Conduent data breach grows, affecting at least 25M people

The fallout from a ransomware attack on Conduent, one of the largest government contractors in the U.S., continues to escalate, with personal information of over 25 million individuals compromised. Conduent plays a crucial role in providing document processing and payment services for state and corporate benefit programs, including food assistance and unemployment benefits. This means the company manages a vast amount of sensitive data belonging to millions of Americans. Since the January 2025 cyberattack, attributed to a ransomware group, details from Conduent about the breach have been sparse. An update on Wisconsin’s data breach notification page has confirmed that at least 25 million individuals across the country are affected. A report from TechCrunch, which has been tracking data breach notifications, indicates that the states of Oregon and Texas are particularly hard hit, with approximately 10.5 million and 15.4 million individuals impacted, respectively. Additional reports suggest that several hundred thousand more individuals from Massachusetts, New Hampshire, and Washington are also included in this breach. The data exposed in this incident includes critical personal details such as names, dates of birth, addresses, Social Security numbers, health insurance information, and medical records. Despite the severity of the situation, Conduent has remained largely silent, offering limited information beyond their official breach notifications. Alarmingly, a dedicated page on their website, named 'Incident Notice,' does not directly reference the cybersecurity incident, and it features a hidden tag that prevents search engines from indexing it, complicating efforts for affected individuals to find information. When approached by TechCrunch for clarification, Conduent’s spokesperson, Sean Collins, declined to disclose the number of notifications sent out or explain the rationale behind obscuring the incident notice from search engines. This breach is being labeled as one of the largest in history, although it still falls short of the Change Healthcare hack, which impacted over 190 million individuals after a ransomware attack in February 2024. The Change Healthcare incident involved a Russian-speaking ransomware group exploiting a vulnerability due to inadequate multi-factor authentication, leading to significant ransom payments to safeguard the stolen data from public release.