Conduent Breach Now Affects 25.9 Million Americans

The data breach at Conduent, one of the largest government technology contractors in the United States, keeps getting worse. What the company initially disclosed as a limited security incident in early 2025 has ballooned to at least 25.9 million affected Americans—and the final number is still climbing.

Texas alone accounts for 15.4 million victims, roughly half the state's population. Oregon adds another 10.5 million. Hundreds of thousands more have been notified across Delaware, Massachusetts, New Hampshire, and other states, according to updated reporting by TechCrunch.

What Was Stolen

The stolen data is as sensitive as it gets for government-services records:

• Full names
• Social Security numbers
• Medical records and health data
• Health insurance information

Conduent processes benefits, payments, and health services for state and local governments. That means the stolen records don't just belong to Conduent's employees or direct customers—they belong to ordinary Americans who interacted with government benefit programs.

The Safeway Ransomware Connection

The Safeway ransomware gang claimed responsibility for the attack, saying it exfiltrated over 8 terabytes of data from Conduent's systems. The group is a relatively newer ransomware-as-a-service operation that emerged in mid-2024 and has been targeting government contractors and healthcare organizations.

The original attack in January 2025 knocked out Conduent's operations for several days, disrupting benefit payments and government services. Ransomware-as-a-service operations like Safeway have proliferated rapidly—we tracked Qilin's 17-attack healthcare spree just last month. But it took over a year for the true scale of the Conduent breach to emerge—a pattern we've seen repeatedly with major data breaches where the initial victim count represents a fraction of the eventual total.

A Familiar Pattern With Government Contractors

Conduent isn't the first government technology provider to expose millions of records. The breach follows a pattern where contractors handling sensitive government data become high-value targets because they aggregate records from multiple state agencies into centralized systems.

We saw similar dynamics with the Sedgwick government solutions ransomware attack and the Illinois DHS data exposure that compromised Medicaid recipient information. Government contractors hold the keys to massive data stores, and attackers know it. Insurance data continues to be a prime target—Aflac lost 22 million records to Scattered Spider in one of the year's largest healthcare-adjacent breaches.

The timeline here is particularly frustrating. Conduent is still notifying affected individuals more than a year after the initial breach. For the 25.9 million people whose Social Security numbers were stolen, that's a year of exposure before they even knew they needed to take protective action.

What Affected Individuals Should Do

If you've interacted with government benefit programs in Texas, Oregon, Delaware, Massachusetts, or New Hampshire, assume your data may be compromised—even if you haven't received a notification yet.

1. Place a credit freeze with all three bureaus (Equifax, Experian, TransUnion)—this is free and prevents new accounts from being opened
2. Monitor your Social Security account at ssa.gov for unauthorized benefit claims
3. Watch for health insurance fraud—stolen medical data enables fake insurance claims that can affect your coverage
4. Be wary of targeted phishing using your personal details—attackers who have your SSN, medical records, and name can craft extremely convincing social engineering attacks

Why This Matters

Twenty-five million records isn't just a number. These are Social Security numbers and medical records belonging to people who had no choice in whether Conduent handled their data. They interacted with government programs, and a contractor's security failure exposed them. Enriched data keeps resurfacing on breach forums—AT&T's 176 million records with SSNs showed up again recently, proving these datasets have long shelf lives.

The breach also raises serious questions about oversight of government technology contractors. With states outsourcing core benefit administration to companies like Conduent, the security of those contractors directly affects millions of residents. The gap between the January 2025 attack and the February 2026 disclosure of the full scope—over a year—suggests the notification and audit processes for government contractor breaches need significant reform.

For the latest on data breach news today, we're tracking this story as additional states report their numbers.