
American business services giant Conduent has confirmed that a 2024 data breach has impacted over 10.5 million people, according to notifications filed with the US Attorney General’s offices.
Conduent is an American business process outsourcing (BPO) company that provides digital platforms and services for governments and enterprises. The company was spun off from Xerox in 2017 and currently employs 56,000 people across 22 countries, with annual revenue of $3.4 billion.
The company began sending data breach notifications to affected individuals this month, with the largest reported number coming from the Oregon government, which said 10.5 million people were affected.
Further data breach notifications report 4 million people on the Texas AG site, 76k in Washington, and a couple of hundred in Maine.
Given that Conduent provides services to several other states where specific data breach figures aren’t published, the actual impact could be far larger.
The data breach notifications state that people’s names, Social Security numbers, full dates of birth, health insurance policy or ID numbers, or medical information were exposed.
Conduent’s notification claims that, as of October 24, 2025, the time of its circulation, there’s no evidence that the stolen data has been “misused.”
BleepingComputer contacted Conduent to learn the exact number of impacted people nationwide, and we will update this post with their response once it reaches us.
At the start of the year, Conduent suffered a service outage that it later admitted was caused by a cybersecurity incident. Although the threat actor behind the attack wasn’t named, the Safepay ransomware gang took responsibility for it in late February.
In April, the firm disclosed in a Form 8-K filing with the SEC that threat actors had stolen files from its systems that contained customer information, as well as data from their customers’ clients.
An investigation into the scope of the data breach has now determined that the attack impacted millions of people. Furthermore, although the breach was discovered in January 2025, the environment had been compromised much earlier, on October 21, 2024.
Notification recipients are advised to obtain credit reports and consider placing fraud alerts and a security freeze on their accounts, though no identity theft protection and credit monitoring services were offered in this case.



