A ransomware attack on government technology giant Conduent has ballooned into one of the largest data breaches in recent history, affecting at least 25.9 million Americans - and the final count could soar much higher. The January 2025 breach, which initially appeared to impact 4 million Texans, now reveals a far more catastrophic scope as state attorneys general across the country report staggering victim numbers. With Conduent handling personal and health data for over 100 million Americans through government contracts, the company's silence on total victim counts is raising alarm bells across Washington.
The scale of the Conduent breach is unprecedented in govtech. What started as a January 2025 ransomware attack that knocked out operations for several days has metastasized into a data exposure event affecting tens of millions of Americans - with the final victim count still unknown.
Texas alone saw 15.4 million residents impacted, accounting for roughly half the state's population. That's a dramatic escalation from the 4 million initially reported in October. Oregon's attorney general confirmed another 10.5 million affected residents. Add in the hundreds of thousands notified across Delaware, Massachusetts, New Hampshire, and other states, and you're looking at a breach that could dwarf most corporate data disasters in recent memory.
The stolen information reads like a hacker's wish list. Names, Social Security numbers, medical data, and health insurance details - the kind of sensitive information that fuels identity theft and insurance fraud for years. And that's just what Conduent has acknowledged so far.
Here's what makes this particularly nasty: Conduent is one of America's largest government contractors, processing personal and sensitive data on behalf of corporations, federal agencies, and state governments. The company's own marketing materials boast that its technology reaches more than 100 million people across various government healthcare programs. That's nearly one in three Americans.
When pressed about whether all 100 million could be affected, Conduent went radio silent. Spokesperson Sean Collins provided only a boilerplate statement to TechCrunch, refusing to answer how many people are impacted or how many breach notifications the company has sent. Collins would only say the company is conducting a "detailed analysis of the affected files" - corporate speak that does little to reassure millions of Americans wondering if their most sensitive data is floating around the dark web.
The Safeway ransomware gang claimed responsibility for the attack, bragging about stealing over 8 terabytes of data. To put that in perspective, that's enough storage for millions of individual records, each packed with the kind of personal information that makes identity reconstruction possible.
Conduent's disclosure timeline raises its own red flags. The company didn't publicly acknowledge the cyberattack until April, months after hackers infiltrated its systems and caused widespread outages to government services across the country. In an SEC filing, the company finally confirmed what security researchers had been tracking for weeks.
A subsequent SEC filing revealed that the stolen datasets "contained a significant number of individuals' personal information associated with our clients' end-users" - referring to both corporate customers and government agencies. Translation: this isn't just about Conduent employees. This is about everyday Americans whose data the company was entrusted to protect.
The breach notification process itself has been glacial. Conduent says it plans to finish alerting affected individuals by early 2026 - nearly a year after the initial attack. But the company won't provide a specific timeline, leaving millions in limbo about whether their information was compromised.
This incident underscores a growing vulnerability in America's digital infrastructure. As government services increasingly outsource data processing to private contractors, a single breach can cascade across state lines, affecting populations larger than most countries. The fact that Conduent handles healthcare data makes it even more sensitive - medical records and insurance information don't expire, and they're invaluable for sophisticated fraud schemes.
Security experts point to this as a wake-up call for govtech oversight. When a contractor serving 100 million Americans can get breached without immediately disclosing the full scope, something's broken in the notification and accountability process. State attorneys general are now scrambling to figure out how many of their residents are affected, piecing together data that Conduent should have provided months ago.
The timing couldn't be worse. This breach comes as Congress debates stricter requirements for breach notifications and data security standards for government contractors. Conduent's handling of the incident, a case study in delay and opacity, is likely to feature prominently in those discussions.
The Conduent breach represents a systemic failure in how America protects citizen data entrusted to government contractors. With at least 25.9 million victims confirmed and potentially 100 million at risk, this isn't just another data breach - it's a full-scale exposure of the vulnerabilities in our govtech infrastructure. As state attorneys general continue tallying victims and Conduent drags its feet on full disclosure, millions of Americans face months or years of identity theft risk. The real question isn't just how many were affected, but whether the oversight systems designed to prevent disasters like this are fit for purpose. Early 2026 can't come soon enough for victims still waiting to learn if their most sensitive information is compromised.