Conduent data breach grows, affecting at least 25M people

The spillover from a ransomware onslaught connected 1 of the largest authorities contractors successful the United States keeps getting bigger: much than 25 cardinal radical person present had idiosyncratic information stolen successful the hack.

Conduent provides printing, mailroom services, and papers and outgo processing services for authorities authorities payment operations, specified arsenic nutrient assistance, arsenic good arsenic workplace and unemployment benefits for ample corporations. As such, the institution handles a ample magnitude of idiosyncratic accusation belonging to a ample swath of the United States. Conduent says its exertion and operational enactment services scope much than 100 cardinal people.

But since the January 2025 cyberattack attack, which a ransomware radical claimed recognition for, the firm elephantine has said small astir the information breach, specified arsenic however it was caused and however galore radical are affected.

An update to the authorities of Wisconsin’s information breach notification page present shows the Conduent breach affects astatine slightest 25 cardinal radical crossed the United States.

TechCrunch’s ongoing tally from assorted information breach notification letters that we person seen besides amounts to astir 25 cardinal people, with Oregon (10.5 million) and Texas (15.4 million) accounting for the bulk of those affected. Other information breach notices seen by TechCrunch see different fewer 100 1000 individuals crossed Massachusetts, New Hampshire and Washington.

The breach is known to person compromised individuals’ names, dates of birth, addresses, Social Security numbers, wellness security information, and aesculapian data.

Conduent has said small extracurricular of its information breach notifications, and successful immoderate cases has made it much hard for affected individuals to larn astir the breach.

A leafage connected Conduent’s website, titled “Incident Notice” that was published successful October 2025 astatine the aforesaid clip arsenic its archetypal information breach notification, does not explicitly notation a cybersecurity incident. The leafage contains a hidden “noindex” tag successful its root code, which tells hunt engines to not database the leafage successful hunt results, making it hard for anyone searching the web to find it.

When reached by TechCrunch, Conduent spokesperson Sean Collins would not accidental however galore notifications the institution has sent to date, oregon wherefore the institution is hiding its incidental announcement from hunt engines.

Conduent’s breach has been billed arsenic 1 of the “largest ever,” but apt trails down the Change Healthcare hack, which affected much than 190 cardinal people pursuing a ransomware onslaught successful February 2024. A Russian-speaking ransomware pack stole reams of wellness and aesculapian information from Change Healthcare utilizing a stolen credential that wasn’t protected with multi-factor authentication, prompting the healthcare tech elephantine to wage astatine slightest 2 ransoms to support most of the stolen data disconnected the internet.