
SARA VOSS · MARCH 22, 2026 · CYBERSECURITY
TELUS Digital, 700TB Gone: ShinyHunters Are Back — and the EU Just Sanctioned Their Sponsors
ShinyHunters stole 700TB from TELUS Digital. The same week, the EU sanctioned three nation-state cyber actors. Here’s what both stories mean together.
700TB stolen from TELUS
19 individuals under the EU cyber sanctions regime
3 nation-state orgs sanctioned
2nd major ShinyHunters breach in 2 years


Two separate stories broke in the same week of March 2026, and most coverage treated them in isolation. That’s a mistake. Read together, they reveal something important about the current state of global cybersecurity: the line between organized cybercrime and state-sponsored hacking is no longer a line. It’s a spectrum — and sophisticated threat actors like ShinyHunters are operating in the gray zone between the two.

Story one: ShinyHunters, the group behind the 2024 Snowflake breach wave that hit AT&T, Ticketmaster, and dozens of others, has stolen 700 terabytes of data from TELUS Digital, the BPO arm of one of Canada’s largest telecoms. Story two: the European Union sanctioned two Chinese companies, one Iranian company, and two individuals for operating “the private cyber offensive ecosystem” that enables exactly these kinds of attacks. The connection isn’t coincidental.


📋 WHAT IS TELUS DIGITAL?
TELUS Digital is the business process outsourcing (BPO) and IT services subsidiary of TELUS — Canada’s second-largest telecommunications company. The key distinction: TELUS Digital handles customer experience, content moderation, and data services for major global enterprises. A breach of TELUS Digital doesn’t just expose TELUS customer data — it exposes the data of every enterprise client TELUS Digital serves.

1. TELUS Digital: 700TB and a New Kind of Heist

ShinyHunters told Reuters it stole 700 terabytes of data from TELUS Digital. To understand the scale: Netflix’s entire streaming catalog is approximately 3.14 petabytes. The ShinyHunters TELUS exfiltration represents roughly 22% of that — from a single company, in a single attack. And unlike Netflix’s petabytes of video files, this 700TB contains structured business data, customer records, operational information, and potentially sensitive credentials for TELUS Digital’s enterprise clients.

TELUS confirmed the hack on March 16, 2026. The attack vector was not traditional ransomware — it was credential theft leading to cloud infrastructure access. As CSO Online described it: “Not a smash-and-grab but strategic, disciplined, optimized for maximum leverage.” The absence of ransomware is significant: it means no encrypted files, no ransom demand announced with a deadline. Instead, ShinyHunters quietly exfiltrated 700TB over what is believed to be an extended access window.

⚠️ WHY THIS BREACH IS DIFFERENT
Traditional ransomware: break in, encrypt files, demand payment, get detected immediately. (Most ransomware crews now exfiltrate before they encrypt, but the encryption event is what trips the alarm.)

ShinyHunters method: Steal valid credentials → access cloud infrastructure → maintain persistent access → exfiltrate quietly over weeks/months → leverage stolen data strategically.

The TELUS Digital breach represents the maturation of cloud-era attacks: not about disruption, but about intelligence gathering and durable leverage. CISA and Canadian cybersecurity authorities were both monitoring the situation as of March 23 — but the data was already gone.

The most alarming aspect isn’t the 700TB headline number — it’s the downstream exposure. TELUS Digital’s BPO clients include major global enterprises across industries from financial services to healthcare to retail. When a BPO vendor is breached, the actual victims are the enterprise clients whose data they process. TELUS Digital may have the public exposure, but every enterprise client is now assessing what data they trusted to TELUS’s infrastructure.

2. ShinyHunters: Criminal Group or State Tool?

ShinyHunters first appeared in 2020, initially operating as a straightforward data theft group — stealing databases and selling them on dark web forums. By 2024, they had evolved into something significantly more sophisticated: the Snowflake breach campaign, which compromised cloud infrastructure at organizations including AT&T, Ticketmaster, Santander Bank, and dozens of others, demonstrated operational discipline, patience, and targeting sophistication that goes far beyond opportunistic cybercrime.

ShinyHunters: Major Attacks 2024–2026
Date | Target | Method | Scale
Mid-2024 | Snowflake customer accounts (AT&T, Ticketmaster, Santander and others) | Stolen credentials → cloud platform access | 165+ Snowflake customers potentially affected
Late-2024 | AT&T (confirmed ShinyHunters attribution) | Snowflake-linked credential theft | ~110M customer records exfiltrated
2025 | Multiple cloud BPO vendors (undisclosed) | Third-party vendor credential theft | Ongoing, multiple incidents
Mar 12–16, 2026 | TELUS Digital (Canadian BPO) | Cloud credential theft → infrastructure access | 700TB exfiltrated; CISA and Canada monitoring

The pattern across these attacks is consistent: stolen credentials, cloud infrastructure access, extended dwell time, massive exfiltration. No ransomware. No obvious “tell” until the damage is done. This profile is patient, cloud-native and credential-driven, and it reads less like opportunistic cybercrime than like a group with intelligence-gathering objectives and possibly state-affiliated direction. The caveat: the same tradecraft is standard for financially motivated data-extortion crews, and the Snowflake campaign ended in extortion demands, so tradecraft alone does not settle attribution.

The EU’s March 16 sanctions announcement, which specifically targeted “the private cyber offensive ecosystem equipping malicious actors targeting France” and included Chinese and Iranian entities, describes the same pattern in geopolitical language. The listings quoted here do not name ShinyHunters; the link is inferred from tradecraft. Nation-states are not just conducting their own hacking operations. They’re funding, enabling, and directing private groups to conduct operations that provide plausible deniability.

3. EU Cyber Sanctions: The Highest Level Yet

On March 16, 2026, the same day TELUS confirmed its breach, the EU Council adopted restrictive measures (sanctions) against two China-based companies, one Iranian company, and two individuals. With these five listings, the EU’s horizontal cyber sanctions regime covers a total of 19 individuals and 7 entities.

🇪🇺 EU SANCTIONS SCOPE
Individuals sanctioned under the horizontal cyber regime: 19
Entities sanctioned under the horizontal cyber regime (post-March 16): 7
New entries on March 16 across the Russia, Iran and cyber lists (Global Sanctions database): 31
Companies targeted in the March 16 cyber action: 3 (two China-based, one Iranian)

The French government’s statement was unusually direct: the sanctions targeted “the private cyber offensive ecosystem equipping malicious actors targeting France.” This language acknowledges something that Western governments have been reluctant to state plainly: nation-states are not just hacking directly. They are building, funding, and operating a private infrastructure of cyber offense — contractors, tool developers, credential brokers, and data exfiltrators — that provides deniability while achieving state intelligence objectives.

Simultaneously, the EU published a new Cybersecurity Package proposing revisions to both the EU Cybersecurity Act and the NIS Directive. The timing is not coincidental — the regulatory response is being drafted in parallel with the sanctions enforcement action. This is a coordinated escalation, not an isolated reaction.

4. The Vendor Tier Is the New Battlefield

The most important pattern in major cyberattacks of 2025 and 2026 isn’t the enterprises being targeted. It’s the vendors who serve those enterprises. The attack surface has shifted: rather than attacking a bank, a hospital, or a retailer directly — which are typically hardened targets with mature security postures — sophisticated threat actors are targeting the BPO providers, SaaS platforms, and cloud infrastructure services that those enterprises depend on.

🎯 THE VENDOR-TIER ATTACK PATTERN: 2024–2026
Snowflake (2024): cloud data platform, customer accounts without MFA → 165+ customers exposed (AT&T, Ticketmaster)
TELUS Digital (2026): BPO/IT services vendor → all BPO enterprise clients exposed
Global-e / Ledger (2025): e-commerce services vendor → Ledger customer data exposed
WorldLeaks / Nike (2026): third-party data handler → Nike source data exposed

The pattern is clear: attackers have realized that enterprise cybersecurity investments are concentrated at the enterprise level. The vendor tier — BPOs, SaaS platforms, cloud infrastructure providers, content moderation services — operates at scale but with security postures that often lag the enterprises they serve. One credential theft at a vendor provides access to dozens or hundreds of enterprise clients simultaneously.

This has a direct implication for enterprise security strategy: your security posture is no longer determined solely by your own defenses. It’s determined by the weakest link in your vendor ecosystem. The question every CISO needs to answer is: what access have you granted to vendors, and what is their security posture?

5. What Cloud-First Companies Must Audit Now

The TELUS Digital breach and EU sanctions together provide a clear signal: the threat environment for cloud-first enterprises has escalated. The combination of sophisticated credential theft techniques, state-sponsored enablement infrastructure, and vendor-tier targeting means that organizations need to audit their posture across several dimensions immediately.

✅ IMMEDIATE AUDIT CHECKLIST — CLOUD-FIRST ENTERPRISE
1. Vendor credential inventory: Audit all active credentials granted to third-party vendors. Revoke any that are broader than minimum necessary access. Flag vendors with cloud infrastructure access.
2. MFA enforcement across vendor access: Ensure all vendor access to your cloud infrastructure requires phishing-resistant MFA (hardware keys or passkeys); the Snowflake victims were accounts with no MFA at all. Know its limits, though: MFA does nothing for long-lived API keys, service-account tokens or stolen session cookies, so inventory and rotate those separately and bind them to IP allow lists where the platform supports it.
3. Cloud egress monitoring: Implement anomaly detection on data egress from cloud environments, baselined per principal (user, service account, vendor role) and evaluated over multi-day windows as well as per hour. 700TB exfiltrations don’t happen in an hour; they happen over weeks of unmonitored access, at a rate that can sit below any single-hour threshold.
4. BPO/vendor security questionnaires: Require annual (or more frequent) security posture assessments from any vendor with access to customer data. TELUS Digital’s enterprise clients may not have had visibility into TELUS’s own cloud security posture.
5. Supply chain security clauses: Ensure vendor contracts include breach notification requirements with specific timeframes (24-72 hours), indemnification clauses, and security standard requirements (SOC 2 Type II minimum).
6. Geopolitical threat mapping: Cross-reference your vendor list against EU and OFAC sanction lists. The March 16 EU sanctions covered specific entities — ensure none are in your supply chain.
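As an added example (not code from the article, from TELUS Digital or from any vendor named here), the Python script below shows why the egress monitoring in item 3 needs a per-principal, multi-day baseline rather than a per-hour threshold. The log format, principal names, volumes and thresholds are all constructed: a vendor sync identity that normally moves about 40 GB a day starts moving 150 GB a day spread evenly across the clock. That never trips a 1 TB/hour burst rule, but it exceeds 2.5× its own seven-day baseline within four days.

```python
"""Low-and-slow egress detection over a constructed cloud egress log.

Added example, not code from the article or from TELUS Digital. Every
identifier, volume and threshold here is an assumption for illustration.
Record format (constructed): '<ISO timestamp> <principal> <bytes_out> <dest>'.
"""
from collections import defaultdict
from datetime import datetime, timedelta, timezone
import statistics

GB = 10**9


def make_sample_log():
    """Constructed 21-day log. 'vendor-bpo-sync' moves roughly 40 GB/day for
    14 days, then 150 GB/day spread evenly over 24 hours (6.25 GB/hour).
    'app-backup' is a steady 20 GB/day control principal."""
    start = datetime(2026, 2, 1, tzinfo=timezone.utc)
    lines = []
    for day in range(21):
        jitter = ((day * 7) % 11) - 5                      # -5 .. +5 GB of day-to-day noise
        vendor_daily = (40 + jitter) * GB if day < 14 else 150 * GB
        for hour in range(24):
            ts = (start + timedelta(days=day, hours=hour)).isoformat()
            lines.append(f"{ts} vendor-bpo-sync {vendor_daily // 24} s3:customer-exports")
            lines.append(f"{ts} app-backup {20 * GB // 24} s3:nightly-backup")
    return "\n".join(lines)


def parse(log_text):
    """Yield (timestamp, principal, bytes_out) tuples from the constructed format."""
    for line in log_text.splitlines():
        ts, principal, nbytes, _dest = line.split()
        yield datetime.fromisoformat(ts), principal, int(nbytes)


def aggregate(records):
    """Roll records up to per-hour and per-day totals keyed by principal."""
    hourly = defaultdict(int)
    daily = defaultdict(int)
    for ts, principal, nbytes in records:
        hourly[(principal, ts.replace(minute=0, second=0, microsecond=0))] += nbytes
        daily[(principal, ts.date())] += nbytes
    return hourly, daily


def burst_alerts(hourly, limit_bytes=1000 * GB):
    """Naive detector: flag a principal whose egress in any single hour exceeds a fixed limit."""
    return sorted({p for (p, _hour), b in hourly.items() if b > limit_bytes})


def slow_exfil_alerts(daily, learn_days=14, window_days=7, factor=2.5):
    """Per-principal baseline: median daily egress over the first learn_days.
    Alert on the first day whose trailing window_days total exceeds
    factor * (baseline * window_days). Assumes each principal logs every day."""
    per_principal = defaultdict(dict)
    for (p, day), b in daily.items():
        per_principal[p][day] = b
    alerts = {}
    for p, per_day in per_principal.items():
        days = sorted(per_day)
        if len(days) <= learn_days:
            continue  # not enough history to baseline this principal
        baseline = statistics.median(per_day[d] for d in days[:learn_days])
        expected_window = baseline * window_days
        for i in range(learn_days, len(days)):
            window = days[max(0, i - window_days + 1): i + 1]
            total = sum(per_day[d] for d in window)
            if total > factor * expected_window:
                alerts[p] = {"day": days[i], "window_bytes": total,
                             "expected_bytes": expected_window}
                break
    return alerts


def analyze(log_text=None):
    """Run both detectors; returns {'burst': [principals], 'slow': {principal: alert}}."""
    hourly, daily = aggregate(parse(make_sample_log() if log_text is None else log_text))
    return {"burst": burst_alerts(hourly), "slow": slow_exfil_alerts(daily)}


if __name__ == "__main__":
    result = analyze()
    print("burst (1 TB/hour) alerts:", result["burst"] or "none")
    for principal, alert in result["slow"].items():
        print(f"slow-exfil alert: {principal} on {alert['day']}: "
              f"{alert['window_bytes'] / GB:.0f} GB in 7 days vs "
              f"{alert['expected_bytes'] / GB:.0f} GB expected")
```

Run it directly and the burst detector reports nothing while the rolling-window detector flags vendor-bpo-sync on the fourth day of the transfer. In production the same logic sits on VPC flow logs, object-storage access logs or CloudTrail data events; the design point is that the alert condition is relative to the principal’s own history, so a transfer that is noise at fleet level is still an outlier for the identity performing it.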

The combined thesis of both stories this week is this: ShinyHunters is not operating in a vacuum. The EU sanctions on the “private cyber offensive ecosystem” confirm that organized cybercrime groups are being enabled by nation-state infrastructure — tooling, funding, and intelligence targeting. TELUS Digital lost 700TB to a group that has the operational sophistication of a state actor and the legal deniability of a criminal enterprise.

For enterprise security teams, this means treating sophisticated cybercrime groups with the same threat modeling rigor you would apply to nation-state actors. The threat model has converged. The defenses need to converge as well.

🔒 THE TAKEAWAY
The distinction between “cybercrime” and “state-sponsored hacking” is no longer operationally meaningful.
The EU just sanctioned the infrastructure that makes groups like ShinyHunters possible. TELUS Digital lost 700TB to that same ecosystem. Your vendor tier is the attack surface you haven’t hardened yet.

Related Reading

🏥 Stryker Cyberattack: Pro-Iran Hackers and the Medical Supply Chain
⚠️ Ledger, Nike Data Breach 2026: The Cybersecurity Warning
🌐 State-Sponsored Hacking 2026: Lotus Blossom, China, Russia

Written by Sara Voss
https://networkcraft.net/author/sara-voss/
Investigative Tech Reporter at Networkcraft. The most important security story is usually the one nobody's covering yet. Specialises in cybersecurity, digital privacy, data breaches, and the policy decisions that shape how technology affects civil liberties.