Conduent ransomware breach now affects at least 25 million Americans

Updated state breach notifications and regulatory filings show the Conduent Business Services ransomware incident now affects at least 25 million people in the United States, with Conduent telling Wisconsin regulators the incident affected "25 million‑plus" individuals, according to reporting and state postings compiled by TechCrunch and GovInfoSecurity.

The newly aggregated totals place the largest concentrations in Texas, where state filings put the number at roughly 15.4–15.5 million people, and Oregon, which state notices list at about 10.5 million. Those two figures comprise the bulk of the 25 million tally even as reporting notes inconsistencies: Texas figures rose from an earlier company estimate of about 4 million, and Tom’s Guide has flagged that Oregon’s 10.5 million exceeds the state’s population, a discrepancy state officials or Conduent have not yet explained publicly. Other named populations include about 462,000 Blue Cross Blue Shield of Montana plan members and about 17,000 Volvo employees and affiliates, according to client notices cited by GovInfoSecurity and TechCrunch.

State notices and reporting list the types of information that may have been exposed as names, dates of birth, addresses, Social Security numbers, health insurance details and medical information. Cybersecurity observers and outlets warn that the combination of SSNs and medical data raises heightened risks of identity theft, medical fraud and highly targeted scams for affected people who in many cases never had a direct relationship with Conduent.

Conduent’s internal investigation, as reported by GovInfoSecurity, found unauthorized access to its servers from Oct. 21, 2024, until discovery of the intrusion on Jan. 13, 2025, and the company first disclosed the incident in an April 2025 SEC filing. Darkweb monitoring platform Ransomware.live reported that a ransomware group identified in reporting as SafePay listed Conduent on a leak site in February 2025 and threatened to publish roughly 8–8.5 terabytes of stolen data; some outlets used a variant spelling of the group’s name in their coverage.

The widening scope has prompted regulatory scrutiny. Texas Attorney General Ken Paxton announced an investigation, and GovInfoSecurity reported that Montana’s attorney general opened a probe last October into the portion of the breach tied to Blue Cross Blue Shield of Montana. Wisconsin updated its data breach notification page and several other state agencies have issued or revised notices, the patchwork of postings serving as the primary source for the new aggregate totals reported by technology outlets.

The pattern underscores the systemic governance risks of third‑party vendors that process government and employer benefits. Conduent says its technology and operational support services reach more than 100 million people, and cybersecurity analysts have pointed to the difficulty consumers face when their data flows through vendors customers do not recognize. State filings remain the primary public record of who has been notified, leaving a fragmented picture of the incident’s full scope until Conduent issues a consolidated, company‑verified accounting.

Regulators and affected organizations have begun investigations and notifications, but the aggregate figures and state‑by‑state breakdowns should be treated as evolving. Journalists and state officials are calling on Conduent to confirm a consolidated nationwide total, explain the apparent state reporting discrepancies, and disclose what remediation and identity protection it will provide to impacted individuals.