The Conduent Breach That Keeps Growing Exposes America’s Dangerous Experiment with Privatized Government

Guest Editorial by Aras Nazarovas, Senior Information Security Researcher, Cybernews

When 15.4 million Texans discovered their Social Security numbers and health records were compromised in the Conduent data breach, most might have asked the same question: “Who is Conduent?”

That’s exactly the problem.

Conduent is a New Jersey tech contractor most Americans have never heard of, yet it holds the most sensitive details of roughly half of Texas’ population. 

If someone has applied for Medicaid, received food assistance, filed for unemployment, or collected child support in Texas, their data flows through Conduent’s systems. No signup required. No consent given. Most never knew the company existed.

This is an invisible government. And it just failed at least 25 million Americans, a number that continues to climb as states uncover the full scope.

Breach Mechanics

The breach itself is mind-blowing. Hackers from the SafePay ransomware group infiltrated Conduent’s networks in October 2024 and remained undetected for nearly three months – a dwell time that points to serious gaps in monitoring, logging, and anomaly detection for a system holding Social Security numbers and health data – siphoning 8.5 terabytes of data.

In most mature environments, exfiltration on that scale would trip multiple alarms on data loss prevention tools or network segmentation controls. The fact it didn’t should terrify every state CIO.

The attack wasn’t discovered until January 2025, and states are still uncovering the damage. Texas alone revised its victim count from 4 million to 15.4 million – a 285% increase that suggests officials had no idea how much data was actually stolen.

Systemic Risk

Here’s what should worry anyone watching American governance: Conduent operates in 46 states, processes over 500 million Medicaid claims annually, and handles benefits for approximately 120 million people. It’s the backend of America’s social safety net, and most citizens don’t know it exists until it breaks.

This is a textbook vendor failure for states: they trusted Conduent's audits, but those missed basic gaps like weak computer monitoring, no real data leak alarms, and sloppy network walls.

When the IRS or Social Security Administration mishandles data, voters can demand answers. Elections have consequences. But Conduent is a publicly traded company whose stock has collapsed 90% since 2018, now worth less than $1.50 per share. It answers to shareholders, not citizens.

Accountability Gap

The U.S. handed off vital government jobs to private companies without forcing them to match federal security rules, like the strict standards the IRS or hospitals must follow for spotting hackers fast, not letting them lurk undetected for three months.

There’s no transparency, no citizen-accessible oversight, and when breaches happen, companies often deploy lawyers faster than security patches.

The Conduent breach reveals an ugly truth: states handed your most private data to mystery contractors, and you had zero say in who guards it, or what happens when they blow it.

Half of Texas just learned they were dependent on a company they never chose. The other 25 states working with Conduent should be asking: are they next?

It's time to make the invisible visible, before the next breach does it for them.

Aras Nazarovas is a Senior Information Security Researcher at Cybernews, a research-driven online publication. Aras specializes in cybersecurity and threat analysis. He investigates online services, malicious campaigns, and hardware security while compiling data on the most prevalent cybersecurity threats. Aras along with the Cybernews research team have uncovered significant online privacy and security issues impacting organizations and platforms such as NASA, Google Play, App Store, and PayPal. The Cybernews research team conducts over 7,000 investigations and publishes more than 600 studies annually, helping consumers and businesses better understand and mitigate data security risks.