Mass Conduent Breach Now Linked to More Than 25 Million Americans, Texas Hit Hardest
Newly compiled breach reports show a massive expansion in the number of Americans affected by the cyberattack on Conduent, the government technology contractor. What began as a breach believed to affect around 10 million people now appears to reach more than 25 million, with Texas alone accounting for an unexpectedly large share of impacted records.
Scope of the breach and timeline
The intrusion began in October 2024 and was brought under control in January 2025 (ET). Early assessments identified names, Social Security numbers and medical information in the exposed files. Subsequent reviews and state-level disclosures have dramatically changed the picture: Texas revised its estimate to at least 15. 4 million affected residents, up from an earlier figure of about 4 million, while Oregon’s tally sits at roughly 10. 5 million. Hundreds of thousands more victims have been identified in smaller state cohorts.
The ransomware group known as SafePay claimed responsibility for the attack and asserted that more than eight terabytes of data were siphoned during the months-long intrusion. The group also made public threats to release the material if a ransom demand was not met. Conduent has said it secured its systems, engaged forensic teams and notified government clients as part of its response posture.
Government systems, beneficiaries and downstream risk
Conduent operates critical backend systems for many state agencies, handling functions that range from Medicaid claims processing and eligibility checks to child support, food assistance and unemployment systems. The company’s technology supports programs that serve tens of millions of people nationwide, and the exposure of personally identifiable and health-related data has direct implications for program participants across multiple states.
State filings and breach notices indicate that affected populations include recipients of government programs processed through the company’s platforms. The breadth of the intrusion raises concerns about downstream fraud, identity theft and disruptions to the delivery of benefits, even though Conduent has stated it has not found evidence of misuse of the potentially affected information to date. To help answer consumer questions, the company has established a dedicated call center and is coordinating client notifications under federal and state legal requirements.
Legal fallout and what to expect next
The disclosure surge has triggered litigation. Multiple class actions have been consolidated in federal court, with a plaintiffs’ steering committee named to coordinate the suits. Those lawsuits allege failures to adequately protect sensitive personal and health data and delays in notifying impacted individuals following discovery of the intrusion. Potential outcomes include significant damages exposure, regulatory penalties and long-term reputational harm for the contractor.
On the regulatory front, the case underscores renewed scrutiny of third-party vendors that process sensitive government data. Security experts warn that complex supply chains and vendor dependencies can widen attack surfaces and delay detection. The company has emphasized its cooperation with clients and regulators as it completes notification processes that began in the fall of 2025 and are expected to continue into early 2026, with plans in place to complete consumer outreach by mid-April.
For affected individuals, standard identity-protection measures remain advisable: monitor financial accounts, consider credit freezes or fraud alerts, review benefit statements for irregularities and use dedicated support lines set up by program administrators where available. The scale of this incident also renews calls for tighter oversight and baseline cybersecurity standards for firms that manage sensitive public-sector workloads.
