What they're not telling you:
# Telus Data Breach Notification Raises Questions About Data Retention After Deletion Requests
A Telus customer who requested account deletion in 2024 recently received a data breach notification from the company—suggesting the telecommunications giant may have retained personal information long after being asked to remove it. The customer, who shared their experience on Reddit's privacy community, said they followed Telus's deletion protocol by sending an email with the subject line "Unsubscribe" and received confirmation that their request had been processed. Despite this documented deletion confirmation, they were later notified by Telus that their data had been compromised in a security incident.
What the Documents Show
The timing raises a straightforward but uncomfortable question: if the account was deleted, why was there data to breach? This incident exposes a gap between corporate deletion policies and actual data practices. Telus instructed the customer to use a basic "Unsubscribe" email rather than directing them through a formal GDPR-style data deletion process or a dedicated privacy portal—a procedurally unusual approach that may reflect how casually some Canadian telecom companies handle deletion requests. The confirmation email the customer received offered no specificity about what data would be retained, for how long, or for what purposes. This vagueness matters.
Follow the Money
Many companies distinguish between account deletion (removing access credentials) and data deletion (permanently destroying personal information). Telus's process appears to have blurred this critical distinction. The broader context amplifies the concern. Canada's privacy regulations, including PIPEDA, generally require organizations to delete personal information when it's no longer needed for the purposes it was collected—though enforcement is notoriously weak. Telecommunications companies in particular hold sensitive data: call records, billing addresses, payment information, device identifiers, and sometimes location history. For a customer who explicitly requested deletion months before a breach occurred, retaining that data without clear justification or customer knowledge represents both a regulatory gray area and a practical security risk.
What Else We Know
What mainstream coverage typically misses is that this scenario isn't anomalous—it's structural. Companies have financial incentives to retain data for as long as technically and legally defensible: customer retention analytics, fraud prevention databases, and backup systems can all serve as justifications for keeping information even after deletion requests. Telus's use of an informal deletion method, rather than a formal data subject access request process, may have inadvertently created a documentation problem where the company itself might have unclear records about which customer data should have been purged and when. The customer's experience illustrates why ordinary people should be skeptical of deletion confirmations that lack detail. A confirmation email saying "your request has been processed" is not the same as a detailed receipt outlining exactly which data categories are being deleted, which are being retained for legal compliance, and when permanent destruction will occur. Without that transparency, customers have no way to verify whether a company actually honored their request or simply stopped sending marketing emails while warehousing their information elsewhere in the organization.
Primary Sources
- Source: r/privacy
- Category: Corporate Watchdog
- Cross-reference independently — don't take our word for it.
Disclosure: NewsAnarchist aggregates from public records, API feeds (Federal Register, CourtListener, MuckRock, Hacker News), and independent media. AI-assisted synthesis. Always verify primary sources linked above.

