A January 2025 ransomware attack on government technology giant Conduent has exploded into one of the largest data breaches in recent history, with confirmed victims now numbering at least 25.9 million Americans across multiple states. The breach, attributed to the SafePay ransomware gang, continues to expand as the company notifies additional victims more than a year after the initial intrusion.
The Scope of the Breach
Initially disclosed as affecting 4 million people in Texas, the breach has ballooned dramatically:
- Texas: 15.4 million people affected—approximately half the state’s population
- Oregon: 10.5 million people impacted
- Additional states: Hundreds of thousands more across Delaware, Massachusetts, New Hampshire, and other states
The SafePay ransomware gang has claimed responsibility for the attack, allegedly exfiltrating over 8 terabytes of data from Conduent’s systems.
What Data Was Stolen
The stolen data includes highly sensitive personal information:
- Full names
- Social Security numbers
- Medical data
- Health insurance information
Who Is Conduent?
Conduent is one of the largest government contractors in the United States, handling and processing personal and sensitive information on behalf of large corporations, government departments, and several U.S. states. The company claims its technology and operational support services reach more than 100 million people across various government healthcare programs.
The January 2025 attack knocked out Conduent’s operations for several days, resulting in outages to government services across the country. The company incurred approximately $25 million in direct costs related to breach response, according to its Q1 2025 earnings report.
Why This Matters
This breach demonstrates the devastating downstream impact of attacks on government service providers. When threat actors compromise companies like Conduent that serve as critical infrastructure for public services, the blast radius extends far beyond the immediate victim.
Key takeaways for organizations:
- Third-party risk management is critical—government contractors hold the keys to massive citizen data stores
- Delayed disclosure compounds the problem—victims only now learning their data was stolen over a year ago
- Healthcare data remains a prime target for ransomware operators due to its value on dark web markets
- The true scope of major breaches often takes months or years to fully understand
Conduent has stated it will conclude notifying affected individuals by early 2026, but the final victim count could climb even higher as the company continues its forensic analysis.
