Data breach at govtech giant Conduent balloons, affecting millions more Americans

A data breach at government technology contractor Conduent appears to be far larger than initially reported, with the total number of affected individuals now estimated to be in the tens of millions across the United States.

The ransomware attack, which occurred in January 2025 and disrupted Conduent’s operations for several days, is now known to have impacted at least 15.4 million people in Texas alone. That figure represents roughly half of the state’s population. In October, Conduent said that approximately 4 million people in Texas were affected.

An additional 10.5 million people are affected in Oregon, according to figures released by the state’s attorney general. Beyond those states, Conduent has also sent notifications to hundreds of thousands of individuals in Delaware, Massachusetts, New Hampshire, and several others, according to data breach notices reviewed by TechCrunch.

The compromised information includes highly sensitive personal data, such as individuals’ names, Social Security numbers, medical records, and health insurance details.

Conduent is one of the largest government contractors operating today and manages vast amounts of personal and sensitive information for major corporations, government agencies, and multiple U.S. states. The company says its technology platforms and operational support services reach more than 100 million people nationwide through a range of government healthcare and public service programs.

When contacted with a series of detailed questions about the scope of the breach, Conduent spokesperson Sean Collins provided a generic statement that did not directly address those questions. The spokesperson also declined to say whether Conduent knows the total number of individuals affected by the cyberattack, or whether that number exceeds 100 million people.

Collins said the company is continuing to “conduct a detailed analysis of the affected files to identify the personal information” that was taken during the breach, but would not disclose how many data breach notifications have been issued so far.

Much about the incident remains unclear, as Conduent has shared limited information publicly. The company first disclosed the cyberattack in April, several months after hackers had already disrupted its systems, causing nationwide outages that affected government services.

The Safeway ransomware gang later claimed responsibility for the attack, alleging that it stole more than 8 terabytes of data from Conduent.

In a subsequent filing with the U.S. Securities and Exchange Commission, Conduent said the stolen datasets “contained a significant number of individuals’ personal information associated with our clients’ end-users,” referring to both its corporate and government customers.

Conduent has also said it continues to notify individuals whose data was compromised in the breach and expects to complete the notification process by early 2026. The company did not provide a more precise timeline for when all affected individuals will be informed.