State notices suggest Conduent breach may have exposed tens of millions

State attorneys general filings and media reviews of notification letters indicate the ransomware attack on Conduent Business Services may have reached far beyond the company’s initial disclosures, with at least 15.4 million Texans and 10.5 million Oregonians identified in recent notices. Those two state tallies alone suggest a breach that could touch tens of millions of people, and reporting based on additional filings lists thousands more across smaller states.

Conduent acknowledged the incident in a notification that said, “On January 13, 2025, we discovered that we were the victim of a cyber incident that impacted a limited portion of our network.” Forensic details reported by Malwarebytes say an unauthorized third party had access from October 21, 2024 until the intrusion was stopped on discovery, a window that security experts say allows ample time for data exfiltration.

TechCrunch, which reviewed state breach notices, reported that Texas filings list 15.4 million affected people, about half the state’s population, and that the Oregon attorney general reported 10.5 million affected residents. Malwarebytes’ update cites the Oregon figure as the single largest disclosure and lists additional state totals including 76,000 in Washington, 48,000 in South Carolina, 10,000 in New Hampshire and several hundred in Maine. Techbuzz Ai summed the two largest state counts to arrive at at least 25.9 million potentially affected, while other outlets have characterized the impact as “tens of millions” as tallies continue.

The numbers are inconsistent in places. Conduent previously disclosed a far smaller Texas impact in earlier communications — reported figures include 4 million and, in one media citation, 400,000 — leaving a major discrepancy between company statements and recent state filings. TechCrunch reporters say Conduent spokesperson Sean Collins provided a boilerplate statement and declined to answer follow-up questions, including whether the breach affected more than 100 million people or how many notifications the company had sent.

Multiple outlets and filings say the compromised data include names, Social Security numbers, dates of birth, medical information and health insurance details. Malwarebytes warned that the combination of those fields is sufficient to enable identity theft and fraud for exposed individuals. Conduent has previously said its technology and operational support services reach more than 100 million U.S. residents across government health programs; the company has not confirmed whether that full footprint was implicated.

Independent reporting also captured operational disruption. News outlets described the January ransomware incident as having “knocked out Conduent’s operations for several days.” A vendor-level compromise affecting a contractor with wide state footprints has raised alarms among procurement and cybersecurity officials who warn that centralized providers create single points of failure for multiple government systems.

A smaller number of outlets have advanced additional claims that remain uncorroborated in public filings. An analysis outlet reported that a ransomware group calling itself Safeway claimed to have taken 8 terabytes of files; that claim has not been independently verified by law enforcement or in Conduent’s disclosures. One analysis commentary characterized the episode as crossing “from a contained incident into a critical infrastructure vulnerability inflection point,” and urged close regulatory scrutiny and state contract audits in coming quarters.

State attorneys general offices and Conduent hold the primary records needed to reconcile the conflicting totals. Reporters and officials say the next steps should include releasing the underlying breach notices and timelines, clarifying which state programs and datasets were exposed, and confirming whether files have appeared on extortion sites. Until primary documents are produced, the full national scope of the incident remains uncertain even as the known state tallies continue to grow.