Philippine BPO Companies at Risk as Scam Hubs from Southeast Asia Migrate to the Philippines
Transnational criminal syndicates are relocating scam hubs to the Philippines, often disguised as legitimate business process outsourcing firms. A major data breach at Telus Digital underscores the significant supply-chain risks and the potential for large-scale identity theft.
Business Process Outsourcing (BPO) companies in the Philippines are at risk for security threats posed by transnational criminal syndicates moving their operations to the Philippines. Specifically, scam hubs based originally in Cambodia and other Southeast Asian countries have been relocating to other parts of the globe, including the Philippines, to evade law enforcement. In the Philippines, these scam hubs may put on the guise of legitimate business operations, commonly a BPO, to avoid government scrutiny.
PSA notes that the relocation of these scam hubs in the country puts Philippine private companies at risk for cyber attacks, particularly BPO companies. Globally, BPO companies already have an elevated cybersecurity risk profile as they manage customers, service workflows, and data processing for multiple multinational corporations, making them a valuable consolidated access point. A data breach within a BPO does not just affect the BPO itself but also its clients.
Case Study: Telus Digital Data Breach
The recent cybersecurity incident at Telus Digital serves as a prominent illustration of a BPO's extensive role and importance within the data supply chain.
In March 2026, Canadian BPO firm Telus Digital confirmed a cybersecurity incident involving the “unauthorized access to a limited number” of their systems. The threat actor group, ShinyHunters, claimed responsibility for the attack, claiming to have stolen 1 petabyte of data “in a multi-month breach.”
This incident highlights critical supply-chain risks within the BPO sector. Because Telus Digital manages customer experience workflows, digital IT solutions, and AI-powered support for a global client base, a single breach exposed the data of multiple external organizations. Threat actors can exfiltrate customer data such as Personally Identifiable Information (PII), financial records, voice logs, and corporate credentials. This stolen data can be used to commit identity theft, bypass biometric security using AI voice deepfakes, and launch Business Email Compromise (BEC) attacks. Furthermore, threat actors can weaponize this data to impersonate BPO clients. Similar to a previous reporting on major e-commerce phishing scams, threat actors exploit these trusted brand identities to launch convincing campaigns directly against end consumers.
Reports indicate that at least 28 well-known companies were impacted by the breach, although the specific names of these organizations have not been disclosed.
The breach is particularly relevant locally, as Telus Digital maintains an active BPO presence in the Philippines, employing employees across Metro Manila and Iloilo.
Philippine Government Operations Against Scam Hubs
Philippine law enforcement continues to crack down on increasingly fragmented scam hubs, as documented in various reports. These sustained efforts aim to dismantle not just these hubs but also online gambling sites. These initiatives are primarily aimed at safeguarding the Philippines from being reinstated in the Financial Action Task Force (FATF) grey list, which the country exited in February 2025.
Ask an Analyst
Do you have a question regarding this report that you would like to ask our team of security and risk analysts? Ask here.
Query Sent
Thank you. Our intelligence team will respond to your query shortly.