The data breach at government tech giant Conduent appears to have affected more people than disclosed, with the number of victims possibly reaching tens of millions of people in the United States.
Ransomware attack January 2025, which shut down Conduent operations for a few daysnow known to affect at least 15.4 million people in Texas alone, accounting for about half of the state’s population. Conduent said in October that 4 million people across the country were affected.
Another 10.5 million people are affected in Oregon, according to the state attorney general.
Conduent has also notified hundreds of thousands of people in Delaware, Massachusetts, New Hampshire, and other states, according to data breach notices seen by TechCrunch.
The stolen data included individual names, Social Security numbers, medical data and health insurance information.
One of the largest government contractors today, Conduent handles and processes large amounts of personal and sensitive information on behalf of large corporations, government departments, and some US states. Company said technology and operational support services reach more than 100 million people in the United States in various government health programs.
When contacted with several questions about the data breach, Conduent’s spokesman, Sean Collins, provided a boilerplate statement that did not answer the question, nor did it say whether Conduent knew how many individuals were affected by the cyberattack. The spokeswoman would not say whether the breach affected more than 100 million people.
Collins said the company has been working to “conduct a detailed analysis of the affected files to identify any personal information” taken in the breach, but would not say which data breach notifications the company has sent so far.
No one knows about the breach, and the company has disclosed few details. Conduent announced a cyber attack in Aprilmonths after hackers overcame the company’s systems, causing disruptions to government services in the United States.
The Safeway ransomware gang take credit to publish, claiming to have stolen over 8 terabytes of data.
At later SEC filingthe company said the stolen data set “contains the personal information of several individuals associated with our client end users,” which refers to corporate and government customers.
Conduent also said it continues to notify individuals whose data has been stolen in publishing, and plans to end alerting individuals in early 2026. The company did not provide a more specific timeline.
Do you know more about Conduent cyber attacks? You can contact Zack Whittaker at Signal via the username zackwhittaker.1337 or via email: zack.whittaker@techcrunch.com.