The repercussions of a recent ransomware attack on Conduent, a major U.S. government contractor, continue to expand, now impacting more than 25 million individuals whose personal information has been compromised.
Conduent specializes in providing essential services such as printing, mailroom operations, and document processing for various state government programs, including food assistance and unemployment benefits for large corporations. With its technology supporting over 100 million people, the company handles a significant volume of sensitive personal data.
Since the cyberattack in January 2025, which a ransomware group has claimed responsibility for, Conduent has remained largely silent regarding the specifics of the breach, including its causes and the full extent of those affected. Recent updates from the state of Wisconsin indicate that the breach now encompasses at least 25 million individuals nationwide.
According to ongoing assessments by various data breach notifications, the majority of those impacted hail from Oregon (10.5 million) and Texas (15.4 million), with additional reports indicating hundreds of thousands more affected in states like Massachusetts, New Hampshire, and Washington.
The breach has exposed critical personal details, including names, dates of birth, addresses, Social Security numbers, health insurance information, and medical records.
Despite the scale of the breach, Conduent has offered limited information beyond its official notifications, sometimes complicating the process for affected individuals to understand the implications of the incident. A specific page on Conduent's website, labeled "Incident Notice," fails to mention the cybersecurity event explicitly and contains a hidden tag that prevents search engines from indexing it, making it challenging for concerned individuals to find.
When approached for comment, a spokesperson for Conduent did not disclose the number of notifications sent or the reasoning behind the decision to obscure the incident notice from search engines.
While this breach is considered one of the largest of its kind, it is still smaller than the Change Healthcare attack, which impacted over 190 million individuals following a ransomware incident in February 2024. This previous breach involved a Russian-speaking ransomware group that exploited unprotected credentials to steal extensive health and medical data.