor behind this incident also contacted Bleeping Computer and revealed that it breached Crunchyroll by gaining access to a support agent’s Okta SSO account. This agent is allegedly a TELUS employee with access to the streaming site’s support ticket.
According to screenshots shared with Bleeping Computer, samples of support tickets contained a variety of information, including:
- The user’s name
- Login name
- Email address
- IP address
- General geographic location
In certain cases, the user’s credit card details were also exposed when the user shared them in the support ticket. For the most part, only basic information, such as expiration dates, the last four digits, or full card numbers, was seen.
BPO Companies Are a High-Value Target
This isn’t the first multi-month data breach in the past few years. As they handle a significant amount of data across customer support, authentication systems, and billing services for multiple clients, BPO companies remain high-value targets for threat actors.
News like this reflects how easily data can be compromised and how such incidents can exploit the BPO industry. Such incidents have become a significant operational risk for BPO providers and their clients.
Companies are urged to be vigilant and proactive in strengthening their systemic resilience. Implementing comprehensive, multi-layered security measures that combine technology, physical security, and employee training remains the most sensible strategy to combat the rising risk.
