Conduent breach widens as Texas reports 15.4 million affected

Conduent Business Services is facing an expanding fallout after state filings and consolidated reporting published Feb. 23, 2026 revised the scale of a cyber intrusion that was discovered in January 2025, with Texas alone reporting 15.4 million people affected and Oregon 10.5 million. The updated tallies, plus hundreds of thousands of notifications in Delaware, Massachusetts and New Hampshire, push the incident into the range of “tens of millions” of Americans whose personal information may have been exposed.

Conduent disclosed the initial incident in an April 2025 Form 8-K. The company said it has agreed to send notification letters on behalf of clients, set up a dedicated call center and expected to complete consumer notifications by April 15. The filing stated: "As previously disclosed in its April 2025 Form 8‑K filing with the SEC, in January 2025, Conduent discovered that it was the victim of a cybersecurity incident. With respect to that incident, Conduent has agreed to send notification letters, on behalf of its clients, to individuals whose personal information may have been affected by this incident. Working in conjunction with our clients, we expect to send out all of the consumer notifications by April 15. In addition, a dedicated call center has been set up to address consumer inquiries. At this time, Conduent has no evidence of any attempted or actual misuse of any information potentially affected by this incident."

Investigators and public filings also reflect claims by the Safeway ransomware gang that it exfiltrated more than 8 terabytes of data. Public reports cite exposed fields that include names, Social Security numbers, medical information and health insurance details, though Conduent has not released a complete, itemized inventory of data elements for all affected populations. The company has offered identity monitoring services to affected employees.

The incident has drawn scrutiny because Conduent manages systems for public programs and employer services that touch large swaths of the population, including Medicaid, unemployment programs, child support services and employer benefits. That concentration of government client work amplifies the potential human impact and complicates notification and remediation, as state agencies and contractors reconcile records and revise totals.

The evolving numbers have also prompted questions about detection and disclosure. State filings that revised Texas’s figure from an earlier estimate near 4 million to 15.4 million highlight gaps in internal visibility, and industry observers warned that vendor incidents are an increasingly central risk. One widely circulated industry comment noted, "The question is not whether your organization will face a vendor-related incident, but whether it will be prepared when it occurs."

Volvo confirmed on January 21, 2026 that its workforce had been impacted, illustrating the prolonged, downstream effects of a single vendor breach. Reporters have pressed Conduent about whether the breach could affect more than 100 million people across the company’s client footprint; leadership declined to answer.

Regulators and state agencies continue to update notices and totals, and legal scrutiny appears to be intensifying as attorneys and officials review potential consumer harms and contractual responsibilities. Public documents available so far do not identify a definitive aggregate count or a full forensic inventory of exfiltrated files, and several timelines in circulation contain contradictory dates that require reconciliation.

For policymakers and public-sector clients, the episode underscores gaps in vendor oversight, incident transparency and the need for clearer requirements on breach timelines and data inventories. For millions of affected Americans the immediate priorities remain clear: accurate notifications, verified identity protections and expedited answers about what specific personal information was exposed.