The spillover from a ransomware attack on one of the largest government contractors in the United States keeps getting bigger: more than 25 million people have now had personal data stolen in the hack.
Conduent provides printing, mailroom services, and document and payment processing services for state government benefit operations, such as food assistance, as well as workplace and unemployment benefits for large corporations. As such, the company handles a large amount of personal information belonging to a large swath of the United States. Conduent says its technology and operational support services reach more than 100 million people.
But since the January 2025 cyberattack attack, which a ransomware group claimed credit for, the corporate giant has said little about the data breach, such as how it was caused and how many people are affected.
An update to the state of Wisconsin’s data breach notification page now shows the Conduent breach affects at least 25 million people across the United States.
TechCrunch’s ongoing tally from various data breach notification letters that we have seen also amounts to about 25 million people, with Oregon (10.5 million) and Texas (15.4 million) accounting for the majority of those affected. Other data breach notices seen by TechCrunch include another few hundred thousand individuals across Massachusetts, New Hampshire and Washington.
The breach is known to have compromised individuals’ names, dates of birth, addresses, Social Security numbers, health insurance information, and medical data.
Conduent has said little outside of its data breach notifications, and in some cases has made it more difficult for affected individuals to learn about the breach.
Techcrunch event
Boston, MA
|
June 9, 2026
A page on Conduent’s website, titled “Incident Notice” that was published in October 2025 at the same time as its first data breach notification, does not explicitly mention a cybersecurity incident. The page contains a hidden “noindex” tag in its source code, which tells search engines to not list the page in search results, making it difficult for anyone searching the web to find it.
When reached by TechCrunch, Conduent spokesperson Sean Collins would not say how many notifications the company has sent to date, or why the company is hiding its incident notice from search engines.
Conduent’s breach has been billed as one of the “largest ever,” but likely trails behind the Change Healthcare hack, which affected more than 190 million people following a ransomware attack in February 2024. A Russian-speaking ransomware gang stole reams of health and medical data from Change Healthcare using a stolen credential that wasn’t protected with multi-factor authentication, prompting the healthcare tech giant to pay at least two ransoms to keep most of the stolen data off the internet.
