In an alarming development for personal data security, Conduent Business Services, LLC has confirmed a massive data breach affecting millions across the United States. Notifications have started reaching individuals whose information was compromised, with the company revealing that an unauthorized third party accessed its systems for an extended period from late 2024 into early 2025.
This breach, initially disclosed in April 2025, has since escalated in scale. Both governmental and healthcare-related records have been compromised, impacting over 25 million individuals nationwide. "We recognize the serious nature of this incident and are committed to supporting those affected," said Conduent's spokesperson.
States affected include Texas, where more than 15.4 million residents have been reported impacted, up from an initial figure of 4 million. In Oregon, the number stands at approximately 10.5 million, while other states report hundreds of thousands more victims. This breach has positioned itself as one of the largest U.S. data breaches on record, though still trails behind the 2024 Change Healthcare breach, which affected nearly 193 million people.
%20(1)%20(1).webp)
Adding to the gravity of the situation, the Safepay ransomware group took credit for the breach shortly after it was made public. In a post on their dark web leak site, they claimed to have stolen an impressive 8 terabytes of data, which included critical personal information such as names, Social Security numbers, medical histories, and health insurance details. "We clearly stated our capabilities and intentions. The volume of data we’ve taken is significant," noted a representative from the group.
While Conduent has acknowledged the exfiltration of sensitive data, the company has refrained from verifying the exact quantity of data stolen or the claims made by the ransomware group. "While we are conducting a thorough investigation, we have not confirmed the full extent of the data that was taken," said a Conduent executive in a recent statement.
The timeline of Notifications and actions unfolded over several months:
- Late 2025 to February 2026: Affected individuals began receiving notifications on behalf of Conduent’s clients, which include various government agencies and private corporations. The company has projected that all notifications will be completed by mid-April 2026.
- April 9, 2025: Conduent filed an 8-K report with the Securities and Exchange Commission, describing an ongoing investigation into the breach. The report referenced a “threat actor” who had accessed files rather than a complete shutdown of operations or public data leaks at that time. Nonetheless, the company recognized that sensitive personal information of many individuals was compromised. "We have engaged data-mining experts to better understand and mitigate the effects of this breach," stated the filing.
The repercussions of this breach are already being felt. Consumers are urged to monitor their financial statements and credit reports carefully. "We encourage everyone to use protective measures such as identity theft monitoring services," warns cybersecurity analyst Dr. Emily Sowers.
As Conduent works to complete notifications and mitigate the damage, the cybersecurity landscape is once again facing scrutiny. Legislative action is anticipated as officials evaluate what measures can be put in place to bolster data security against similar incidents in the future. The incident shines a stark light on the vulnerabilities present in handling sensitive data across various sectors and the imperative urgency for robust cybersecurity frameworks.
The breadth of this breach underscores the critical need for improved security measures within corporations entrusted with significant personal data, especially those operating in sectors where confidentiality is paramount. The long-term implications of Conduent's breach will likely resonate across the cybersecurity community and prompt widespread calls for reform and increased vigilance.