Conduent Breach Affected At Least 10.5M Victims: Disclosure

The breach — which was discovered in January and has reportedly been claimed by the cybercriminal group SafePay — included the compromise of data including Social Security numbers and medical information.

A data breach discovered in January at solution provider Conduent affected at least 10.5 million individuals, according to a disclosure posted by the Oregon Attorney General’s Office.

The Texas Attorney General’s Office, meanwhile, has disclosed that data compromised in the attack included victims’ names, Social Security numbers, medical information and health insurance.

The cybercriminal group SafePay has claimed responsibility for the Conduent breach, according to a BleepingComputer report. SafePay has also been linked to incidents including the disruptive ransomware attack against distribution giant Ingram Micro in July.

The Record had earlier reported that the Conduent breach claimed more than 10 million victims. In a statement provided to CRN Thursday, Conduent did not specify how many individuals were impacted in the breach.

“With respect to that incident, Conduent has agreed to send notification letters, on behalf of its customers, to individuals whose personal information may have been affected by this incident,” Conduent said in the statement, adding that it’s operating a call center to answer inquires on the incident.

The Florham Park, N.J.-based company said it has conducted a “detailed analysis of the affected files to identify the personal information contained therein, which was a time-intensive process.”

Breach notifications were sent out to impacted residents by Conduent between Oct. 8 and Oct. 24, the Oregon Attorney General’s Office disclosed.

Conduent, No. 29 on CRN’s Solution Provider 500 for 2025, had previously disclosed that the breach impacted personal data belonging to a “significant number of individuals.”

The breach was discovered in January but had begun as far back as October 2024, according to disclosures posted by the Oregon and Maine attorneys general websites.

‘Operational Disruption’

Conduent, which provides systems used to enable government services such as child support payments and food assistance, had previously said it experienced an “operational disruption” on Jan. 13 associated with the cyberattack.

In a filing in April with the U.S. Securities and Exchange Commission, Conduent said a threat actor was able to access a “limited portion” of the company’s IT environment during the incident.

Following an investigation, Conduent determined that the attacker “exfiltrated a set of files associated with a limited number of the Company’s clients” during the incident.

Experts that were engaged to evaluate the stolen data found it contained “a significant number of individuals’ personal information associated with our clients' end-users,” Conduent said in the SEC filing.

Conduent was previously among the major solution providers struck by a wave of ransomware attacks during 2020.