Conduent breach exposes government program records for over 25 million; ransomware group claims 8TB

Conduent breach imperils government program records

Conduent, the business technology services firm that processes medical billing, toll transactions and prepaid cards for government programs, is confronting a major data-security crisis after disclosing a breach that began in October 2024 and is mitigated as of January 2025. The company says the intrusion now appears to affect more than 25 million Americans, with state reports pushing the scale far beyond early estimates. Texas officials raise the state toll to at least 15.4 million residents and Oregon reports over 10 million people affected; Conduent also notifies hundreds of thousands in Delaware, Massachusetts, New Hampshire and other states.

The exposed material includes names, Social Security numbers and sensitive medical information tied to the firm’s government clients’ end-users, Conduent says in a Securities and Exchange Commission filing. The scope of the compromise is striking given Conduent’s role as a back-office processor for public-sector benefits and payments, and officials and clients are assessing legal and operational fallout as investigators continue to analyse the stolen data sets. The company is coordinating with federal and state authorities while conducting an internal probe with outside cybersecurity specialists.

Conduent frames its immediate response around client and consumer outreach, regulatory compliance and remediation services. It establishes a dedicated call centre to handle inquiries, is offering support services to affected individuals and says it is working with clients on legally required next steps. The firm reports currently having “no evidence of any attempted or actual misuse” of the potentially affected information but acknowledges notifications and regulatory processes will continue as authorities review the incident.

Ransomware group claims extensive haul

The intrusion is claimed by the cybercriminal group calling itself SafePay, which says it stole more than 8 terabytes of data. Conduent confirms in SEC filings that investigators have found a significant volume of personal information in the harvested data; cybersecurity teams continue forensic work to determine what specific client systems and datasets were accessed.

Regulatory filings and consumer outreach timeline

Conduent’s SEC filing notes that individual and regulatory notifications begin in October 2025 and are expected to conclude by early 2026, and the company tells media it expects to send all consumer notifications by April 15. State and federal authorities are reviewing legal and regulatory implications while Conduent coordinates compliance and remediation with affected public- and private-sector clients.