A ransomware attack on a major government contractor handling sensitive data for one in three Americans has exploded into one of the largest breaches in U.S. history, exposing over 25 million citizens’ Social Security numbers, medical records, and personal information to cybercriminals while the company downplayed the escalating crisis for over a year.
Story Snapshot
- Conduent data breach impacts 25.9 million Americans across multiple states, with Social Security numbers, medical records, and health insurance details compromised
- Government contractor processes sensitive data for 100 million Americans—one in three U.S. residents—through federal and state programs, including EBT, SNAP, and medical billing
- SafePay ransomware group stole 8 terabytes of data beginning in October 2024, but the full scope was hidden until February 2026, asthe victim count quadrupled from initial reports
- Texas sees 15.4 million residents affected—nearly half the state’s population—while Oregon’s reported victims exceed the state’s entire population
Government Contractor’s Massive Data Exposure
Conduent Inc., a Xerox spinoff managing critical government services since 2017, suffered a ransomware attack that compromised the personal data of at least 25.9 million Americans. The breach exposed names, Social Security numbers, medical records, and health insurance information of individuals across Texas, Oregon, Delaware, Massachusetts, New Hampshire, Indiana, Maine, and Vermont.
The company processes sensitive data for approximately 100 million Americans through federal agencies and state programs, including medical billing, EBT benefits, SNAP assistance, toll collection, and prepaid card services. This centralized data handling created a single point of failure affecting roughly one-third of all U.S. residents.
Conduent data breach exposed 25 million Americans – including half of Texas https://t.co/aW2sX6icLy pic.twitter.com/6haEhlplco
— New York Post (@nypost) February 9, 2026
Timeline of Escalating Crisis and Hidden Scope
The intrusion began in October 2024 when Conduent first discovered the breach and reported over 10 million affected individuals, including 4 million Texans. By January 2025, the SafePay ransomware group claimed responsibility and alleged theft of 8 to 8.5 terabytes of data, disrupting Conduent operations for several days. The company waited until April 2025 to publicly disclose the cyberattack.
An SEC filing on September 30, 2025 confirmed stolen datasets contained significant personal information, yet notifications continued dragging into early 2026. By February 2026, state attorney general reports revealed the true scale: Texas victims had ballooned to 15.4 million and Oregon to 10.5 million—a staggering undercount that quadrupled initial figures.
Unprecedented Scale Raises Government Oversight Questions
Texas’s 15.4 million affected residents represent nearly half the state’s population, while Oregon’s 10.5 million reported victims bizarrely exceed the state’s entire 4.9 million population—a discrepancy Conduent has not clarified. The breach occurs amid record U.S. data compromises in 2025, which saw 3,332 incidents affecting 232 million victims.
Government technology contractors present high-risk vectors due to centralized handling of sensitive data with apparently insufficient cybersecurity protections. Conduent spokesperson Sean Collins stated the company found no evidence of data misuse and offers 12 to 24 months of free credit monitoring, yet refused to confirm whether the full 100 million Americans in their systems remain at risk.
Long-Term Threats From Stolen Social Security Numbers
The theft of Social Security numbers and medical records creates sustained fraud risks extending years beyond the initial breach. Low-income Americans relying on EBT and government insurance programs face disproportionate vulnerability to identity theft and financial exploitation.
Conduent’s delayed notifications—extending past their promised April 15, 2026 deadline—leave millions uncertain about their exposure while cybercriminals potentially monetize stolen data.
The incident highlights dangerous government overreach in centralizing citizen data with private contractors lacking robust security, a practice that concentrates risk and erodes individual privacy protections. This massive failure demands accountability and raises fundamental questions about entrusting sensitive personal information to bloated government contractors with inadequate safeguards.
Data breach exposes personal data of 25M Americans
SafePay ransomware group claims to have stolen 8 terabytes of data containing personal informationhttps://t.co/wCY0tvD5oS
— The Big Bad Conservative Wolf (@RightWingNest) February 10, 2026
Conduent maintains a dedicated call center for affected individuals and continues detailed file analysis, though the company’s limited transparency throughout the 16-month ordeal undermines public trust.
With the total victim count potentially reaching 100 million and the full scope still uncertain, this breach represents an unprecedented failure in government technology security that exposes the vulnerability of Americans’ most sensitive personal data to foreign ransomware operations.
Sources:
Conduent Breach Explodes: 25M+ Americans Hit in Govtech Hack – TechBuzz
Data breach exposes personal data of 25M Americans – Fox Business
Massive government tech data breach expands to more than 25 million more Americans – Tom’s Guide
Data breach at govtech giant Conduent balloons, affecting millions more Americans – TechCrunch
Conduent data breach exposed 25M Americans – AOL
U.S. Data Breach Record 2025 – HIPAA Journal
7 Data Breaches & Exposures to Know About: January 2026 – Security Magazine
