Conduent data breach expands, impacting at least 25 million individuals

The fallout from a ransomware attack on one of the largest government contractors in the United States continues to grow: personal data belonging to more than 25 million people has now been stolen.

Conduent supplies printing, mailroom, and document services, along with payment and processing support for state government benefit programs such as food assistance. It also supports workplace benefit operations and unemployment-related services for major corporations. Because of that role, Conduent handles enormous volumes of sensitive personal information connected to a wide portion of the U.S. population. The company has said its technology and operational support services reach more than 100 million people.

However, since the cyberattack in January 2025 — which a ransomware group claimed responsibility for — the company has provided limited detail about what happened, including how attackers gained access and how many people were ultimately affected.

A recent update to the state of Wisconsin’s data breach notification page now indicates that the Conduent breach impacts at least 25 million individuals across the United States.

An ongoing tally compiled from multiple breach notification letters reviewed also totals roughly 25 million people. Oregon (10.5 million) and Texas (15.4 million) make up the bulk of those impacted. Additional breach notices reviewed include several hundred thousand more individuals spanning Massachusetts, New Hampshire, and Washington.

The incident is known to have exposed a wide range of sensitive data, including names, dates of birth, home addresses, Social Security numbers, health insurance details, and medical information.

Outside of formal notification materials, Conduent has said very little publicly about the breach and, in some cases, has made it harder for affected people to find information about the incident.

A page on Conduent’s website titled “Incident Notice,” published in October 2025 around the time the company issued its first breach notification, does not clearly state that a cybersecurity event occurred. The webpage also contains a hidden “noindex” tag in its source code, instructing search engines not to index the page. That choice can make it difficult for someone searching online to locate the notice.

When contacted, Conduent spokesperson Sean Collins did not say how many notification letters have been sent so far or explain why the company’s incident notice is being kept from search engine listings.

The Conduent breach has been described as one of the “largest ever,” though it likely remains smaller than the Change Healthcare breach. That earlier hack affected more than 190 million people after a ransomware attack in February 2024. In that incident, a Russian-speaking ransomware group stole large volumes of health and medical data by exploiting a stolen login that was not protected by multi-factor authentication, and the healthcare technology company reportedly paid at least two ransoms to prevent most of the stolen data from being published online.