What started as a seemingly contained data breach has erupted into one of the largest cybersecurity incidents in recent U.S. history, with business services provider Conduent at the center of a sprawling crisis. Over the past year, the number of Americans affected by the breach has ballooned from an initial estimate of 10 million to more than 25 million, with Texas and Oregon bearing the brunt of the fallout. The breach has not only exposed highly sensitive personal data but also triggered operational disruptions, lawsuits, and renewed scrutiny of how government programs rely on third-party technology vendors.
The breach timeline traces back to October 2024, when hackers first infiltrated Conduent’s systems. According to filings reviewed by TechCrunch and CySecurity News, the attackers maintained access until January 13, 2025, giving them nearly three months to exfiltrate data. Early reports in January 2025 indicated that around 10 million people were affected, but as state-level investigations unfolded, the numbers began to climb at a dizzying pace.
Nowhere was the escalation more dramatic than in Texas. State officials initially believed roughly 4 million residents had been impacted. However, subsequent disclosures revised that figure to at least 15.4 million, making Texas the hardest-hit state by far. Oregon’s tally also surged, with more than 10 million individuals caught up in the breach. “What began as a serious but seemingly contained data breach has turned into something far more alarming,” TechCrunch reported, noting that the breach now touches Americans in nearly every state, including hundreds of thousands in Delaware, Massachusetts, New Hampshire, and beyond.
The compromised data is especially sensitive. According to company notifications and state filings, exposed information includes names, addresses, dates of birth, Social Security numbers, and, in some cases, medical and insurance details. The breach’s impact is magnified by Conduent’s role as a critical backend provider for state and federal agencies. The company processes Medicaid claims, eligibility checks, child support, food assistance, and unemployment benefits—meaning those most at risk are often individuals who depend on government programs and whose health and financial data passed through Conduent’s platforms.
New Hampshire offers a stark example of how the breach’s scope kept expanding. In October 2025, Conduent informed the state’s Attorney General that nearly 11,000 residents had been affected. By February 17, 2026, after four additional letters, that number had soared to more than 181,000. “Conduent says it is now working to notify an additional 112,000 Granite Staters to warn them they were affected by a data breach,” WMUR News 9 reported, highlighting the company’s ongoing struggle to identify and notify all victims.
The breach’s origins are as troubling as its aftermath. The ransomware group SafePay claimed responsibility for the attack, asserting that it had stolen more than eight terabytes of data. The group also threatened to release the material publicly if its ransom demands went unmet. Conduent responded by securing its systems, bringing in forensic teams, and notifying government clients. In a September 30, 2025, filing with the Securities and Exchange Commission, the company confirmed that “significant numbers of individuals’ personal information associated with Conduent clients’ end-users” were included in the affected data sets.
The operational consequences were immediate and widespread. In January 2025, service outages rippled across several states, disrupting payments and customer support for agencies in Wisconsin and Oklahoma. The incident underscored how attacks on back-office providers can cascade into interruptions of public services, compounding the risks for already vulnerable populations.
In addition to government clients, private sector organizations have also been impacted. Volvo Group North America, for instance, reported in a filing with the Maine Attorney General that 16,991 employees were affected. Volvo only learned of the breach in January 2026, many months after the initial intrusion, illustrating the challenges companies face in tracking the downstream effects of such a massive cyberattack.
Legal and regulatory fallout has been swift and severe. Multiple class action lawsuits have been consolidated in federal court, with plaintiffs alleging that Conduent failed to adequately protect sensitive data and delayed notification to those affected. The company now faces potential damages, regulatory penalties, and long-term reputational harm. Security experts told TechCrunch and CySecurity News that the case highlights “a broader vulnerability in how government programs are administered,” warning that complex vendor relationships and technology supply chains can widen attack surfaces and slow detection when breaches occur.
For those caught in the breach, the advice is clear but daunting. Authorities and consumer advocates urge affected individuals to monitor their financial accounts, consider placing credit freezes or fraud alerts, review benefit statements for irregularities, and use dedicated support lines established by program administrators. As TechCrunch noted, “The longer personally identifiable information sits unprotected after a breach, the greater the window for fraud and identity theft to occur.”
Conduent has tried to reassure the public, stating that it has found “no evidence of attempted or actual misuse of the potentially affected information” to date. The company has established a dedicated call center and is offering free identity protection services to those affected. Consumer notifications, which began in the fall of 2025, are expected to continue through mid-April 2026 as the company works through the immense task of reaching every individual whose data may have been compromised.
The breach has reignited calls for tighter oversight and stronger baseline cybersecurity standards for any firm managing sensitive public-sector data. Lawmakers and regulators are now scrutinizing the safeguards in place for third-party vendors, and experts say the scale of the Conduent incident could be a watershed moment for how government contracts are awarded and managed in the future.
As investigations continue and more details emerge, the millions of Americans affected are left to grapple with the consequences of a breach that has upended their sense of security and trust in the institutions meant to protect them. The Conduent case serves as a stark reminder that in a world where personal data is currency, the cost of a breach can be measured not just in numbers, but in the very real risks to people’s lives and livelihoods.