conduent breach under investigation as lawsuits and state probes multiply

Conduent confirmed a major network intrusion that began Oct. 21, 2024, and persisted through Jan. 13, 2025 (ET), exposing files tied to millions of people. The revelation has prompted state-level investigations, litigation and scrutiny of how the business services firm protects client data.

Scope, timeline and data exposed

Conduent discovered the compromise on Jan. 13, 2025 (ET) and launched a forensic investigation with outside experts. The company says an unauthorized party had access from Oct. 21, 2024, to Jan. 13, 2025 (ET) and obtained files belonging to clients. Stolen data elements may include names, addresses, Social Security numbers, dates of birth, medical details and health insurance information.

Preliminary disclosures indicate the breach affects millions of individuals nationwide. A consumer protection alert cites an impact figure of roughly 10. 5 million people. State filings note nearly 11, 000 affected residents in one state and 4 million in another, while other client notices show pockets of exposure across a range of organizations and sectors. The ransomware group calling itself Safepay has claimed responsibility for the intrusion.

Legal and regulatory fallout accelerates

State attorneys general are pressing for documents and answers. The attorney general of one state has opened a formal probe and demanded records from both Conduent and affected clients to determine whether notification and security obligations were met. That official described the incident as likely among the largest breaches in U. S. history and pledged to pursue any evidence that could improve future protections.

Separately, consolidated class action litigation has been filed in federal court, alleging the company failed to implement basic security measures and did not adequately safeguard sensitive personal and medical information. Plaintiffs seek to hold the company accountable for the scope of exposure and any downstream harms from the theft of data.

Company response and client impacts

Conduent says it moved quickly to secure its environment, engaged forensic specialists, and continues to analyze which clients and data elements were affected. The firm maintains there is no current evidence that stolen information has been misused or publicly posted, and it says it will cooperate with investigators and regulators.

The ripple effects extend to multiple client organizations that relied on Conduent for back-office and administrative services. One large health-plan client was notified months after Conduent first identified the incident; that client later faced regulatory scrutiny for the timing of its consumer notifications and participated in a public administrative hearing in January 2026 (ET). A major transportation client disclosed exposure affecting roughly 17, 000 customers and staff, and several other companies have issued their own notices to impacted individuals.

Security experts warn that breaches at service providers can significantly broaden an incident’s reach because third-party vendors often hold or process large volumes of customer data across industries. The unfolding Conduent matter is drawing attention to vendor risk management, breach detection timelines, and how quickly downstream partners inform regulators and consumers once a compromise is identified.

For now, investigators and litigants are focused on establishing the full scope of the theft, whether any data has been misused, and how compliance and notification obligations were handled by Conduent and its clients. The company has pledged cooperation while the inquiry and litigation proceed.