When government technology giant Conduent first acknowledged a cybersecurity incident in January 2025, the company characterized it as a relatively contained operational disruption. Months later, a far more alarming picture has emerged: one of the largest data breaches in recent U.S. history, affecting tens of millions of Americans and exposing critical vulnerabilities in how government services are outsourced to private contractors.
The January attack, carried out by the SafePay ransomware gang, resulted in the theft of massive amounts of personal information from a company that processes sensitive data for government agencies, healthcare organizations, and Fortune 500 companies across the United States. The breach has affected at least 25 million people, with the final count potentially climbing higher as Conduent continues sending notifications through early 2026.
The Breach by Numbers
The true scope of the Conduent breach has emerged slowly through a series of regulatory filings and state notifications. What Conduent initially described as affecting 4 million people in Texas alone has since ballooned to at least 15.4 million Texans—representing nearly half the state’s population.
Oregon reported another 10.5 million affected individuals through its systems. Additional hundreds of thousands have been confirmed across Delaware, Massachusetts, New Hampshire, and other states. Conduent states it will continue notifying affected individuals through early 2026, suggesting the final tally could climb even higher.
Timeline of Disclosure
The stolen data includes some of the most sensitive personal information: full names, Social Security numbers, medical records, and health insurance details. Unlike passwords or credit card numbers, Social Security numbers cannot be changed. Once compromised, they expose victims to years—potentially decades—of identity theft risk.
For the millions of economically vulnerable Americans who rely on government services processed by Conduent, the burden of monitoring credit reports and protecting their identities is particularly acute.
What Was Stolen
Conduent operates largely behind the scenes, but its reach is vast. The Florham Park, New Jersey-based firm provides technology-driven business process solutions to government agencies, healthcare organizations, transportation authorities, and Fortune 500 companies. Its services touch millions of Americans daily—from processing toll payments and child support disbursements to managing HR and benefits platforms for major corporations.
Conduent claims its technology and operational support services reach more than 100 million people in the United States across various government healthcare programs, making it one of the largest government contractors operating today. The company serves over 600 government and transportation organizations, as well as roughly half of Fortune 100 companies.
States Confirmed Affected
Perhaps as troubling as the breach itself is the manner in which Conduent disclosed information. The company didn’t publicly acknowledge the cyberattack until April—months after the January discovery. The initial characterization focused on operational disruption rather than data compromise. Only later, through SEC filings, did the company reveal that attackers had exfiltrated personal records.
According to Conduent’s SEC filing, the stolen datasets “contained a significant number of individuals’ personal information associated with our clients’ end-users.” This progressive revelation—from contained incident to massive data exfiltration—has drawn scrutiny from cybersecurity analysts, investors, and state regulators.
Government Services Disrupted
The immediate impact extended beyond data theft. State governments experienced significant service disruptions. In Wisconsin, the Department of Children and Families reported payment delays to thousands of families. Oklahoma’s Human Services Department similarly acknowledged processing delays. These disruptions affected child support payments, food assistance programs, Medicaid payments, and other essential government services.
This marks Conduent’s second major ransomware incident in five years. The company experienced a previous attack in May 2020, attributed to the Maze ransomware group, which notified 969 people of a data breach. The recurrence of such incidents raises questions about whether sufficient investments were made in hardening defenses and improving incident detection capabilities after the first breach.
For a company handling such sensitive data on behalf of government agencies—processing Medicaid payments, food assistance programs, and child support enforcement—cybersecurity should be paramount. The pattern suggests lessons from the 2020 breach may not have been fully implemented.
The Conduent breach fits a pattern of cybercriminals increasingly targeting business process outsourcing firms and managed service providers. These companies represent high-value targets because they aggregate data from multiple clients, offering attackers a single point of entry to vast troves of sensitive information. When a company like Conduent—which serves numerous state governments and Fortune 500 companies—is breached, the ripple effects extend far beyond the contractor itself.
What Affected Individuals Should Do
If you receive a notification from Conduent: Immediately freeze your credit with all three major bureaus (Equifax, Experian, TransUnion). Monitor financial accounts closely for suspicious activity. Consider filing taxes early to prevent tax fraud. Sign up for the offered credit monitoring, while recognizing its limitations. Document everything, including when you were notified and what information was compromised.
Conduent now faces challenges on multiple fronts. The company must complete its forensic investigation, fulfill notification obligations across multiple jurisdictions, defend against potential class-action lawsuits, and rebuild trust with government agencies and corporations that rely on its services. Each task carries significant financial and operational costs.
When contacted about the breach, Conduent spokesperson Sean Collins provided statements that did not address key questions about total victim counts or whether all 100 million individuals the company serves could be affected. Collins stated the company has been working to “conduct a detailed analysis of the affected files to identify the personal information” but would not confirm how many breach notifications have been sent.
For affected individuals, Conduent states it will provide credit monitoring and identity protection services—a standard response that cybersecurity experts increasingly view as insufficient. Credit monitoring is reactive, alerting individuals after fraudulent activity occurs rather than preventing it. More robust responses would include proactive identity theft protection, dedicated case management for victims, and long-term monitoring commitments.
Several states have initiated reviews of their contracts with Conduent, and at least one state agency has reportedly begun exploring alternative service providers. The incident has reignited debate about outsourcing core government functions to private companies, particularly when those companies may not face the same cybersecurity standards and oversight as government agencies.
Related cybersecurity developments continue to affect the technology sector. Amazon recently blocked piracy apps on Fire TV in a two-stage crackdown, while Google’s Gemini screen automation feature in Android 16 raises new privacy questions. Meanwhile, Adobe Animate faces shutdown in March 2026, and Apple’s Studio Display 2 rumors suggest a 90Hz refresh rate instead of 120Hz ProMotion.
The Conduent breach serves as a reminder that cybersecurity represents a fundamental business risk that can threaten organizational viability. Companies handling sensitive data on behalf of government agencies and large enterprises must invest accordingly in security infrastructure, adopt zero-trust principles, and maintain transparent communication when incidents occur. The importance of robust incident response plans cannot be overstated, as failures can cost $2 million per hour during active attacks.
The information covered here includes the January 2025 ransomware attack at Conduent, the progressive disclosure of affected individuals from 4 million to over 25 million, the types of personal data stolen, the timeline of events from October 2024 initial access through February 2026 ongoing notifications, and the state-by-state impact across Texas, Oregon, and other jurisdictions.
The discussion examined Conduent’s role as a major government contractor serving over 100 million Americans, the company’s 2020 Maze ransomware incident, the SafePay ransomware gang’s methods, and the disruptions to government services including child support and benefit payments. The responses from Conduent spokesperson Sean Collins and the company’s SEC filings were reviewed.
Steps for affected individuals were outlined, including credit freezes and monitoring recommendations. The broader context of supply chain vulnerabilities in business process outsourcing was addressed, along with ongoing reviews by state agencies of their Conduent contracts.
