Canadian business process outsourcing giant Telus Digital has confirmed it suffered a security incident after threat actors claimed to have stolen nearly 1 petabyte of data from the company in a multi-month breach. The company's public acknowledgement came days after security researchers first reported the attack, prompting questions about how long institutions wait before disclosing compromises to the public.
Telus Digital is the digital services and business process outsourcing arm of Canadian telecommunications provider Telus, providing customer support, content moderation, AI data services, and other outsourced operational services to companies worldwide. This matters to Australian businesses, many of which rely on outsourcers like Telus for customer support and data processing. Because BPO providers often handle customer support, billing, and internal authentication tools for multiple companies, they can become attractive targets for threat actors seeking access to large amounts of customer and corporate data through a single breach.
According to reports, the hackers used Google Cloud Platform credentials discovered in data stolen during the Salesloft Drift breach. This reveals a brutal cascading effect in cybersecurity: one company's weakness becomes a pathway to compromise dozens more. After downloading this data, the threat actors said they used the cybersecurity tool trufflehog to search within it for additional credentials that allowed them to pivot into other Telus systems and download further data. The breach highlights the exponential damage when initial access balloons across interconnected systems.
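The same kind of search can be run from the defender's side, over your own records before they reach a third-party integration, so that any embedded key is revoked rather than left to be found later. The sketch below is an added example, not code from the reporting or from trufflehog: it looks for Google Cloud service-account key files and two other common credential shapes in free text, and the case ids, project name and key values are constructed.

```python
import json
import re

# Fields found in a Google Cloud service-account key file.
SA_KEY_FIELDS = {"type", "project_id", "private_key_id", "private_key", "client_email"}
PATTERNS = {
    "pem_private_key": re.compile(r"-----BEGIN (?:RSA |EC )?PRIVATE KEY-----"),
    "gcp_sa_email": re.compile(r"[a-z0-9-]+@[a-z0-9-]+\.iam\.gserviceaccount\.com"),
    "google_api_key": re.compile(r"\bAIza[0-9A-Za-z_-]{35}\b"),
}

def json_objects(text):
    """Yield every JSON object embedded in free text, nested ones included."""
    decoder = json.JSONDecoder()
    pos = text.find("{")
    while pos != -1:
        try:
            obj, _ = decoder.raw_decode(text, pos)
        except ValueError:
            obj = None  # a brace that does not start valid JSON
        if isinstance(obj, dict):
            yield obj
        pos = text.find("{", pos + 1)

def scan_record(text):
    """Return (kind, detail) findings; secret values are never echoed."""
    findings = []
    for obj in json_objects(text):
        if obj.get("type") == "service_account" and SA_KEY_FIELDS <= obj.keys():
            # Account and key id are identifiers, enough to revoke the key.
            detail = f'{obj["client_email"]} key_id={obj["private_key_id"]}'
            findings.append(("gcp_service_account_key", detail))
    for kind, rx in PATTERNS.items():
        if rx.search(text):
            findings.append((kind, "redacted"))
    return findings

# Constructed sample data: hypothetical support-case bodies.
SAMPLE_KEY = json.dumps({
    "type": "service_account", "project_id": "example-project",
    "private_key_id": "0000constructed0000",
    "private_key": "-----BEGIN PRIVATE KEY-----\nCONSTRUCTED\n-----END PRIVATE KEY-----\n",
    "client_email": "svc-demo@example-project.iam.gserviceaccount.com"})
RECORDS = {
    "case-1001": "Deploy fails, customer pasted their key: " + SAMPLE_KEY + " please advise",
    "case-1002": "Password reset requested; see {ticket} template. No attachments.",
    "case-1003": "Maps widget broken, key is AIza" + "C" * 35 + " on staging",
}

def scan_all(records):
    results = {rid: scan_record(body) for rid, body in records.items()}
    return {rid: found for rid, found in results.items() if found}
```

Each finding names the record and, for a service-account key, the account and key id to revoke; the pattern matches are a triage signal and need human review before action.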
The threat actor shared the names of 28 well-known companies allegedly impacted by the breach. However, reporting indicates that the exact scope has not been independently verified. ShinyHunters tried extorting Telus in February, demanding $65 million in exchange for not leaking the company's data, but Telus hasn't responded to their emails.
The human security problem
While Telus battled a supply-chain compromise, Starbucks employees learned their most sensitive personal information had been stolen through a far simpler method: classic phishing. In data breach notification letters filed with Maine's Attorney General and sent to affected employees on Tuesday, the company says that it discovered the incident on February 6, and that 889 Starbucks Partner Central accounts used to manage employment details, personal information, benefits, and HR information were compromised.
Starbucks said the threat actors had access to affected individuals' accounts between January 19 and February 11, but didn't explain why it took five days to remove them from its systems. This gap matters. Each day attackers retain access is another day they can extract data, explore systems, or establish backdoors for future intrusions.
In a subsequent letter sent to employees, Starbucks advised impacted staff that their names, Social Security numbers, and dates of birth, along with financial account numbers and routing numbers, may have been snarfed up by an unauthorised third party. These are not passwords that can be reset. They are permanent identifiers that retain value for years, enabling identity theft, fraud, and targeted attacks long after the initial breach fades from headlines.
The attack vector was ruthlessly simple. Attackers created websites impersonating the Starbucks Partner Central portal and distributed phishing messages to employees. When employees entered their credentials on these fraudulent sites, the attackers captured the information and used it to access the legitimate HR portal. No zero-days, no advanced persistence. Just human trust exploited at scale.
The AI response
Even as these breaches unfolded, Kevin Mandia, who founded the cybersecurity startup Mandiant in 2004 and sold it to Google for $5.4 billion in 2022, launched Armadin, a new AI-native cybersecurity startup, with what the company claims is a record-breaking funding round. It raised $189.9 million in combined seed and Series A funding led by Accel, with participation from GV, Kleiner Perkins, Menlo Ventures, 8VC, Ballistic Ventures, and the CIA's venture arm, In-Q-Tel.
Armadin plans to build autonomous AI agents that identify exploitable risks and help companies respond faster to cyber threats. Mandia said Armadin uses agentic tools to complete work in minutes that used to take days. The fundamental bet: defences that operate at machine speed, not human speed, will be required to survive attacks powered by AI.
The irony is sharp. Phishing remains devastatingly effective, yet the security industry is pouring record capital into autonomous attack simulation. Both truths hold at once: human error remains the weakest link, and defenders are racing to automate their way past the bottleneck of manual analysis. According to the World Economic Forum, 87% of organisations said AI-related vulnerabilities are increasing risk across their environments.
These breaches and investments tell an uncomfortable story. The infrastructure is broken. Credentials leak from one company and are weaponised against another. Employees click phishing links despite years of training. The response from the security industry is to build faster machines rather than solve the fundamental problem of human trust. For companies and workers caught in the middle, the only certain outcome is that 2026 will be a year of constant vigilance.