A data breach at government technology giant Conduent appears to affect far more people than first disclosed. The number of victims potentially stretches to dozens of millions of people across the United States.
The January 2025 ransomware attack, which knocked out Conduent’s operations for several days, is now known to affect at least 15.4 million people in Texas alone. This accounts for about half of the state’s population. Conduent had previously said in October that 4 million people across the state were affected.
Another 10.5 million people are affected across Oregon, according to the state’s attorney general. Conduent has also notified hundreds of thousands of people across Delaware, Massachusetts, New Hampshire, and other states. The stolen data includes individuals’ names, Social Security numbers, medical data, and health insurance information.
Conduent is one of the largest government contractors today. It handles and processes large amounts of personal and sensitive information on behalf of large corporations, government departments, and several U.S. states. The company says its technology and operational support services reach more than 100 million people in the United States across various government healthcare programs.
When contacted with several questions about the data breach, Conduent spokesperson Sean Collins provided a boilerplate statement. It did not address the questions, nor did it answer if Conduent knows how many individuals are affected by the cyberattack. The spokesperson would not say if the breach affects more than 100 million people.
Collins said the company has been working to conduct a detailed analysis of the affected files to identify the personal information taken in the breach. However, he would not say how many data breach notifications the company has sent out to date.
Little else is known about the breach, and the company has disclosed few details. Conduent disclosed the cyberattack in April, months after hackers knocked out the company’s systems. This resulted in outages to government services across the United States.
The Safeway ransomware gang took credit for the breach, claiming to have stolen over 8 terabytes of data. In a later SEC filing, the company said the stolen data sets contained a significant number of individuals’ personal information associated with its clients’ end-users, referring to its corporate and government customers.
Conduent also said it is continuing to notify individuals whose data was stolen in the breach and plans to conclude alerting individuals by early 2026. The company did not give a more specific timeline.