Conduent Business Solutions
Analysis of the Conduent ransomware breach affecting over 25 million individuals including government benefits recipients. SafePay group claimed to have exfiltrated 8TB of data.
Published by the Scrutex.ai Research Team | February 2026
Disclaimer
This advisory is provided for informational and educational purposes only by the Scrutex research team. It is based entirely on publicly available reporting from the sources cited below. Where details are unconfirmed or disputed by the affected organisation, this is noted explicitly. Scrutex does not independently verify internal claims made by affected organisations or threat actors. This advisory should not be interpreted as a confirmed statement of fact regarding any organisation's security posture. Organisations concerned about their own exposure should conduct independent assessments and seek professional legal advice.
At a Glance
Organisation: Conduent Business Solutions. US-based IT services and payment processing provider for state governments and health insurers, handling benefits administration for programmes including SNAP and Medicaid.
Sector: Government IT Services / Healthcare
Region: United States
Date of Incident: October 21, 2024 to January 13, 2025 (three-month dwell time)
Date Disclosed: Early 2025 (initial); scope expanded through early 2026
Estimated Impact: Over 25 million individuals (and growing)
Data Types Exposed: Names, Social Security numbers, dates of birth, medical records, health insurance details, treatment information
Attack Type: Ransomware
Attack Vector: Ransomware deployment and claimed exfiltration of 8.5TB of data
Threat Actor: SafePay ransomware group
Current Status: Texas AG investigating. Class-action lawsuits consolidated. Notifications expected complete by April 2026. No evidence of data sold on dark web.
Severity Assessment: Critical. Over 25 million Americans affected across multiple states, making this potentially the largest data breach in US history.
What Happened
Conduent provides payment processing and benefits administration for US state governments and health insurers. The SafePay ransomware group claimed responsibility, asserting it exfiltrated over 8TB of data during a three-month dwell time from October 2024 to January 2025.
The breach initially appeared limited but expanded dramatically. Texas alone jumped from 4 million to 15.4 million affected residents. Compromised data includes SSNs, medical information, and health insurance details for recipients of SNAP, Medicaid, and other government programmes.
The Texas Attorney General has launched an investigation. Multiple class-action lawsuits have been consolidated in New Jersey federal court. Conduent has reported $25 million in direct breach-related costs.
Timeline
October 21, 2024: SafePay ransomware group gains initial access to Conduent systems
January 13, 2025: Unauthorised access terminated after three-month dwell time
Early 2025: Initial disclosure with limited scope
October 2025: Individual notifications begin
February 2026: Scope expanded to over 25 million individuals; Texas count rises to 15.4 million, Oregon to 10.5 million
Threat Actor Profile
SafePay is a ransomware group that emerged in late 2024 and rapidly became one of the most active groups targeting US government contractors and healthcare-adjacent organisations.
The group is known for large-scale data exfiltration prior to encryption, leveraging the volume of claimed stolen data as additional extortion pressure.
Impact and Risk Assessment
For Affected Individuals
Over 25 million Americans, primarily recipients of government benefits including SNAP, Medicaid, and other social services, have had their personal data compromised.
Exposed SSNs, medical records, and health insurance details create long-term identity theft and medical fraud risk for some of the most vulnerable populations in the United States.
The extended notification timeline means many affected individuals may not yet be aware their data was compromised.
For Organisations
Conduent has earmarked $25 million for breach-related costs, with cyber insurance covering excess amounts.
State governments that contracted with Conduent face political and regulatory fallout over their vendor selection and oversight.
Downstream corporate clients such as Volvo Group North America have been affected, demonstrating cascading supply chain impact.
Regulatory Context
The Texas Attorney General has launched a formal investigation. HIPAA breach notification requirements apply to the healthcare data component.
Class-action lawsuits have been consolidated in New Jersey federal court, potentially setting precedent for third-party contractor liability in government data breaches.
What Should You Do?
If You Are a Potentially Affected Individual
If you receive government benefits in the United States, monitor your credit reports and benefits accounts for signs of misuse.
Consider placing a fraud alert or credit freeze, particularly if you reside in Texas or Oregon where the largest populations were affected.
Be alert to phishing attempts that may reference government benefits programmes.
If You Are a Security or Risk Professional
Review your organisation's exposure to Conduent as a service provider and assess whether employee or customer data may have been included in the breach.
Use this incident to evaluate your vendor risk management programme, particularly for contractors handling government benefits data.
Ensure your contracts with third-party service providers include meaningful breach notification timelines and security requirements.
Learnings and Recommendations
This breach is a case study in third-party concentration risk. When a single contractor of this size is compromised, the fallout cascades across every entity that entrusted data to that contractor.
The notification timeline of more than a year between intrusion and individual notifications raises serious questions about third-party vendor oversight and contractual notification requirements.