A hacker claimed one petabyte of stolen data from Telus Digital, the outsourcing and digital services arm of Canadian telecom Telus. Telus Digital confirmed a breach occurred.
One petabyte is roughly one million gigabytes. It’s also exactly the kind of number you’d pick if you wanted to make a breach sound massive without proving anything. Treat that figure as hacker marketing, not fact.
The confirmed breach is a different matter entirely.
Most people don’t recognize the Telus Digital name. That’s partly why this story isn’t getting the attention it deserves. Telus Digital handles customer service operations, AI training data programs, and digital transformation work for large enterprise clients globally. Some of that work involves managing customer interaction records. Some involves handling datasets used to train AI systems.
This isn’t a database of consumer passwords. It’s infrastructure-level work for major clients whose names you’d likely recognize. When a company processing AI training data and enterprise customer service ops gets breached, the question isn’t just “whose data was in there.” It’s “what were they doing with it, and for whom?”
This is a recurring pattern. Organizations offload sensitive operations to third parties, often without applying equivalent security scrutiny. Vendor security review is usually a checkbox exercise: a questionnaire, an SOC 2 report, a periodic reassessment. What that process rarely captures is whether the vendor is actually operating with the rigor the questionnaire suggests.
AI training data adds a specific wrinkle. Training data shapes AI behavior. Compromised training data can potentially influence model outputs in ways that aren’t immediately visible. That’s a longer-horizon concern, but it’s worth flagging as enterprises ramp up AI development.
If you have outsourcing relationships with firms handling sensitive operations:
Review what data your vendors actually hold. Not what your contract says they can hold. What they actually have. The gap is often bigger than you’d expect.
Know your notification rights. Your contracts should require breach notification within a specific timeframe. Know what it is.
Go beyond SOC 2. Where are data stored? What access controls exist? What does their incident response plan look like? “We have SOC 2” is the start of a conversation, not the end.
The breach at Telus Digital may or may not be as significant as the hacker claims. But the outsourcing risk it illustrates is real regardless of the final number.