Conduent, a U.S. business process outsourcing firm spun off from Xerox, confirmed a data breach that it says has affected more than 10.5 million people, according to notifications filed with state attorneys general. The company provides digital platforms and services to governments and enterprises, employs about 56,000 people across 22 countries and reports annual revenue of $3.4 billion.
The company began sending data breach notifications to affected individuals this month. The largest single figure reported came from the Oregon government, which said 10.5 million people were affected. State filings also reported about 4 million people in Texas, 76,000 in Washington and a couple of hundred in Maine, and Conduent provides services to several other states where specific figures have not been published.
The notifications say exposed information included names, Social Security numbers, full dates of birth, health insurance policy or ID numbers and medical information. Conduent’s notice states that, as of Oct. 24, 2025, the time of its circulation, there is no evidence the stolen data has been “misused.”
Conduent disclosed earlier cybersecurity problems this year after a service outage; the company acknowledged the outage was caused by a cybersecurity incident and the Safepay ransomware gang later claimed responsibility for that event. In April the firm said in a Form 8-K filing that threat actors had stolen files containing customer information and data belonging to clients of its customers.
Investigators determined the environment was first compromised on Oct. 21, 2024, and the breach was discovered in January 2025. Notification letters recommend affected people obtain credit reports and consider placing fraud alerts and a security freeze on their accounts; Conduent did not offer identity-theft protection or credit monitoring services with the notices.
Conduent has not provided an exact nationwide total of people affected.