Conduent’s 2025 Data Breach Just Tripled, but the Victims are Still Not Notified

Remember when companies at least pretended to care about timely breach notifications? Yeah, it seems like Conduent didn't get that memo. What started as a "limited" ransomware attack in January 2025 is now looking like one of the most catastrophic government technology disasters in recent memory, with the victim count ballooning to at least 25 million Americans.

Of course, the “best” part in all this is that the company plans to wrap up notifications by "early 2026." Considering that it’s already February, that makes it more than a year after hackers first broke in.

What Happened at Conduent

Back in January 2025, Conduent discovered they'd been hacked, but not before the hackers spent roughly three months lurking in their systems prior to the incident before anyone noticed. The Safeway ransomware gang claimed responsibility, bragging about stealing over 8 terabytes of data containing Social Security numbers, medical histories, and health insurance information. The kind of stuff that doesn't expire and can fuel identity theft for years.tion. The kind of permanent identifiers that fuel identity theft and insurance fraud for years.

Conduent provides tech services to government agencies across multiple states, handling everything from Medicaid claims to child support disbursements – basically the digital backbone of America's social safety net, serving approximately 100 million Americans.

Now, tens of millions, if not more, have had their Social Security numbers, medical records, and health insurance information from government healthcare programs across multiple states compromised, and many are still not even aware of it.

The Numbers Keep Climbing

In October, the official Conduent’s report indicated that the affected number was about 4 million Texas residents. Seriously concerning, considering the sensitivity of the information, but still manageable. Fast forward to this week, and that number jumped to 15.4 million, making for roughly half of Texas's entire population.

But wait, there’s more. Oregon's reporting added another 10.5 million victims to the list. And if we also sum up hundreds of thousands across other states, we end up looking at over 25 million confirmed victims, with a decent chance of there being even more.

When reporters asked the obvious question, “Could all 100 million Americans in Conduent's systems be affected?” they were met with silence. The company gave only boilerplate corporate speak while refusing to answer how many people are actually impacted.

You know what that tells me? They either don't know the full scope of their own disaster, or they know and it’s so bad that they don't want to say. Neither option is reassuring when we're talking about Social Security numbers and medical records.

The Notification Timeline is Absurd

Believe it or not, it gets worse. The breach was discovered in January 2025, yet Conduent only plans to finish notifying victims by "early 2026" – more than a year after, with no specific timeline beyond that vague estimate. Could be February, could be March. Who knows?

Think about what that means. Your Social Security number, medical records, and insurance details could've been floating around the dark web for months, and you wouldn't even know to freeze your credit or watch for fraudulent medical claims. Some people are just now receiving notification letters dated December 2025.

This goes beyond regular corporate incompetence. It's genuinely negligent. These delays don't just inconvenience people but actively expose victims to identity theft, insurance fraud, and medical identity theft schemes that could haunt them for years.

And this is the same kind of government overreach problem we keep seeing: massive centralized databases holding everyone's most sensitive information, with apparently nobody ensuring they're actually protected. One breach shouldn't be able to compromise half of an entire state's population, but here we are.

The lawsuits are already piling up, with at least 9 class actions filed so far, and more coming. But that won't help the millions of people whose data is already out there. When your most sensitive information is compromised, you can't just patch it like buggy software. The damage is pretty permanent.