From 10M to 25M: Conduent Breach Balloons Into One of 2025’s Largest
Twenty-five million Americans are now caught in the wake of a cyberattack that quietly ballooned far beyond initial estimates.
What began as a reported breach affecting 10 million customers has more than doubled in scale, making the January 2025 ransomware attack on IT services giant Conduent one of the largest data exposures of the year. Eight terabytes of sensitive information, including Social Security numbers and medical data, were stolen after attackers infiltrated the company’s systems and triggered days of operational disruption.
Now, months later, the true scope of the damage is still coming into focus.
Details from the incident
Conduent officially reported the breach in April of last year and revealed it affected 10 million users. However, new data from sources outside the company suggests more people were impacted. The company, which serves over 100 million US customers across various states, has not responded to the latest numbers.
A Sept. 30, 2025, filing to the Securities and Exchange Commission (SEC) revealed the incident was detected on Jan. 13, 2025, following an operational disruption. In the filing, the company further reported that the attack affected only a limited number of its users.
Oregon was significantly impacted. According to the state’s attorney, as cited by Fox Business, the breach compromised the data of 10.5 million residents. Texas, however, appears to have been hit hardest: Updated figures show the number of affected individuals there surged to 15.4 million, up sharply from an earlier estimate of 4 million.
A ransomware group, SafePay, claimed responsibility for the breach, which caused an outage lasting several days, according to TechCrunch. The breach allowed the attackers to steal users’ social security numbers, names, and medical information, as is typical of many ransomware attacks.
Next steps for the company, affected customers
The company expects to pay $25 million under its notification agreement following the breach. It already disbursed $9 million of that amount before SEC filings and aims to finish all payments by early 2026.
Additionally, a clause in the SEC filing indicates that its cyber insurance policy would cover any excess payable amount beyond $25 million. The excess to be covered by its cyber insurance policy must be within the policy’s agreed limits.
The company earmarked $25 million for activities to identify and notify affected individuals and organizations. It also covers the cost of data protection and dark web monitoring, which the company said it quickly implemented. So far, no affected data has appeared on dark web forums.
While legal fees are also part of the funds, the company has yet to be officially fined by any court, and whether that will happen remains uncertain.
Affected customers are expected to monitor their email for notifications from Conduent regarding the incident and next steps. Since this involves data theft, we expect the attackers to either sell customers’ data or use it to run secondary attacks on them. As a result, affected customers should follow instructions from Conduent or its partners and remain on the lookout for potential phishing.
Also read how a zero-click Claude Desktop flaw put 10,000+ users at risk from nothing more than a Google Calendar invite.
About Author
