TELUS Digital Hemorrhages 1 Petabyte: ShinyHunterz Wins Again

I just finished writing about INC Ransom spending eighteen months torching Australian healthcare organizations and I genuinely thought that was going to be my Friday. Then TELUS Digital dropped, and now I’m on my fourth coffee staring at the word “petabyte” like it’s going to apologize and go away. It is not going to apologize. And it is not going away.

TELUS Digital. If the name doesn’t immediately land for you, that’s the problem. This isn’t a small software shop or a regional clinic. According to BleepingComputer’s reporting, TELUS Digital is a massive Business Process Outsourcing (BPO) and technology services company. Their clients span e-commerce, banking, travel, healthcare, and automotive. They handle customer support, data annotation, content moderation, trust and safety operations, and AI training services for some of the biggest names in every one of those sectors. They are a company whose entire value proposition is: “Give us your sensitive operations, your customer data, your internal workflows, your voice recordings, and your source code. We’ll manage it for you.”

The ShinyHunterz ransomware group — yes, that ShinyHunterz, the group linked to multiple high-profile data theft operations — confirmed on March 11, 2026 that they’d walked out with one petabyte of TELUS Digital’s data. One. Petabyte. That is not a typo. That is 1,000 terabytes. Per BleepingComputer’s coverage, the stolen data includes BPO customer data, source code, FBI background checks, financial information, voice recordings, and Salesforce data belonging to multiple third-party companies.

Let that sink in before we go anywhere else. FBI background checks. Voice recordings. Source code. Salesforce data for multiple external companies who trusted TELUS Digital with their operations.

What Happened — The BPO Trust Collapse in Slow Motion

The BPO model is, when you think about it, a security architect’s nightmare given human form and put in charge of your most sensitive data. The entire arrangement asks you to hand your operational crown jewels to a third party that you do not fully control, that employs tens of thousands of people you have never screened, that runs its own IT infrastructure on its own terms, and that aggregates your data alongside every other client’s data in shared systems and pipelines.

Per BleepingComputer’s reporting, TELUS Digital confirmed the breach on March 11, 2026, stating it had activated incident response procedures. What the company had not yet confirmed — and what the ShinyHunterz threat actors claim — is the full scope of what was taken. One petabyte of data across a BPO operation serving banking, healthcare, travel, and e-commerce clients is not a single neat dataset. It is potentially years of customer support transcripts, customer PII from dozens of client companies, proprietary source code for products that those clients’ customers use every day, and financial records that have no business being anywhere near an exfiltrated archive.

The FBI background checks are the detail that genuinely made me put my coffee down. TELUS Digital conducts background screening for hiring processes — their clients require it for employees in regulated roles. When you steal a petabyte of BPO data from a company with clients across banking and healthcare, you potentially steal the background check results for thousands of individual employees at those client companies. Those records contain criminal history searches, identity verification data, employment history verification, and in many cases, sensitive personal disclosures. That data does not age out. You cannot rotate it like a password. The people in those records have no way to know their background check results are now in ShinyHunterz’s possession.

Why BPO Companies Are the Perfect Attack Surface

I’ve written about this pattern before in the context of the Cognizant TriZetto breach that dumped 3.4 million patient records: attack the platform that holds everyone else’s data and you hit every downstream client simultaneously. BPO companies are that platform at industrial scale.

Think about the economics from an attacker’s perspective. TELUS Digital has, according to their published information, somewhere north of 70,000 employees and clients across multiple regulated industries globally. One successful intrusion into TELUS Digital’s environment does not yield one company’s data. It yields the data of every client that gave TELUS Digital access to their systems, customer records, and operational tooling. The leverage multiple is enormous. And from a victim notification and regulatory response perspective, the breach is catastrophically complex: TELUS Digital now has to determine which clients’ data was affected, notify potentially dozens of separate companies across different regulatory jurisdictions, and manage the downstream fallout as each of those companies figures out what TELUS Digital held on their behalf and for how long.

The voice recordings deserve their own paragraph. BPO companies frequently handle customer service calls. Those call recordings contain: customer names, account numbers, the last four digits of payment cards read aloud for verification, answers to security questions spoken clearly for authentication, details of fraud disputes and account issues, health insurance queries, and in many cases, emotionally raw conversations about financial hardship, medical situations, and personal crises. A petabyte of BPO data from a company with healthcare and banking clients very likely contains millions of call recordings of exactly this type. You cannot un-speak a security question answer. You cannot recall a call recording once an attacker has it.

As I’ve documented in my research on dark web extortion economics and how criminal markets leverage stolen data across extended timeframes, the monetization of stolen BPO data is not limited to a single ransom event. The data gets parceled out, sold in criminal marketplaces, used for targeted social engineering, and recycled in credential stuffing campaigns years after the initial breach. The companies whose data was held by TELUS Digital are going to be dealing with downstream consequences of this breach for a very long time.

What Went Wrong — Third-Party Risk Management Is Still a Fiction

Here is the structural failure underneath the TELUS Digital breach. Most companies that outsource operations to BPO providers do something like this for vendor risk management: they send a questionnaire. They get back answers that say the vendor has ISO 27001, SOC 2 Type II, and a Security Policy. They file the questionnaire. They never validate. They never conduct independent technical assessments of the vendor’s actual security posture. And they never think carefully about what happens to their data if the vendor is breached.

This is not a criticism unique to TELUS Digital’s clients. It is the industry-wide norm. Third-party risk management in the majority of organizations is paperwork, not security. You are asking the vendor whether they are secure and accepting their answer as evidence that they are secure. That is not evidence. That is a vendor-authored document designed to tell you what you want to hear so the contract gets signed.

The BPO sector specifically has a set of security challenges that go beyond standard enterprise environments. Extremely high employee turnover means constant churn in privileged access accounts that need provisioning and deprovisioning. Client data is frequently co-mingled in shared infrastructure because fully isolated per-client environments are prohibitively expensive at BPO scale. The nature of the work — customer service representatives accessing live customer records — makes it structurally difficult to implement least-privilege access without breaking operational workflows. And the need to provide client companies with access to their own data and reporting dashboards creates a web of privileged connections between BPO infrastructure and client environments.

The Fixer’s Advice — Third-Party Risk That Actually Works

This is not theoretical. Here is what you do, in priority order, if any portion of your company’s operations, data, or systems touches a BPO provider.

1. Conduct an emergency data inventory for every BPO relationship you have. Right now. This week. What data does your BPO vendor hold on your behalf? Specifically: customer PII (what categories, how much, from which time period), source code or proprietary technical assets, call or interaction recordings, financial transaction data, employee records, and credentials or API keys that give the vendor access to your own systems. You need to know this with precision because you cannot respond to a breach you don’t understand. Most companies cannot answer this question accurately because they’ve never asked it.

2. Demand proof of technical controls, not compliance certifications. ISO 27001 and SOC 2 certifications tell you a vendor has documented their security processes and that an auditor reviewed those documents. They do not tell you whether the vendor can withstand a motivated ShinyHunterz-style intrusion. The questions you should be asking: What is your data segmentation architecture between client environments? How do you detect and respond to large-scale data exfiltration attempts? What is your backup architecture and recovery time objective? When was the last time you ran a penetration test against your customer data environments, and can we see the scope and results? If the vendor won’t answer these questions with technical specificity, that is your answer.

3. Implement contractual breach notification timelines with financial teeth. Your BPO vendor contract should specify the maximum time from breach discovery to client notification (72 hours is a reasonable standard, consistent with GDPR requirements), what information must be included in that notification, what forensic access you are entitled to in the event of a breach, and what financial penalties apply for notification failures. If your current contracts don’t have these terms, you need them in the next renewal cycle. “We’ll let you know when we can” is not a breach notification clause. It is a vendor telling you they intend to manage their PR before they manage your data.

4. Minimize data sent to BPO environments wherever possible. This sounds obvious but it isn’t consistently practiced. Evaluate every data flow you have into BPO-managed systems: Does the customer service representative actually need the customer’s full address, or just enough to verify identity? Does the data annotation workflow require access to raw source code, or can it be abstracted? Does the background screening process need to transmit the complete candidate PII to the BPO, or only enough to run the specific check requested? Data minimization at the point of transfer is the single most effective control against the downstream consequences of a breach.

5. Deploy client-side monitoring for BPO-originated access. If your BPO vendor has authenticated access to your systems or data repositories, those access sessions should be logged and monitored from your side, not just the vendor’s. You should have visibility into what TELUS Digital’s — or any BPO provider’s — authenticated sessions are doing in your environment: what data they’re querying, what volumes they’re accessing, and whether access patterns match the operational scope they were authorized for. An anomaly detection alert on a BPO service account that suddenly starts pulling data volumes ten times higher than normal is exactly the kind of signal that catches an attacker operating through a compromised BPO environment.

6. Have a vendor breach playbook ready before you need it. The moment a BPO vendor discloses a breach, you need to execute a defined response procedure, not improvise one while lawyers argue about notification obligations. That playbook should include: immediate steps to revoke or monitor BPO vendor access to your systems, the process for determining what client data was held by the vendor and in what form, regulatory notification obligations under GDPR, HIPAA, state breach notification laws, or other applicable regulations, and the communications plan for affected customers.
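The client-side volume check from item 5, as an added example that is not part of the original post: it assumes the client’s own access gateway emits one constructed log row per BPO service account per day in the form `<date>,<account>,<bytes_returned>`, and flags any day at or above ten times that account’s median historical volume.

```python
# Added example (not from the original post): client-side volume anomaly check
# for BPO service accounts. Assumed log row format: "<date>,<account>,<bytes>".
from collections import defaultdict
from statistics import median

THRESHOLD = 10  # the "ten times higher than normal" signal from the post

# Constructed sample log: the support account spikes on 2026-03-06.
SAMPLE_LOG = """\
2026-03-02,svc-bpo-support,52000000
2026-03-03,svc-bpo-support,48000000
2026-03-04,svc-bpo-support,55000000
2026-03-05,svc-bpo-support,51000000
2026-03-06,svc-bpo-support,610000000
2026-03-02,svc-bpo-annotation,9000000
2026-03-03,svc-bpo-annotation,11000000
2026-03-04,svc-bpo-annotation,10000000
2026-03-05,svc-bpo-annotation,12000000
2026-03-06,svc-bpo-annotation,13000000
"""

def parse_log(text):
    """Return {account: [(date, bytes), ...]} with each list sorted by date."""
    per_account = defaultdict(list)
    for line in text.splitlines():
        if not line.strip():
            continue
        date, account, nbytes = line.split(",")
        per_account[account].append((date, int(nbytes)))
    for rows in per_account.values():
        rows.sort()
    return per_account

def find_volume_anomalies(text, threshold=THRESHOLD, min_history=3):
    """Return (account, date, bytes, baseline) for days at >= threshold x baseline."""
    alerts = []
    for account, rows in parse_log(text).items():
        for i, (date, nbytes) in enumerate(rows):
            history = [b for _, b in rows[:i]]
            if len(history) < min_history:
                continue  # too little history to judge this day
            # Median, not mean: one earlier spike must not lift the baseline
            # enough to hide the next one.
            baseline = median(history)
            if nbytes >= threshold * baseline:
                alerts.append((account, date, nbytes, baseline))
    return alerts

if __name__ == "__main__":
    for account, date, nbytes, baseline in find_volume_anomalies(SAMPLE_LOG):
        print(f"ALERT {account} {date}: {nbytes} bytes vs baseline {baseline:.0f}")
```

In a real deployment the rows come from your own gateway or proxy logs, not from the vendor, which is the whole point of item 5.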

The TELUS Digital breach is not an anomaly. It is the predictable outcome of an industry that treats BPO data handling as a procurement decision rather than a security decision. Every company that has handed operational data to a third-party processor has exposure to this scenario. The time to map that exposure and close the gaps is before the ShinyHunterz leak post goes live, not after.
