What they're not telling you: # Telus says I'm affected by a data breach… but I deleted my account in 2024? A Canadian telecommunications customer received a data breach notification from Telus for an account they had already deleted months earlier, raising uncomfortable questions about whether the company actually honored deletion requests or simply failed to segregate deleted user data from active accounts. The customer initiated the account deletion process in 2024 through Telus's prescribed method: sending an email with the subject line "Unsubscribe" to the company.
# THE TAKE: Telus' "Deleted" Data Isn't Actually Gone Here's what Telus won't tell you plainly: deletion requests don't mean deletion. Your data sits in backup archives, disaster-recovery vaults, and third-party processors operating under different legal jurisdictions. It's not negligence—it's standard corporate infrastructure. The breach notification proves it. Telus maintained your personal information months after you requested removal, likely because compliance costs less than genuine data destruction. They're not legally required to *immediately* purge everything; "reasonable timeframes" remain conveniently undefined. This isn't a Telus-specific failure. Every telecom does this. AWS backups, customer service records, billing databases—all operating independently from deletion requests. The company hedges bets that you won't sue, and statistically, you won't. The real scandal? We've normalized data persistence as unavoidable infrastructure instead of demanding immediate, verifiable destruction. Corporate convenience masquerading as technical necessity.
What the Documents Show
They received confirmation that the deletion request had been processed. Months later, the same individual received official notification from Telus that their personal data had been compromised in a security incident. The timing creates a logical impossibility that corporate communications typically gloss over: if the account was deleted, why did Telus still possess the data to lose? This discrepancy exposes a gap between corporate deletion promises and actual data handling practices. Companies frequently assure customers that deletion means permanent removal, yet the Telus case suggests data may remain in company systems long after customers believe they've been erased.
Follow the Money
Whether this reflects negligent record-keeping, retention of "deleted" data in backup systems, or failure to properly execute deletion requests across all internal databases remains unclear from the customer's account. What is clear is that Telus possessed enough of the person's information to send them a breach notification—information they claimed to have removed. The mainstream media coverage of data breaches typically focuses on breach size and remediation steps offered to victims, rarely examining the upstream question: why did companies still have access to data customers explicitly asked them to destroy? This framing accepts corporate deletion claims at face value rather than scrutinizing whether deletion actually occurs. The Telus situation suggests a systematic gap between customer expectations and corporate practice that affects millions of people who've requested their information be removed. The incident also highlights the weakness of Canada's data protection enforcement.
What Else We Know
While privacy regulators exist, individual customers often lack recourse when deletion requests produce ambiguous results. The customer received confirmation of deletion, yet Telus apparently retained the data anyway. Without clear standards for what "deletion" means—whether it includes backups, archived systems, or disaster recovery files—companies can operate under different assumptions than the customers making deletion requests. The broader implication cuts to the heart of digital privacy: deletion may be theater rather than reality. When a customer requests removal, they likely assume the company will cease storing their information. The Telus case suggests companies may interpret deletion far more narrowly, perhaps removing active access while preserving data in systems that never make it to the deletion queue.
Primary Sources
- Source: r/privacy
- Category: Corporate Watchdog
- Cross-reference independently — don't take our word for it.
Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.