The fallout from a ransomware attack on Conduent, one of the largest government contractors in the United States, continues to expand. More than 25 million people have now had personal data stolen in the hack.
Conduent provides printing, mailroom services, and document and payment processing for state government benefit operations, including food assistance, as well as workplace and unemployment benefits for large corporations. The company handles a vast amount of personal information for a significant portion of the United States, claiming its services reach more than 100 million people.
Since the cyberattack in January 2025, which a ransomware group claimed responsibility for, the corporate giant has shared few details about the breach. It has not explained how the attack was caused or fully disclosed the number of people affected.
An update to the state of Wisconsin’s data breach notification page now shows the Conduent breach affects at least 25 million people across the country. An ongoing tally from various data breach notification letters amounts to approximately the same number, with Oregon and Texas accounting for the majority of those affected. Notices also include several hundred thousand more individuals across Massachusetts, New Hampshire, and Washington.
The breach compromised sensitive personal information, including individuals’ names, dates of birth, addresses, Social Security numbers, health insurance information, and medical data.
Conduent has said little outside of its mandatory data breach notifications. In some instances, the company has made it more difficult for affected individuals to learn about the incident. A page on its website titled “Incident Notice,” published in October 2025, does not explicitly mention a cybersecurity event. The page contains a hidden tag in its source code that instructs search engines not to list it in results, making it hard to find through web searches.
When contacted, a Conduent spokesperson would not say how many notifications the company has sent or why the incident notice is hidden from search engines.
Conduent’s breach is considered one of the largest ever, though it likely trails behind the Change Healthcare hack. That attack, which began in February 2024, affected more than 190 million people. In that incident, a Russian-speaking ransomware gang used a stolen credential that lacked multi-factor authentication to steal health and medical data, leading the healthcare tech giant to pay at least two ransoms to prevent the data from being published online.