Business services provider Conduent is notifying more than 10 million people that their personal information was stolen in a January 2025 data breach.
The incident was disclosed publicly in late January, when Conduent confirmed system disruptions that affected government agencies in multiple US states.
In April, the company notified the Securities and Exchange Commission (SEC) that the attackers had stolen personal information from its systems.
Last week, Conduent started notifying users that their personal information was stolen in the incident, and submitted notices to Attorney General’s Offices in multiple states.
The hackers accessed Conduent’s network on October 21, 2024 and were evicted on January 13, 2025, after the attack was identified, the company says in the notification letter to the affected individuals.
During the time frame, the attackers exfiltrated various files from the network, including files containing personal information such as names, addresses, dates of birth, Social Security numbers, health insurance details, and medical information.
Conduent is not providing the affected people with free identity theft protection services, but encourages them to obtain free credit reports, place fraud alerts on their credit files, and place security freezes on their credit reports.
“Upon discovery of the incident, we safely restored our systems and operations and notified law enforcement. We are also notifying you in case you decide to take further steps to protect your information should you feel it appropriate to do so,” the notification letter reads.
Based on the data breach notice submitted with the authorities in Oregon, it appears that 10,515,849 individuals were impacted, with the largest number in Texas (4 million).
Conduent serves over 600 government and transportation organizations, and roughly half of Fortune 100 companies, across financial, pharmaceutical, and automobile sectors. The company supports roughly 100 million US residents across 46 states.
While the company has not shared details on the threat actor behind the attack, the Safepay ransomware group claimed the incident in February.
SecurityWeek has emailed Conduent for additional information and will update this article if the company responds.
*Updated with the number of impacted individuals from the Oregon Department of Justice.
Related: Toys ‘R’ Us Canada Customer Information Leaked Online
Related: Prosper Data Breach Impacts 17.6 Million Accounts
Related: Hackers Steal Sensitive Data From Auction House Sotheby’s
Related: On Demand: Threat Detection & Incident Response (TDIR) Summit
