Conduent Breach Surges to Over 25M, Could Be Largest in US History
The data breach that rocked government IT contractor Conduent back in January 2025 just keeps growing, and experts are now warning it could be the largest in US history.
What started as a cyberattack that the company initially described as affecting a limited number of users has snowballed into a crisis touching an estimated 25 million Americans, with no clear end to the count in sight. New state-level investigations are pushing the numbers higher by the week, and for many victims, a notification letter may be their first clue that their Social Security number, medical records, or health insurance information was ever compromised.
In Texas alone, the number of affected residents has climbed to 15.4 million, up from earlier estimates of about 4 million. Oregon has reported 10.5 million impacted individuals. Notifications have also gone out in states including Delaware, Massachusetts, New Hampshire, Georgia, South Carolina, New Jersey, Maine, and New Mexico.
Taken together, those figures alone push the total well beyond initial projections and could place the incident among the largest US data breaches on record.
Texas Attorney General Ken Paxton has described it as “likely the largest breach in US history,” adding that his office “is committed to uncovering exactly what went wrong… and ensuring there is justice for any negligence.”
Conduent’s response
In a statement provided to Fox News, a Conduent spokesperson said:
“As previously disclosed in its April 2025 Form 8-K filing with the SEC, in January 2025, Conduent discovered that it was the victim of a cybersecurity incident. With respect to that incident, Conduent has agreed to send notification letters, on behalf of its clients, to individuals whose personal information may have been affected by this incident.
Working in conjunction with our clients, we expect to send out all of the consumer notifications by April 15. In addition, a dedicated call center has been set up to address consumer inquiries. At this time, Conduent has no evidence of any attempted or actual misuse of any information potentially affected by this incident.”
The company added that it secured its networks, restored operations, notified law enforcement, and launched an investigation with third-party forensics experts “upon discovery of the incident.”
“Both Conduent and our third-party experts monitor the dark web regularly and have no evidence of any personal information being released on the dark web, ” the statement continued. “Rest assured, we have followed all of the right protocols and have assured our clients that we have secured the necessary data. Conduent has been working with law enforcement and takes this matter seriously. We regret any inconvenience this incident may have caused.”
Legal and financial fallout
Conduent is now facing heat from multiple directions at once.
Multiple lawsuits have been consolidated in the US District Court for the District of New Jersey, with plaintiffs alleging the company both failed to adequately protect sensitive data and waited far too long to notify the public. The gap between the January 2025 discovery and the start of consumer notifications in October 2025 (nearly nine months) has become a central flashpoint in the litigation.
On the financial side, Conduent has reported a $25 million non-recurring charge tied to breach notification requirements. As of the end of 2025, it had disbursed $17 million, with another $8 million expected in the first half of 2026. The company says its cyber insurance policy should cover notification costs within policy limits, but has flagged uncertainty around costs beyond that.
Conduent has said it continues to analyze the affected datasets and coordinate with clients to determine the full scope of exposure.
Also read: A similar case played out at Aflac, where a breach affected 22 million people and exposed sensitive personal and medical data.
About Author
