Full Report
American business services giant Conduent has confirmed that a 2024 data breach has impacted over 10.5 million people, according to notifications filed with the US Attorney General's offices. [...]
Analysis Summary
# Incident Report: Conduent 2024 Data Breach
## Executive Summary
Business process outsourcing (BPO) giant Conduent confirmed a significant data breach originating in 2024 that impacted over 10.5 million individuals across various U.S. government clients. The intrusion, which came to light through a service outage in early 2025 and has been linked to ransomware activity, resulted in the exfiltration of sensitive Personally Identifiable Information (PII) and health data. While no evidence of misuse of the stolen data had been found at the time of notification, affected individuals were advised to take precautionary steps such as credit monitoring.
## Incident Details
- **Discovery Date:** January 2025 (Service outage in early 2025 led to admission of cybersecurity incident)
- **Incident Date:** Compromise began as early as October 21, 2024.
- **Affected Organization:** Conduent (American business services giant, BPO)
- **Sector:** Business Process Outsourcing (BPO), Government Services
- **Geography:** United States (Notifications filed with various State Attorneys General, including Oregon, Texas, and Washington)
## Timeline of Events
### Initial Access
- **Date/Time:** On or before October 21, 2024.
- **Vector:** External intrusion; the source does not confirm attribution, though the Safepay ransomware group is the likely actor.
- **Details:** Threat actors gained access to Conduent’s environment and remained there for roughly three months before the compromise was detected.
### Lateral Movement
- **Date/Time:** After October 21, 2024, and prior to January 2025.
- **Vector:** Not explicitly detailed, but threat actor activity culminated in a service outage in early 2025.
- **Details:** Threat actors had sufficient time and access to steal data belonging to Conduent’s clients and to those clients’ own customers.
### Data Exfiltration/Impact
- **Date/Time:** Prior to January/February 2025 disclosure.
- **Vector:** Data Theft.
- **Details:** Files containing customer information and data from Conduent’s clients were successfully exfiltrated. Notifications confirming impact were sent out to affected individuals in October 2025.
### Detection & Response
- **Date/Time:** Early 2025 (Service outage). The formal scope determination occurred later, leading to SEC filings in April 2025 and customer notifications in October 2025.
- **Response Actions:** Conduent acknowledged the incident, disclosed the theft of files via an SEC Form 8-K filing in April 2025, and began issuing state-mandated data breach notifications in October 2025.
## Attack Methodology
- **Initial Access:** Not specified, but occurred prior to October 21, 2024.
- **Persistence:** Implied; the attacker retained access sufficient to carry out data exfiltration over several months.
- **Privilege Escalation:** Not detailed.
- **Defense Evasion:** Not detailed, but the ability to operate undetected from October 2024 until early 2025 indicates successful evasion.
- **Credential Access:** Not detailed.
- **Discovery:** Not detailed, but necessary to locate client data.
- **Lateral Movement:** Not detailed.
- **Collection:** Gathering client information and customer client data.
- **Exfiltration:** Stolen files containing sensitive data were exfiltrated from the systems.
- **Impact:** Exposure of PII and health information of millions of individuals.
## Impact Assessment
- **Financial:** Not explicitly disclosed; the company suffered an operational outage early in 2025 and faces potential regulatory fines and remediation costs.
- **Data Breach:** Over 10.5 million individuals affected, per the figure reported to the Oregon Attorney General. Data exposed included **Name, Social Security Numbers (SSN), full date of birth, health insurance policy or ID number, and medical information.**
- **Operational:** Experienced a service outage in early 2025 attributed to the cybersecurity incident.
- **Reputational:** Significant public disclosure regarding a major breach affecting millions of government/enterprise clients.
## Indicators of Compromise
*(Note: The article does not provide specific IoCs. The following are generic indicators for ransomware/data-theft intrusions of this kind, not observed artifacts from this incident.)*
- **Network Indicators:** Outbound connections to command-and-control (C2) infrastructure attributed to the Safepay ransomware group, should that attribution be confirmed.
- **File Indicators:** Access patterns indicative of large-volume data staging and transfer outside normal operational hours.
- **Behavioral Indicators:** Unusual access patterns to databases containing high-value PII and Protected Health Information (PHI) during the October 2024 - January 2025 window.
## Response Actions
- **Containment:** Implied by the service outage in early 2025, likely involving isolating affected segments or services.
- **Eradication:** Not detailed, but would have required removing the unauthorized access established in October 2024 and any persistence mechanisms left behind.
- **Recovery Actions:** Restoring services following the outage and formal investigation closure, culminating in required public notification by October 2025.
## Lessons Learned
- Extended dwell time (roughly three months) points to monitoring gaps: data exfiltration was complete long before the impact was recognized or announced.
- Detection came via service disruption rather than proactive threat detection. An intrusion that is only noticed once it causes an outage has, in a data-theft scenario, already achieved its objective.
## Recommendations
- Implement enhanced Endpoint Detection and Response (EDR) and 24/7 Security Operations Center (SOC) monitoring capable of detecting data staging and low-and-slow exfiltration activities.
- Conduct rigorous, frequent access reviews, especially for systems holding SSNs and health data.
- Segment high-value customer data environments rigorously to limit potential lateral movement following initial access.
- Provide credit monitoring and identity theft protection to victims whenever SSNs or health data are compromised; the absence of such an offering in this incident drew negative comment.
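The behavioural indicators listed earlier (bulk transfers outside working hours, sustained small transfers to one destination) and the detection capability recommended above are easy to state and easy to get wrong in practice. The following Python sketch is an added illustration, not code from the source or from Conduent, of how those two checks can be expressed over flow records. The record format (`timestamp,host,dst_ip,bytes_out`), host names, IP addresses, thresholds, business-hours window and internal address ranges are all assumptions constructed for the example.

```python
"""Two exfiltration detections over constructed outbound flow records.

Added example; not from the source article or from Conduent. Record
format, hosts, addresses and thresholds are assumptions for illustration.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import ipaddress

MB = 1024 * 1024

# Assumed internal ranges. Checked explicitly rather than via ipaddress.is_private,
# because Python also marks documentation ranges such as 203.0.113.0/24 as private.
INTERNAL_NETS = [ipaddress.ip_network(n) for n in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class Flow:
    ts: datetime
    host: str
    dst: str
    bytes_out: int


def parse_flows(lines):
    """Parse 'timestamp,host,dst_ip,bytes_out' lines (assumed format) into Flow records."""
    flows = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, dst, nbytes = line.split(",")
        flows.append(Flow(datetime.fromisoformat(ts), host, dst, int(nbytes)))
    return flows


def is_external(ip):
    """Only traffic leaving the organisation matters for exfiltration."""
    addr = ipaddress.ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def detect_off_hours_bulk(flows, start_hour=7, end_hour=19, threshold=500 * MB):
    """Flag (host, day) pairs whose external outbound volume outside business hours exceeds threshold."""
    totals = defaultdict(int)
    for f in flows:
        if not is_external(f.dst) or start_hour <= f.ts.hour < end_hour:
            continue
        totals[(f.host, f.ts.date())] += f.bytes_out
    return sorted((host, str(day), total)
                  for (host, day), total in totals.items() if total > threshold)


def detect_low_and_slow(flows, min_days=7, max_per_flow=100 * MB, min_total=250 * MB):
    """Flag (host, dst) pairs whose individually small transfers recur on many days and add up."""
    days = defaultdict(set)
    totals = defaultdict(int)
    for f in flows:
        if not is_external(f.dst) or f.bytes_out > max_per_flow:
            continue
        days[(f.host, f.dst)].add(f.ts.date())
        totals[(f.host, f.dst)] += f.bytes_out
    return sorted((host, dst, len(days[(host, dst)]), total)
                  for (host, dst), total in totals.items()
                  if len(days[(host, dst)]) >= min_days and total >= min_total)


def constructed_sample_log():
    """Constructed sample records; none of this is real telemetry."""
    lines = ["# timestamp,host,dst_ip,bytes_out"]
    # One 2 GiB push at 02:15 to an external address: off-hours bulk staging.
    lines.append(f"2024-11-03T02:15:00,db-export-01,203.0.113.50,{2048 * MB}")
    # 3 GiB at 01:00 to an internal backup target: large, but internal, so no alert.
    lines.append(f"2024-11-03T01:00:00,db-export-01,10.20.0.5,{3072 * MB}")
    # 30 MiB at 12:30 every day for 14 days to one external address: low-and-slow.
    start = datetime(2024, 11, 1, 12, 30)
    for i in range(14):
        lines.append(f"{(start + timedelta(days=i)).isoformat()},ws-finance-07,198.51.100.20,{30 * MB}")
    # Ordinary sporadic daytime traffic: no alert.
    for i in range(3):
        lines.append(f"{(datetime(2024, 11, 4, 10, 0) + timedelta(days=i)).isoformat()},ws-hr-03,203.0.113.9,{2 * MB}")
    return lines


def run_detections(lines):
    flows = parse_flows(lines)
    return {"off_hours_bulk": detect_off_hours_bulk(flows),
            "low_and_slow": detect_low_and_slow(flows)}


if __name__ == "__main__":
    for name, hits in run_detections(constructed_sample_log()).items():
        print(name, hits)
```

Two design points matter here. First, the internal-range check is explicit because a naive `is_private` test would misclassify some public space and, more importantly, real estates have their own allocations that a library cannot know. Second, the low-and-slow rule deliberately ignores any flow above the per-transfer cap, so a single large job does not masquerade as a sustained pattern, while the bulk rule ignores business hours entirely; the two rules are complementary and a real SOC would baseline both thresholds per host rather than use the fixed values assumed here.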