Data breach at govtech giant Conduent balloons, affecting millions more Americans

A data breach at government technology giant Conduent appears to affect far more people than first disclosed, with the number of victims potentially stretching to dozens of millions of people across the United States.

The January 2025 ransomware attack, which knocked out Conduent’s operations for several days, is now known to affect at least 15.4 million people in Texas alone, accounting for about half of the state’s population. Conduent said in October that 4 million people across the state were affected.

Another 10.5 million people are affected across Oregon, per the state’s attorney general. 

Conduent has also notified hundreds of thousands of people across Delaware, Massachusetts, New Hampshire, and other states, according to data breach notifications seen by TechCrunch.

The stolen data includes individuals’ names, Social Security numbers, medical data and health insurance information.

One of the largest government contractors today, Conduent handles and processes large amounts of personal and sensitive information on behalf of large corporations, government departments, and several U.S. states. The company says its technology and operational support services reach more than 100 million people in the United States across various government healthcare programs.

When contacted with several questions about the data breach, Conduent spokesperson Sean Collins provided a boilerplate statement that did not address the questions, nor did they answer if Conduent knows how many individuals are affected by the cyberattack. The spokesperson would not say if the breach affects more than 100 million people.

Collins said that the company has been working to “conduct a detailed analysis of the affected files to identify the personal information” taken in the breach, but would not say how many data breach notifications the company has sent out to date.

Little else is known about the breach, and the company has disclosed few details. Conduent disclosed the cyberattack in April, months after hackers knocked out the company’s systems, which resulted in outages to government services across the United States.

The Safeway ransomware gang took credit for the breach, claiming to have stolen over 8 terabytes of data.

In a later SEC filing, the company said that the stolen data sets “contained a significant number of individuals’ personal information associated with our clients’ end-users,” referring to its corporate and government customers.

Conduent also said it is continuing to notify individuals whose data was stolen in the breach, and plans to conclude alerting individuals by early 2026. The company did not give a more specific timeline.

Do you know more about the Conduent cyberattack? You can contact Zack Whittaker on Signal via the username zackwhittaker.1337 or by email: [email protected].