A significant data breach at Conduent, a prominent technology firm based in New Jersey, has affected at least 25 million Americans, with approximately half of Texas’ population impacted. The breach, which involved sensitive information including Social Security numbers and health insurance data, was initiated by hackers in October 2024 but went undetected until its discovery on January 13, 2025.
As details continue to emerge regarding the extent of the breach, Texas officials dramatically revised their estimates, increasing the number of affected individuals from 4 million to 15.4 million, a staggering increase of 285%. In Oregon, an estimated 10.5 million residents may also have had their sensitive data compromised, while victims from states such as Delaware, Massachusetts, and New Hampshire are also likely included in the breach.
The incident has led to significant legal ramifications, including multiple class-action lawsuits consolidated in federal court in New Jersey. These lawsuits allege that Conduent neglected to adequately protect personal and health data and delayed notifying victims about the breach for several months. A steering committee was appointed in December to manage the ongoing litigation, which poses potential liabilities for Conduent through damages, regulatory penalties, and negative repercussions with state clients.
Conduent plays a crucial role in managing essential backend systems for state governments across the U.S., dealing with various public benefits including Medicaid claims, child support payments, and unemployment insurance for around 120 million people. The breach was reportedly executed by the SafePay ransomware group, which has claimed responsibility for several high-profile hacks. SafePay announced that it had extracted approximately 8.5 terabytes of data from Conduent’s servers over the course of the attack and threatened to leak this data unless a ransom was paid.
While neither Conduent nor SafePay has confirmed the ransom amount or whether any payment was made, Conduent has stated that it took swift action to secure its networks, restore operations, and notify law enforcement while conducting an investigation with the help of third-party forensic experts. They have also stated that no evidence exists of personal information being leaked on the dark web.
In the wake of this breach, industry experts have underscored the vulnerabilities associated with third-party vendors. Josh Mason, Chief Technology Officer at RecordPoint, emphasized the need for improved transparency and faster detection methods across supply chains, as this incident has highlighted the potential risks that third-party dependencies can present.
As the situation develops, the focus will be on how Conduent manages the fallout and the measures taken to protect sensitive information going forward.