Commissioned, Curated and Published by Russ. Researched and written with AI.


What’s New: 14 March 2026

Initial publication. The Conduent breach is still developing – Wisconsin regulators updated their breach notification page in late February to reflect “25 million-plus” affected, but state-level disclosures are still trickling in. The Texas attorney general has opened an investigation; class-action litigation is consolidating in federal court. The victim count may still climb.


Changelog

Date | Summary
14 Mar 2026 | Initial publication.

Twenty-five million Americans had their Social Security numbers, medical records, and insurance data stolen. Most of them have never heard of the company it was stolen from.

That company is Conduent Business Services – a Florham, New Jersey-based government contractor and data processor that, until recently, most people outside procurement and benefits administration had no reason to know existed. It provides back-office services for state government programs: Medicaid, SNAP, healthcare payment processing, unemployment benefits. It handles similar work for large private employers. Its own filings claim its technology and support services reach more than 100 million people in the United States.

That reach is not visible to the people whose data flows through it. That’s the story.


What Conduent Is, and Why It Has Your Data

Conduent is a Xerox spinoff. It was carved out in 2017 and has since operated as one of the largest back-office processing vendors in US government services. When a state agency needs to process Medicaid payments, administer benefits, or handle healthcare data at scale, they don’t build the infrastructure themselves – they procure it. Conduent wins a lot of those procurement contracts.

The result is a company that sits behind the scenes of a significant portion of US public services. Conduent’s platforms process benefits for Medicaid programs in more than 30 states. They handle mailroom, printing, and payment operations for state benefit offices. They provide HR and claims administration to large private employers – including, it turns out, Volvo Group, whose roughly 17,000 employees are among those confirmed affected.

None of those individuals – Medicaid recipients, SNAP beneficiaries, Volvo employees – chose Conduent. They didn’t sign up with Conduent, agree to Conduent’s terms, or have any direct relationship with Conduent at all. Their data flowed to Conduent because a state government signed a procurement contract, or because their employer outsourced HR administration to a vendor that itself used Conduent downstream. The data subject had no visibility, no choice, and no notification path that didn’t run through a company they’d never heard of.

That’s the baseline condition before any breach occurs.


What Happened

Hackers – later identified as the SafePay ransomware group – gained initial access to Conduent’s systems on October 21, 2024. They spent nearly three months inside the environment before Conduent discovered the intrusion on January 13, 2025. During that window, SafePay exfiltrated approximately 8 to 8.5 terabytes of data.

Conduent filed a disclosure with the US Securities and Exchange Commission in April 2025 – three months after discovery. The company published an incident notice on its own website in October 2025, nine months after the breach was discovered. That notice contained a “noindex” meta tag in its source code, which tells search engines not to list the page in results. Conduent has not explained why. When TechCrunch asked, the company’s spokesperson declined to comment.
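What that directive looks like in practice, as an added example that is not from Conduent's page or any source cited here: a check a team could run on its own incident notice before publishing, to confirm nothing in the markup or response headers hides it from search results. The sample HTML is constructed, and the crawler names beyond `robots` are an assumed, non-exhaustive list.

```python
from html.parser import HTMLParser

CRAWLERS = {"robots", "googlebot", "bingbot"}  # assumed list of meta names to check
BLOCKING = {"noindex", "none"}                 # "none" means "noindex, nofollow"


def blocking_directives(value):
    """Return the directives in a comma-separated robots value that block indexing."""
    tokens = (t.strip().lower() for t in value.split(","))
    return [t for t in tokens if t in BLOCKING]


class RobotsMetaParser(HTMLParser):
    """Collects blocking directives from <meta name="robots" content="..."> tags."""

    def __init__(self):
        super().__init__()
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag != "meta":
            return
        attr = {k: (v or "") for k, v in attrs}  # names arrive lowercased
        name = attr.get("name", "").strip().lower()
        if name in CRAWLERS:
            for d in blocking_directives(attr.get("content", "")):
                self.findings.append(("meta", name, d))


def find_noindex(html, headers=None):
    """Return (source, crawler, directive) tuples that keep a page out of results."""
    parser = RobotsMetaParser()
    parser.feed(html)
    findings = list(parser.findings)
    for key, value in (headers or {}).items():
        if key.lower() != "x-robots-tag":
            continue
        # The header may carry an optional "crawler:" prefix, e.g. "googlebot: noindex".
        crawler, sep, rest = value.partition(":")
        if sep and crawler.strip().lower() in CRAWLERS:
            crawler, value = crawler.strip().lower(), rest
        else:
            crawler = "robots"
        findings += [("header", crawler, d) for d in blocking_directives(value)]
    return findings


# Constructed sample notice page, not Conduent's actual markup.
SAMPLE_NOTICE = """<html><head><title>Notice of Data Incident</title>
<META NAME="Robots" CONTENT="NoIndex, follow">
</head><body><p>We are notifying individuals...</p></body></html>"""
```

An empty list from `find_noindex` means neither the page nor the supplied headers ask crawlers to skip it; `robots.txt` rules are a separate mechanism and are not covered here.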

State breach notification letters began arriving in late 2025. Oregon disclosed 10.5 million affected residents. Texas initially reported around 4 million – then revised that figure to 15.4 million. The Wisconsin breach notification registry now shows the total at “25 million-plus.” The count grew slowly, state by state, notification letter by notification letter, across more than a year.

The drip-feed approach is not accidental. Breach notification law in the US is primarily state-level, which means a company with national exposure can discharge its legal obligations through a series of separate state filings rather than a single coordinated disclosure. The effect is that the scale of an incident never becomes visible at once. The Conduent breach hit 25 million people without ever producing a single headline that said “25 million people affected.” By the time the total was clear, the news cycle had moved on.

For context: Texas attorney general Ken Paxton called it “likely the largest breach in US history.” That characterisation is wrong – Change Healthcare’s 2024 Alphv/BlackCat ransomware attack affected 193 million people. But the Conduent breach is still significant: 25 million records, including Social Security numbers and medical data, exfiltrated by a ransomware group that had undetected access for 84 days.


Why This Data Specifically Is Damaging

Social Security numbers and medical records are not interchangeable with other personal data. They warrant specific attention because of what can be done with them and because neither can be changed.

A Social Security number, once leaked, is leaked permanently. You cannot rotate it the way you can a password or a payment card number. With an SSN, date of birth, and address – all confirmed as compromised in this incident – an attacker has everything needed to open credit accounts, file fraudulent tax returns, and apply for government benefits in someone else’s name. The downstream consequences run for years, typically surfacing when a victim tries to do something routine: file taxes, apply for a mortgage, check their credit.

Medical records introduce a different but related problem. Health insurance fraud is among the fastest-growing categories of identity crime – attackers use stolen identities to submit fraudulent claims, obtain prescriptions, or receive treatment under someone else’s coverage. This creates medical record poisoning: incorrect diagnoses, medications, or treatment histories attached to a real person’s file. In a medical emergency, that’s not just inconvenient.

The combination – SSN plus medical data plus insurance information – is particularly useful for attackers because it enables both financial fraud and healthcare fraud simultaneously, and the two fraud streams can run for years before they’re detected and linked.

Twenty-five million people’s risk profile changed permanently in October 2024. Most of them still don’t know it.


The Structural Problem

This is not primarily a story about ransomware. SafePay is competent and well-documented, but the attack vector here – ransomware on a back-office data processor – is not novel. The structural problem is that Conduent could hold 25 million people’s most sensitive data while being invisible to all of them.

Every organisation that processes sensitive data at scale uses third-party processors. Payroll vendors, benefits administrators, healthcare clearinghouses, billing processors – they handle data on behalf of the primary organisation, and the data subject typically has no direct relationship with them. Legal frameworks acknowledge this. HIPAA requires Business Associate Agreements (BAAs) between covered entities and their data processors. GDPR requires Data Processing Agreements (DPAs) and mandates that data controllers document their processing activities.

But BAAs and DPAs are legal instruments. They define liability allocation and contractual obligations. They do not audit security controls. They do not require the processor to demonstrate that its environment is adequately hardened against an 84-day intrusion. In practice, the primary organisation – say, a state Medicaid agency – knows they have a BAA with Conduent. They may have very little visibility into what Conduent’s actual security posture looks like, who Conduent’s own subprocessors are, or whether Conduent’s detection capabilities could catch a slow-moving intrusion before 8 TB walks out the door.

This is the structural gap. Third-party and supply-chain risk is well-understood as a category; it’s less well-managed in practice, particularly in government contracting where procurement cycles are long, vendor lock-in is high, and security requirements in contracts often lag the threat environment by years.

The question for engineering and data leadership is not “how do we stop ransomware” – that’s necessary but insufficient. It’s: do you know who your third-party processors are? Not just the vendors you contracted directly, but the processors your processors use? And for those downstream processors, do you have any visibility into their security controls, or just a signature on a BAA?


What This Means for Engineering and Data Leadership

Three concrete practices that the Conduent breach argues for:

Third-party processor inventory. Most organisations have a list of first-tier vendors. Fewer have a complete picture of their data supply chain – the subprocessors their vendors use, and the subprocessors those vendors use. Data access governance requires knowing where your data actually lives, not just where you sent it. GDPR Article 30 requires a Record of Processing Activities (ROPA); that’s a start, but it needs to extend down the processor chain.

Security requirements in procurement, not just contracts. A BAA defines what happens when a breach occurs. It does not prevent the breach. Government Medicaid procurement contracts, in particular, tend to specify service levels, data handling obligations, and audit rights – but security control requirements are often vague, and independent auditing of those controls is rare. Stronger processor security standards in government contracting would have required Conduent to demonstrate detection capability, access control auditing, and data mapping that makes victim counts less likely to quadruple during investigation.

Notification design that respects disclosure obligations at the actual scale. The argument here is not that Conduent should have violated state notification law. It’s that a company processing data for 100 million people should have the data mapping capability to know, within weeks of discovering a breach, which records were affected and how many people are involved. The revision from 4 million to 15.4 million Texas victims is a data mapping failure as much as a security failure. If you can’t quickly determine what was exfiltrated and whose it was, your data governance is not in a state that’s consistent with processing that data responsibly.


What Conduent Represents

You don’t get to choose who processes your data when it flows through government systems. If you receive Medicaid, SNAP benefits, or other state-administered services, your data goes to whatever vendors the state contracts with. You have no opt-out. You have no visibility. You have no direct notification when those vendors are breached – you get a letter from a company you’ve never heard of, months or years after the fact, telling you that your Social Security number is in the wild.

The security of that data depends entirely on procurement standards and processor controls that most people never see. That’s a governance problem before it’s a security problem. Conduent is what happens when those controls fail at scale – and when the systems designed to disclose the failure are structured in ways that make the scale invisible until it’s too late to do much about it.

SafePay spent 84 days inside Conduent’s environment. That’s not a zero-day. That’s a detection gap. And the 25 million people whose data left during those 84 days had no way to know it was happening, no way to have prevented it, and no way to fully recover from it now.


Sources: TechCrunch, Malwarebytes, GovInfoSecurity, Conduent SEC filing (April 2025)