Third-party breach exposes healthcare data of at least 25 million people
Conduent is a global provider of backend data processing, including customer experience management, HR services, and AI automation, in addition to Medicaid and SNAP solutions for government organizations.
Between October 2024 and January 2025, attackers infiltrated Conduent and stole the personal data of at least 25 million individuals, exposing highly sensitive personal and healthcare-related information, including Social Security numbers. As a major services provider for the government, healthcare, and insurance organizations, Conduent was entrusted with vast volumes of regulated health data.
Conduent began disclosures to state regulators in January 2025 but did not begin directly notifying affected individuals until October of last year.
The breach highlights the substantial impact on individual victims, who otherwise have no say in who handles their sensitive data. Millions of individuals are now at risk of identity theft and other serious crimes as a result of this breach. The costs and consequences levied against the data host that suffered the breach, and thereby put these victims at risk, are proportionately steep.
Although Conduent has not revealed exactly how the SafePay cybercrime group breached its network, those details would offer little comfort to the millions of people affected. Once sensitive data is handed to a third party, individuals have little ability to dictate how it should be protected. And once it is stolen, they have even less control over what happens next.
Compared to the individual victims, Conduent’s business partners with integrations and network connections into Conduent’s network may have fared better, assuming those connections were established with a Zero Trust mindset.
The far-reaching costs of a large-scale data breach
The cost of a breach grows with both the amount of data exposed and its relative sensitivity. When highly sensitive information is compromised, victims face life-altering consequences despite having little say in where their data is stored in the first place.
In sectors like healthcare and government services, individuals are often required to surrender this information to receive essential treatment or services, making the consequences of a breach particularly unfair and severe.
Costs to the individual victims
Identity theft and fraud risk
When personally identifiable information (PII) such as Social Security numbers, dates of birth, and addresses is exposed in a breach, affected individuals face a significant risk of identity theft and financial fraud.
Unlike passwords or credit card numbers, many of these identifiers cannot be easily changed. Attackers can use this information to open new lines of credit, file fraudulent tax returns, and obtain loans, among other serious crimes.
Medical identity theft
Healthcare data exposure also enables medical identity theft, which can be particularly damaging. Criminals may use stolen insurance details to receive medical treatment, obtain prescription medications, or submit fraudulent insurance claims under someone else’s identity. Victims may not discover this activity until they receive unexpected bills, insurance denials, or discover inaccurate medical records.
Long-term personal harm
Even if stolen data is not immediately misused, it may circulate on underground marketplaces for years, where criminals purchase and resell data bundles for future exploitation. As a result, victims must remain vigilant long after the breach occurs, regularly monitoring credit reports, financial statements, and insurance records to detect suspicious activity.
Beyond financial risks, victims may face ongoing administrative and emotional burdens in protecting their identities. This can include:
- Placing credit freezes
- Disputing fraudulent accounts and charges
- Correcting inaccurate medical records
The time spent communicating with multiple organizations to resolve issues caused by the breach can stretch over several years, forcing victims to carry the associated stress the whole way.
Costs to the data host (Conduent)
Financial impact
Large breaches incur significant direct financial costs. Immediate containment and remediation become expensive, especially without a prepared incident response team on duty.
Legal costs immediately after remediation quickly stack up as the fallout settles and affected individuals and impacted business partners or other third parties seek damages from the breached data host.
Many jurisdictions require breach notification campaigns to inform affected individuals, as well as credit monitoring and identity protection services for one or more years, which can become extremely expensive when millions of individuals are affected.
Operational disruption
Breaches can significantly disrupt an organization’s normal operations as IT and security teams shift their focus to incident response. Systems may need to be isolated, investigated, and rebuilt while forensic experts determine how the attackers gained access and what data was affected, even well after the breach has been contained.
For service providers like Conduent, these disruptions can also impact client and partner operations that rely on their infrastructure to deliver their products or services.
Regulatory exposure and legal risk
Organizations that suffer breaches involving regulated data, such as healthcare records or Social Security numbers, face intense scrutiny from state or federal regulators.
Authorities may investigate whether the organization maintained appropriate safeguards, access controls, and breach-detection procedures required by laws such as HIPAA and state data protection regulations. In addition to regulatory enforcement actions, companies frequently face expensive class-action lawsuits alleging negligence in protecting sensitive information.
Reputational damage
Perhaps the most difficult cost to quantify is the loss of trust that follows a high-profile breach.
Clients, partners, and the public may question whether the organization can adequately safeguard sensitive information. For companies like Conduent that process large volumes of regulated data on behalf of other organizations, trust is a critical part of the business model.
What to do if a business partner is breached
Even with strong internal security practices, if a third-party vendor, service provider, or business partner connected to your network suffers a breach, an organization may find itself in the same position as Conduent's partners.
To help prevent a breach like Conduent’s from damaging your own organization, verify that each team or staff member listed below has implemented each corresponding security control, or is ready to practice it during a third-party security breach.
IT operations, infrastructure, and security engineering staff
- Restrict third-party system access to only the specific systems and data required for their services and enforce Just-in-Time access on their authentication credentials.
- Implement a DMZ or another network isolation technique to keep connected third parties on a separate network segment from the internal network.
- Ensure only approved executables and scripts can run with application allowlisting. Block unauthorized tools used for lateral movement or privilege escalation.
Governance, risk, and compliance (GRC) staff
- Use continuous monitoring techniques to regularly validate that only authorized users or service roles can access regulated datasets.
- Conduct both internal and third-party assessments of cybersecurity practices and require vendors to maintain specific security controls, breach reporting timelines, and audit rights.
- Limit the amount and sensitivity of data shared with partners to reduce exposure if they are compromised.
- Ensure logging and system telemetry meet audit and forensic requirements before an incident occurs.
Security operations center (SOC) and incident response teams
- Track authentication events and data access originating from vendor accounts or integrations.
- Rapidly isolate endpoints or disable compromised credentials upon learning that a connected third party suspects they have been compromised.
- Maintain centralized, immutable logs to support forensic investigations and regulatory reporting.
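The controls above for IT operations (scope third-party access to specific systems and enforce Just-in-Time credentials) and for the SOC (track authentication and data access from vendor accounts) can be checked with a small detection routine. The following is an added example written for this article, not ThreatLocker code or Conduent’s own tooling; the pipe-delimited log format, the `svc-vendorA`/`svc-vendorB` account names, the per-vendor host allowlist, the JIT grant window, and the 1,000-record bulk-read threshold are all constructed assumptions.

```python
"""Detection check for vendor-account activity (added example, not the
page's or ThreatLocker's code). Flags three conditions a SOC would want
to see from vendor integrations:
  1. access to a host outside the vendor's approved scope
  2. access outside the Just-in-Time window granted by the security team
  3. bulk record reads that may indicate data exfiltration
Log format, account names and thresholds are assumptions."""
from dataclasses import dataclass
from datetime import datetime, timedelta

# Assumed per-vendor policy: permitted hosts and the JIT window
# (start time, duration) granted for this maintenance session.
VENDOR_SCOPE = {
    "svc-vendorA": {
        "hosts": {"claims-api-01", "claims-db-01"},
        "jit_window": (datetime(2025, 1, 14, 9, 0), timedelta(hours=2)),
    },
    "svc-vendorB": {
        "hosts": {"hr-portal-01"},
        "jit_window": None,  # no active grant: any access is out of window
    },
}
BULK_RECORD_THRESHOLD = 1000  # records in a single read event; assumption

# Constructed sample log: timestamp|user|host|action|records
SAMPLE_LOG = """\
2025-01-14T09:15:00|svc-vendorA|claims-api-01|auth_ok|0
2025-01-14T09:20:00|svc-vendorA|claims-db-01|read|250
2025-01-14T23:40:00|svc-vendorA|claims-db-01|read|50000
2025-01-14T10:05:00|svc-vendorA|hr-portal-01|auth_ok|0
2025-01-14T10:10:00|svc-vendorB|hr-portal-01|auth_ok|0
2025-01-14T10:30:00|jsmith|claims-db-01|read|3000
"""


@dataclass
class Alert:
    reason: str
    user: str
    host: str
    timestamp: datetime


def parse_line(line):
    """Split one pipe-delimited log line into typed fields."""
    ts, user, host, action, records = line.split("|")
    return datetime.fromisoformat(ts), user, host, action, int(records)


def in_jit_window(ts, window):
    """True only if a grant exists and ts falls inside it."""
    if window is None:
        return False
    start, duration = window
    return start <= ts <= start + duration


def check_vendor_activity(log_text, scope=VENDOR_SCOPE,
                          bulk_threshold=BULK_RECORD_THRESHOLD):
    """Return alerts for vendor accounts; non-vendor users are ignored here
    because they are covered by the organization's ordinary user monitoring."""
    alerts = []
    for line in log_text.strip().splitlines():
        ts, user, host, action, records = parse_line(line)
        if user not in scope:
            continue
        policy = scope[user]
        if host not in policy["hosts"]:
            alerts.append(Alert("host outside vendor scope", user, host, ts))
        if not in_jit_window(ts, policy["jit_window"]):
            alerts.append(Alert("access outside JIT window", user, host, ts))
        if action == "read" and records >= bulk_threshold:
            alerts.append(Alert("bulk record read", user, host, ts))
    return alerts


if __name__ == "__main__":
    for a in check_vendor_activity(SAMPLE_LOG):
        print(f"{a.timestamp:%Y-%m-%d %H:%M} {a.user}@{a.host}: {a.reason}")
```

Run stand-alone, the script reports four alerts from the sample log: the late-night 50,000-record read by `svc-vendorA` (outside its JIT window and over the bulk threshold), its login to `hr-portal-01` (outside its host scope), and any activity by `svc-vendorB`, which has no active grant. Each alert is the trigger for the response step in the SOC list above: disable the credential or isolate the endpoint, then preserve the centralized log for the investigation.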
CISO and executive leadership
- Mandate enterprise-wide policy requiring application allowlisting on all servers and endpoints handling sensitive data.
- Implement a third-party risk management strategy that enforces evaluation and monitoring of the security posture of all connected business partners.
- Conduct realistic security incident tabletop exercises and live simulations to validate response coordination efficacy across IT, legal, and communications.
How ThreatLocker features help prevent the impacts of a third-party breach
Application Allowlisting
- Only pre-approved applications are permitted to run on endpoints interacting with vendor services, blocking unauthorized tools introduced through compromised integrations.
- Prevents attackers from executing malicious scripts, living-off-the-land tools, or reconnaissance software on endpoints accessible by third parties.
Ringfencing™
- Restricts how applications on endpoints accessed by third parties can interact with other processes, systems, or sensitive data repositories.
- Even if a legitimate vendor-facing application becomes compromised, Ringfencing prevents it from accessing unauthorized resources or initiating data exfiltration.
Zero Trust Cloud Access
- Block unmanaged devices and attacker infrastructure from silently inheriting access to critical SaaS applications.
- Enforce device-validated access to cloud and SaaS platforms, strengthening your security in the event a third-party vendor is breached.
Zero Trust Network Access
- Apply consistent segmentation policies across network-connected devices without relying on the perimeter.
- Prevent unauthorized internal scanning, lateral movement, or command-and-control communication originating from compromised machines.
Real-time threat detection (EDR) and MDR
- Detect abnormal activity and automatically block excessive writes, isolate affected machines, and shut down risky tools like PowerShell in seconds.
- Enforce predefined deny policies the moment suspicious privilege escalation or unusual IP connections are detected to reduce data theft and dwell time.
- 24/7/365 Managed detection and response powered by real-time threat detection.
- Dedicated Cyber Hero Team that verifies alerts, isolates devices, filters through false positives, and escalates only real threats.
Privileged access management
- Automatically removes old, unused administrative vendor accounts.
- Allows Just-in-Time, auditable privilege management only when explicitly authorized by your security team, preventing compromised vendor accounts from abusing administrative tools.
Data storage access control
- Restricts how sensitive data can be accessed, copied, or transferred by systems interacting with third-party services.
- Blocks unauthorized bulk data transfers or storage access attempts that could occur if a partner integration is compromised.
Conclusion
Large-scale data breaches don’t happen because security teams lack the necessary tools and resources. They happen because organizations don’t deny applications or access by default. Without a Zero Trust approach to third-party connections, organizations remain at risk for compromise when those third parties are breached.
ThreatLocker Application Allowlisting and Ringfencing stop unauthorized processes before they can move laterally or access regulated, sensitive data, preventing breaches like Conduent’s at their earliest stages.
Schedule a demo today to see how ThreatLocker can prevent unauthorized execution, contain threats instantly, and protect your organization’s most sensitiv



