Overview

Conduent, one of the world’s largest business process outsourcing (BPO) companies, has confirmed a major data breach affecting more than 10.5 million people in the United States. The company provides back-office and digital services to state governments, healthcare programs, and insurance providers - meaning that many individuals may have been affected even if they’ve never heard of Conduent itself.

The breach, disclosed in early 2025 through state regulatory filings, is among the most significant data exposure events of the year. It highlights how vulnerable sensitive information can be when managed by third-party service providers that handle data for multiple clients.

How It Happened

According to Conduent, the company discovered unauthorized access to its systems on January 13, 2025. Further investigation revealed that the intruders had been active inside the network since October 21, 2024 - nearly three months before detection.

During that time, attackers reportedly accessed and exfiltrated data containing personal details such as names, addresses, dates of birth, Social Security numbers, and in some cases, medical and insurance information.

The company has not officially attributed the attack to any specific group, though reports circulating in the cybersecurity community link it to a ransomware gang claiming to have stolen several terabytes of data. Conduent says it took immediate steps to contain the breach, hired cybersecurity experts, and began notifying affected clients and individuals once the scope was confirmed.

Risks

The information exposed in this incident is highly sensitive and valuable to criminals. Stolen Social Security numbers and health-related data can be used for identity theft, fraudulent insurance claims, and medical identity fraud - a particularly damaging form of crime because it can lead to false entries in medical records.

Another key concern is the length of time the attackers remained undetected inside the system. Nearly three months of unauthorized access indicates gaps in monitoring or security visibility. Even if Conduent has since contained the attack, millions of individuals and the state programs relying on its services may face ongoing risks.

This case also underscores the growing problem of third-party risk. Many organizations rely on vendors like Conduent to manage critical operations - from processing healthcare claims to handling payments. When those vendors are breached, the impact cascades across multiple sectors and clients, often outside the direct control of the original data owners.

Recommendations

For those potentially affected, vigilance is key. Conduent has offered credit monitoring and identity protection services to help safeguard personal information, but individuals should also stay alert for suspicious emails, phone calls, or billing statements that could signal identity misuse.

People should regularly check their credit reports, update passwords for any related accounts, and enable two-factor authentication wherever possible. In the case of health insurance data, it’s wise to review claim histories and ensure no unauthorized activity appears.

For organizations, the incident serves as a reminder that vendor security is business security. Companies must audit their suppliers’ cybersecurity practices, enforce strong contractual protections, and ensure incident response plans extend to all third parties that handle sensitive information.

As digital ecosystems grow more interconnected, it’s not just about securing your own network - but also making sure the partners who manage your data are just as prepared.