Conduent Business Solutions Data Breach (2024-2025): Over 10.5 Million Affected Across Healthcare, Government, and Insurance Systems
- Rescana
- 5 days ago

Executive Summary
Between October 21, 2024, and January 13, 2025, Conduent Business Solutions LLC experienced a significant data breach that resulted in unauthorized access to sensitive information belonging to over 10.5 million individuals. The breach was first discovered in January 2025 following service disruptions reported by state agencies, including the Wisconsin Child Support Trust Fund. Subsequent forensic investigations traced the initial intrusion to October 2024. The compromised data included names, Social Security numbers, dates of birth, addresses, health insurance information, and, in some cases, medical treatment and claims data. The incident affected a broad range of sectors, notably healthcare (including Medicaid and CHIP recipients), government agencies, and insurance providers such as Premera Blue Cross. Conduent notified law enforcement, engaged third-party forensic experts including Palo Alto Networks, and filed regulatory disclosures with state and federal authorities. The company reported $25 million in direct response costs as of May 2025. No specific threat actor, malware, or attack vector has been publicly identified. The breach remains under investigation, with ongoing notifications to affected individuals and regulatory bodies. All information in this summary is based on confirmed facts from primary sources as of October 2025 (Cybersecurity Dive, BankInfoSecurity, HIPAA Journal, SEC Filing).
Technical Information
The Conduent data breach is characterized by a prolonged period of unauthorized access, with the attacker maintaining a presence in the environment for nearly three months. The initial intrusion occurred on October 21, 2024, and was not detected until January 13, 2025. The breach was first identified after state agencies reported service disruptions, prompting a forensic investigation that revealed the scope and duration of the compromise (Cybersecurity Dive, BankInfoSecurity).
The specific method of initial access has not been disclosed in any public filings or statements. There is no evidence in the public domain of ransomware deployment, specific malware, or a confirmed phishing campaign related to this incident. The only technical evidence available is the timeline of unauthorized access and the persistence of the attacker within Conduent’s systems. No technical indicators of compromise (IOCs), malware hashes, or exploit details have been released by Conduent or their forensic partners, including Palo Alto Networks (Cybersecurity Dive, SEC Filing).
The compromised data sets varied by individual and client but included names, Social Security numbers, dates of birth, addresses, health insurance information, and, in some cases, medical treatment and claims data. Not all affected individuals had the same types of data exposed (BankInfoSecurity, HIPAA Journal). The breach impacted a wide range of Conduent’s clients, including state Medicaid agencies, health plans, government agencies, and insurance providers such as Premera Blue Cross.
The attack’s dwell time and the targeting of sensitive personal and health information are consistent with both financially motivated and state-sponsored threat actors, but there is no direct evidence or attribution to any specific group. The lack of technical artifacts or public attribution limits the ability to map the attack to a known threat actor or campaign.
Mapping the observed behaviors to the MITRE ATT&CK framework, the following techniques are possible but remain unconfirmed due to the absence of technical detail:
- Initial Access may have involved T1078 (Valid Accounts) or T1190 (Exploit Public-Facing Application), based on the fact that unauthorized access was achieved and maintained.
- Persistence could have been achieved through T1078 (Valid Accounts), T1136 (Create Account), or T1505 (Server Software Component), inferred from the attacker’s ability to remain undetected for nearly three months.
- Data Collection and Exfiltration likely involved T1005 (Data from Local System), T1020 (Automated Exfiltration), or T1041 (Exfiltration Over C2 Channel), as large volumes of sensitive data were exfiltrated (Cybersecurity Dive, HIPAA Journal).

However, these mappings are based on general patterns and not on direct evidence.
The breach’s impact was sector-wide, affecting healthcare (Medicaid, CHIP, health plans), government (state agencies, child support), and insurance. Over 10.5 million individuals were affected, including more than 4 million in Texas alone (HIPAA Journal). The incident led to service outages, delays in child support payments, and regulatory notifications across multiple states.
Conduent’s response included notifying law enforcement, engaging third-party forensic experts, and filing regulatory disclosures with state attorneys general and the U.S. Securities and Exchange Commission. The company reported $25 million in direct costs related to breach response as of May 2025 (SEC Filing). The full extent of the breach and its long-term impact remain under investigation.
In summary, the Conduent breach demonstrates the risks associated with third-party service providers handling sensitive data across multiple sectors. The lack of technical detail in public disclosures limits the ability to provide a comprehensive attack narrative or attribution. All technical claims in this section are based on primary source evidence, with confidence levels explicitly stated for each aspect.
Affected Versions & Timeline
The breach affected Conduent Business Solutions LLC’s systems that provide back-office processing and data management services to state agencies, health plans, and insurance providers. There is no evidence that a specific software version or product was targeted; rather, the compromise involved unauthorized access to Conduent’s enterprise environment.
The confirmed timeline is as follows: The initial intrusion occurred on October 21, 2024. The attacker maintained access until January 13, 2025, when the breach was discovered following reports of service disruptions by state agencies (Cybersecurity Dive, BankInfoSecurity). Regulatory filings and notifications began in April 2025, with ongoing notifications to affected individuals and state attorneys general through October 2025 (SEC Filing, HIPAA Journal).
The breach affected over 10.5 million individuals, including more than 4 million in Texas. Impacted sectors included healthcare (Medicaid, CHIP, health plans), government (state agencies, child support), and insurance providers such as Premera Blue Cross. The types of data compromised varied by individual and client, but included names, Social Security numbers, dates of birth, addresses, health insurance information, and, in some cases, medical treatment and claims data (BankInfoSecurity, HIPAA Journal).
Threat Activity
The threat activity associated with the Conduent breach is characterized by a long dwell time, with the attacker maintaining undetected access for nearly three months. The method of initial access remains unknown, as no technical details have been disclosed by Conduent or their forensic partners. There is no evidence of ransomware deployment, specific malware, or a confirmed phishing campaign in this incident (Cybersecurity Dive, BankInfoSecurity, SEC Filing).
No threat actor group has been publicly attributed to the breach as of October 2025. The attack’s characteristics—prolonged access, targeting of sensitive personal and health data, and impact across multiple sectors—are consistent with both financially motivated and state-sponsored actors, but there is no direct evidence to support attribution. The lack of technical artifacts, such as malware samples or command-and-control infrastructure, further limits attribution efforts.
The breach resulted in the exfiltration of sensitive data, including names, Social Security numbers, dates of birth, addresses, health insurance information, and, in some cases, medical treatment and claims data. The impact was widespread, affecting state agencies, health plans, and insurance providers. Service outages and delays were reported, particularly in child support payment processing and Medicaid services (Cybersecurity Dive, HIPAA Journal).
Conduent responded by notifying law enforcement, engaging third-party forensic experts, and filing regulatory disclosures. The company continues to investigate the full extent of the breach and its long-term impact.
Mitigation & Workarounds
Given the lack of specific technical details regarding the attack vector, mitigation recommendations are based on best practices for responding to large-scale data breaches involving third-party service providers. Recommendations are prioritized by severity.
Critical: Organizations that rely on third-party service providers such as Conduent should immediately review and update their third-party risk management (TPRM) programs. This includes conducting comprehensive risk assessments, verifying the implementation of robust access controls, and ensuring that service providers adhere to industry-standard security frameworks. Organizations should also require timely breach notification clauses in all contracts with third-party vendors.
High: All organizations should implement continuous monitoring of third-party access to sensitive data and systems. This includes deploying security information and event management (SIEM) solutions, enabling anomaly detection, and conducting regular audits of privileged accounts. Multi-factor authentication (MFA) should be enforced for all remote and administrative access.
Medium: Organizations should review and update their incident response plans to ensure they include procedures for responding to third-party breaches. This includes establishing clear lines of communication with vendors, regulatory authorities, and affected individuals. Regular tabletop exercises should be conducted to test these plans.
Low: Employees should receive ongoing security awareness training, with a focus on recognizing and reporting suspicious activity. Organizations should also ensure that all software and systems are kept up to date with the latest security patches.
Given the absence of technical indicators or confirmed attack vectors, organizations should remain vigilant for any signs of compromise in their own environments, particularly if they are clients of Conduent or similar service providers. Affected individuals should monitor their accounts for signs of identity theft or fraud and consider placing fraud alerts or credit freezes as appropriate.
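As an added illustration (not code from Conduent, its forensic partners, or the sources cited in this report), a client organization could review its own authentication logs for vendor-account activity during the reported October 21, 2024 to January 13, 2025 window, flagging logins without MFA, sources not seen before the window, and account creation. The JSON log schema, the `svc-vendor-` account prefix, and every sample event below are constructed assumptions.

```python
import json
from datetime import datetime, timezone

# Exposure window reported on this page (initial intrusion to discovery).
WINDOW_START = datetime(2024, 10, 21, tzinfo=timezone.utc)
WINDOW_END = datetime(2025, 1, 13, 23, 59, 59, tzinfo=timezone.utc)
# Constructed sample events; field names and the "svc-vendor-" prefix are assumptions.
SAMPLE_LOG = """\
{"ts":"2024-09-30T14:02:11Z","user":"svc-vendor-claims","action":"login","src":"198.51.100.10","mfa":true}
{"ts":"2024-11-02T03:17:45Z","user":"svc-vendor-claims","action":"login","src":"203.0.113.77","mfa":false}
{"ts":"2024-11-02T03:21:09Z","user":"svc-vendor-claims","action":"create_account","src":"203.0.113.77","mfa":false,"target":"backup-admin2"}
{"ts":"2024-12-15T09:00:00Z","user":"svc-vendor-claims","action":"login","src":"198.51.100.10","mfa":true}
{"ts":"2024-11-20T10:00:00Z","user":"alice","action":"login","src":"192.0.2.5","mfa":true}
{"ts":"2025-02-01T08:00:00Z","user":"svc-vendor-claims","action":"login","src":"203.0.113.99","mfa":false}
"""

def parse(log_text):
    events = []
    for line in log_text.splitlines():
        if line.strip():
            e = json.loads(line)
            e["ts"] = datetime.fromisoformat(e["ts"].replace("Z", "+00:00"))
            events.append(e)
    return sorted(events, key=lambda e: e["ts"])

def review_vendor_activity(events, vendor_prefix="svc-vendor-"):
    """Return (timestamp, user, reason) findings for vendor accounts inside the window."""
    baseline = {}   # user -> source addresses seen before the window opened
    findings = []
    for e in events:
        if not e["user"].startswith(vendor_prefix):
            continue
        if e["ts"] < WINDOW_START:
            baseline.setdefault(e["user"], set()).add(e["src"])
            continue
        if e["ts"] > WINDOW_END:
            continue
        reasons = []
        if e["action"] == "login" and not e.get("mfa", False):
            reasons.append("login without MFA")
        if e["src"] not in baseline.get(e["user"], set()):
            reasons.append("source not seen before window")
        if e["action"] == "create_account":
            reasons.append("account created: " + e.get("target", "?"))
        findings.extend((e["ts"].isoformat(), e["user"], r) for r in reasons)
    return findings

if __name__ == "__main__":
    for f in review_vendor_activity(parse(SAMPLE_LOG)): print(*f)
```

Findings from a review like this are leads for investigation rather than confirmation of compromise, since no indicators specific to this incident have been published.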
References
https://www.cybersecuritydive.com/news/conduent-data-breach-began-2024-intrusion/803930/
https://www.hipaajournal.com/conduent-business-solutions-data-breach/
https://www.bankinfosecurity.com/back-office-servicer-reports-data-theft-affects-105m-a-29845
https://investor.conduent.com/static-files/a989f788-c11c-485f-8630-010d15fbf06e
About Rescana
Rescana provides a third-party risk management (TPRM) platform designed to help organizations identify, assess, and monitor risks associated with their external vendors and service providers. Our platform enables continuous risk assessment, automated evidence collection, and streamlined communication with vendors to support compliance and incident response efforts. For questions about this report or to discuss your organization’s third-party risk management needs, contact us at ops@rescana.com.