Govtech Giant Conduent Reveals Data Breach Now Affects Millions More Americans
Florham Park, Friday, 6 February 2026.
The scope of Conduent’s security failure has exploded, with confirmed victims in Texas alone jumping to over 15 million, significantly widening the impact of this government contractor breach.
Escalating Crisis: The Numbers Explode
New filings reveal that the security failure at Conduent Business Services, initially detected in January 2025, has compromised the personal data of a staggering number of individuals. In Texas alone, the number of confirmed victims has surged from an earlier estimate of 4 million to exactly 15,494,592, representing a dramatic increase of 287.365 percent [1][3]. When combined with the 10.5 million confirmed victims in Oregon, the total scope of the incident now exceeds 25 million Americans [3][4]. This upward revision comes as the company updates state attorneys general regarding the intrusion, which involved the theft of approximately 8 to 8.5 terabytes of sensitive data [1][3].
Anatomy of a “Govtech” Failure
While the ransomware attack paralyzed Conduent’s operations in January 2025, forensic analysis indicates the security breach began months earlier. Threat actors maintained unauthorized access to the government contractor’s systems for nearly three months, from October 21, 2024, until the intrusion was finally detected on January 13, 2025 [3]. During this window, the perpetrators—identified in reports as the “Safeway” or “SafePay” ransomware group—exfiltrated a trove of personally identifiable information (PII), including names, Social Security numbers, medical records, and health insurance details [1][3]. The breach is particularly critical given that Conduent’s technologies support government healthcare programs touching over 100 million people across the United States [6].
Financial Strain and Legal Headwinds
The fallout for Conduent (CNDT) extends beyond reputational damage to significant financial liabilities. The company projects that direct costs associated with the data breach will reach $25 million by the first quarter of 2026 [3]. This figure includes $9 million that had already been incurred by September 2025 [3]. Furthermore, the company is facing a wave of litigation; as of November 2025, at least nine class-action lawsuits had been filed in New Jersey federal court related to the incident [3]. Regulatory scrutiny is also intensifying, with potential investigations into whether appropriate cybersecurity measures were implemented prior to the attack [3].
Widespread Collateral Damage
The breach highlights the systemic risks inherent in the government technology supply chain, affecting a web of client organizations. Blue Cross and Blue Shield of Montana is currently notifying 462,000 individuals, while Blue Cross and Blue Shield of Texas has alerted approximately 310,000 plan members [3]. Notifications have also been dispatched to residents in New Hampshire, Indiana, and Maine as the full extent of the data loss becomes clear [3]. Conduent plans to conclude the notification process for all affected individuals by early 2026 [1][3].