Canada’s second-largest telecom, TELUS is investigating a potential data breach after a threat actor shared samples online of what appears to be employee data. The threat actor subsequently posted screenshots that apparently show private source code repositories and payroll records held by the company.
TELUS has so far not found evidence of corporate or retail customer data being stolen and continues to monitor the potential incident.
Private source code and employee data up for sale
On February 17, a threat actor put up what they claim to be TELUS’ employee list (comprising names and email addresses) for sale on a data breach forum.
“TELUS employes [sic] from a very recent breach. We have over 76K unique emails and on top of this, we have internal information associated with each employee scraped from Telus’ API,” states the forum post.
While BleepingComputer has been unable to confirm the veracity of threat actor’s claims just yet, the small sample set posted by the seller does have valid names and email addresses corresponding to present-day TELUS employees, particularly software developers and technical staff.
By Tuesday, February 21, the same threat actor had created another forum post—this time offering to sell TELUS’ private GitHub repositories, source code, as well as the company’s payroll records.
“In the repositories are the backend, frontend, middleware [information,] AWS keys, Google auth keys, Source Code, Testing Apps, Staging/Prod/testing and more!” states the seller’s latest post.
The seller further boasts that the stolen source code contains the company’s “sim-swap-api” that will purportedly enable adversaries to carry out SIM swap attacks.
Although the threat actor has labeled this a “FULL breach” and promises to sell “everything associated with Telus,” it is too early to conclude that an incident indeed occurred at TELUS or to rule out a third-party vendor breach.
“We are investigating claims that a small amount of data related to internal TELUS source code and select TELUS team members’ information has appeared on the dark web,” a TELUS spokesperson told BleepingComputer.
“We can confirm that to this point our investigation, which we launched as soon as we were made aware of the incident, has not identified any corporate or retail customer data.”
BleepingComputer continues to monitor the development and provide you with updates on the situation.
TELUS employees and customers, in the meantime, should look out for any phishing or scam messaging targeting them and refrain from entertaining such email, text, or telephone communications.
h/t Dominic Alvieri
