Conduent data breach could be largest in U.S. history
A cyberattack that gave hackers access to conduent Business Services’ network from Oct. 21, 2024, to Jan. 13, 2025, has left millions of people with potentially exposed personal and medical records, and notification letters are already being mailed to affected individuals.
Conduent timeline and scope
Conduent discovered the intrusion on Jan. 13, 2025, after an internal investigation concluded that attackers had access to the company’s systems for just under three months, from Oct. 21, 2024, to Jan. 13, 2025. The stolen files may include names, addresses, Social Security numbers, dates of birth, medical information and health insurance details, and notices have been sent to residents in Georgia, South Carolina, New Jersey, New Hampshire, Maine, Massachusetts and New Mexico.
The Oregon Department of Justice maintains a running count of affected people and has placed the total at about 10. 5 million; state health and government programs and corporate clients that use Conduent’s mailroom and back-office services are among those tied to the incident.
Legal fallout and investigations
State officials and litigants moved quickly after the breach. The Texas Attorney General called the incident likely the largest breach in U. S. history and opened an investigation, and a consolidated class action lawsuit has been filed in New Jersey federal court alleging lapses in basic security. Conduent has said it will cooperate with investigators and, in a filing with the U. S. Securities and Exchange Commission, acknowledged that the stolen data included a "significant number" of individuals’ personal information tied to its clients’ end users.
Notices, protections and steps for affected people
Letters sent to potentially impacted people do not always name the client that contracted with Conduent, making it difficult for recipients to trace the original source of their compromised records. The notices offer one year of free credit monitoring for people who sign up by April 30, 2026, and include a support phone line, 877-332-1658, available Monday through Friday from 9 a. m. to 9 p. m. Eastern Time.
Officials have urged recipients not to discard the notification letters because they contain the specific information needed to enroll in the monitoring service by the April 30 deadline.
The breach has prompted scrutiny of how third-party business services handle highly sensitive personal and medical data, and it has already triggered state-level counts, an official investigation in Texas and federal litigation in New Jersey. The investigation’s timeline—access from Oct. 21, 2024, to Jan. 13, 2025—remains a central anchor for regulators and lawyers assessing exposure and responsibility.
People who receive notification letters must follow the enrollment instructions in their specific notice to obtain free credit monitoring by April 30, 2026; the Texas Attorney General’s inquiry and the New Jersey federal lawsuit are ongoing, and Conduent has stated it will work with investigators to provide relevant information.
