How the Conduent Data Breach Unfolded, and Why It Matters

A cyber intrusion inside Conduent stretched for nearly 3 months, from October 21, 2024, to January 13, 2025, and ended up pulling personal and health-related data tied to multiple client organizations and their end users.

By February 2026, the story had shifted from “cyber incident” to a multi-state enforcement and litigation problem, with regulators publicly putting numbers on the impact and demanding records, while Conduent continues to describe the final scope as complex and still being worked through client by client.

What Conduent Does, and Why the Blast Radius Matters

Conduent is a third-party services vendor that handles back-office and administrative work, including functions connected to health plans and government benefit services.

In its own incident notice, the company describes itself as providing services like printing and mailroom, document processing, payment integrity, and government benefit services.

That positioning is the risk multiplier: when an outsourcing provider is compromised, the affected population is often the customers’ customers, not just the vendor’s own workforce.

Timeline

What began as a contained intrusion inside Conduent’s network, spanning October 21, 2024 through January 13, 2025, escalated into a widening public reckoning as delayed notifications, growing victim counts, and state investigations pushed the incident into the spotlight.

October 21, 2024, to January 13, 2025: Access Window

Conduent says its investigation found an unauthorized third party accessed its environment during that period and obtained some files containing individuals’ personal information.

January 13, 2025: Disruption and Discovery

In a Form 8-K filed with the U.S. Securities and Exchange Commission, the company reported it experienced an operational disruption and learned a threat actor gained unauthorized access to a limited portion of its environment.

It says it activated its cyber response plan with external experts and restored affected systems within days, sometimes hours.

April 2025: Conduent Acknowledges Exfiltration and “A Significant Number” of Individuals

That same 8-K states Conduent determined the actor exfiltrated a set of files tied to a limited number of clients, and that review work confirmed the data sets contained a significant number of individuals’ personal information associated with clients’ end users.

October 2025 to Early 2026: Notifications Roll Out

In its 2025 annual report (Form 10-K), Conduent says individual and regulatory notifications began in October 2025 and were anticipated to conclude by early 2026.

That gap between discovery (January 13, 2025) and notification start (October 2025) is now a focal point for state officials, journalists, and plaintiffs’ lawyers.

What Data Was Exposed

Conduent’s public incident notice says the affected files may have included:

• Name
• Social Security number
• Medical information
• Health insurance information
  It also states not every data element was present for every individual.

Security industry reporting adds that the company described the underlying datasets as complex, and that it has been analyzing what data elements were potentially compromised for which clients.

How Big Was It and Why the Numbers Differ

@andy_thompson_

🏢 Conduent Breach Balloons to Millions 🏢 The data breach at government technology giant Conduent has expanded dramatically, now affecting millions more Americans. The Safeway ransomware group claims responsibility for stealing over 8 terabytes of data containing personal and health information. Conduent handles data for more than 100 million people across America, making this one of the largest breaches of 2026. Sources: • https://techcrunch.com/2026/02/05/data-breach-at-govtech-giant-conduent-balloons-affecting-millions-more-americans/ • https://mezha.net/eng/bukvy/massive-data-breach-at-conduent-exposes-millions-across-us-states/ • https://www.pkware.com/blog/2026-data-breaches Conduent DataBreach Ransomware GovTech Cybersecurity

♬ original sound – Andy Thompson – Andy Thompson

A single definitive nationwide total has been difficult to pin down publicly, partly because the stolen files were tied to multiple clients, and notifications appear to be running through client-specific populations and state-by-state regulatory channels.

Conduent itself framed the impact in its SEC reporting as “a significant number” while continuing its analysis.

Still, several government sources and state actions provide hard reference points:

• Texas: Office of the Attorney General of Texas says the breach exposed sensitive personal data of approximately 4 million Texans, and that the office issued Civil Investigative Demands to Blue Cross and Blue Shield of Texas and Conduent as part of its investigation.
• Oregon: A consumer protection alert from the Oregon Department of Justice lists 10,515,849 affected consumers for Conduent Business Services.
• Maine (registry listing): A state breach registry entry (as surfaced in search results) lists 7,640,112 total affected individuals and 20,970 Maine residents for Conduent Business Services, LLC.

The takeaway is not that one of these figures is “wrong.” It is likely that each figure reflects what a specific regulator had in hand at a specific time, tied to the populations reported into that channel.

Investigations, Subpoenas, and Public Hearings

State officials are now forcing the Conduent breach into the open, using investigative demands, subpoenas, and public hearings to pin down timelines, accountability, and the true scale of exposure.

Texas: Formal Demands for Records

Texas’s attorney general framed the Conduent incident as potentially the largest breach in U.S. history and said the office is investigating the breach window (October 21, 2024 through January 13, 2025), including exposure of protected health information for Texas residents and Texas Medicaid recipients.

Montana: A Public Hearing Conduent Tried to Keep Closed

A separate pressure point is Montana’s insurance regulator. The Montana Commissioner of Securities and Insurance announced that a state judge denied a request by Blue Cross and Blue Shield of Montana and Conduent to halt a public administrative hearing related to the data breach, with the hearing scheduled for January 22, 2026.

That matters for two reasons:

1. It signals regulators are treating third-party vendor exposure as an insurer accountability issue, not just an IT vendor issue.
2. It forces public fact development, even while parts of the breach analysis remain unfinished.

Lawsuits: Consolidation in New Jersey Federal Court

Conduent’s 2025 Form 10-K discloses that the company and its subsidiary are parties to multiple lawsuits brought by or on behalf of individuals who allegedly received notification letters, and that most of the lawsuits have been consolidated into a single action in the U.S. District Court for the District of New Jersey.

What Conduent Says About Dark Web Exposure and Costs

Across its SEC filings, Conduent has repeatedly said it has no evidence the exfiltrated personal information has been released on the dark web, describing ongoing monitoring.

The filings also put a price tag on response activity:

• A $25 million non-recurring charge recorded in Q1 2025 tied to notification requirements.
• $17 million in cash disbursements through December 31, 2025, with an expected additional $8 million during the first half of 2026 related to notification requirements.
• The company states it maintains cyber insurance and expects notification expense above those amounts up to the coverage limit to be covered, while noting uncertainty around costs beyond notifications.

What to Watch Next

1. Whether regulators align on a stable nationwide victim count as notifications conclude, since Conduent said the process was expected to wrap in early 2026.
2. What comes out of the Montana hearing record, since the judge’s refusal to block it increases the odds of detailed, sworn timelines becoming public.
3. How the consolidated New Jersey litigation develops, especially around the notification timeline and alleged security failures.
4. Whether additional state attorneys general follow Texas’s approach with formal investigative demands, using state consumer protection and health data frameworks to pry loose internal communications and security controls.