title: "Intel Brief: Conduent Government Technology — Safeway Ransomware Breach"
date: 2026-04-04
slug: conduent-government-tech-millions-data-breach
Intel Brief: Conduent Government Technology — Safeway Ransomware Breach
In January 2025, the Safeway ransomware gang successfully breached Conduent, a major government technology company that processes sensitive data for state agencies and government healthcare programs across the United States. The attackers claimed to have stolen over 8 terabytes of data and demanded ransom. Conduent's initial public disclosure in April 2026 significantly downplayed the breach's scope, but subsequent state notifications revealed the attack affected tens of millions of Americans. Texas alone reported 15.4 million affected residents (revised upward from initial reports of 4 million) and Oregon reported 10.5 million affected individuals, with hundreds of thousands more notifications across additional states. The breach exposed names, Social Security numbers, medical information, and health insurance details, creating catastrophic risk for identity theft, medical fraud, and targeted scams. The incident represents one of the largest breaches of US government-related data infrastructure and demonstrates systemic vulnerabilities in how states manage sensitive citizen data through third-party technology providers.
What Happened
The Safeway ransomware group successfully compromised Conduent's systems in January 2025, encrypting critical infrastructure and exfiltrating massive volumes of sensitive government and healthcare data. Conduent operates as a critical back-office technology provider for state agencies and government programs across multiple states, so the compromise of its systems is a direct breach of state government data infrastructure. The company's initial public disclosure in April significantly underestimated the scope of the breach; subsequent state notifications to citizens revealed far greater impact than initially disclosed.
Confirmed Facts:
- Conduent is a major government technology company processing state agency and healthcare program data
- Breach occurred in January 2025
- Safeway ransomware gang claimed responsibility
- Over 8 terabytes of data claimed stolen
- Initial disclosure: April 2026 (downplayed impact)
- Texas: 15.4 million residents notified (revised upward from 4 million)
- Oregon: 10.5 million residents affected
- Hundreds of thousands more across additional states
- Total affected individuals: Tens of millions of Americans
- Data includes: names, Social Security numbers, medical information, health insurance details
- Conduent processes data for multiple state agencies and government healthcare programs
- True scope of breach potentially even larger than currently disclosed
Attack Timeline:
- Initial Compromise (January 2025): Safeway gained unauthorized access to Conduent systems.
- Network Penetration & Reconnaissance (January-March 2025): Attackers moved through systems to identify valuable data across state agencies and healthcare programs.
- Data Exfiltration (January-March 2025): Over 8 terabytes of sensitive data copied to attacker-controlled infrastructure.
- Encryption & Ransom Demand (January 2025): Ransomware deployed; ransom demand issued.
- Initial Public Disclosure (April 2026): Conduent disclosed breach with downplayed impact estimates.
- State Notifications & Scope Revelation (April 2026): States notified citizens; true scope of breach became apparent through cumulative state notifications.
What Was Taken
Confirmed Data Exposure:
- Names and personal identifiers
- Social Security numbers
- Medical information and health records
- Health insurance details and coverage information
- Government program enrollment and benefit information
- Over 8 terabytes total data volume
Geographic Scope:
- Texas: 15.4 million residents
- Oregon: 10.5 million residents
- Hundreds of thousands across additional states
- Total affected: Tens of millions of Americans
Sensitivity Assessment: Critical. Government and healthcare data includes:
- Social Security numbers enabling identity theft and fraud
- Complete medical histories and diagnoses
- Health insurance and benefit program enrollment
- Mental health and psychiatric records
- Substance abuse treatment information
- Government assistance and welfare program participation
- Personal contact information and addresses
- Employment and income records
- Dependent and family relationship information
- Information sufficient for medical fraud, identity theft, and targeted social engineering
Strategic Impact: The exposure of this data enables:
- Identity theft targeting tens of millions of citizens
- Medical fraud and fraudulent healthcare claims
- Government benefits fraud and false enrollment
- Targeted phishing and social engineering
- Sale of data on dark web marketplaces
- Compilation of complete personal profiles for criminal exploitation
Why It Matters
This breach represents a catastrophic failure of US government data security and demonstrates how critical infrastructure vulnerabilities exist in third-party government technology providers that process sensitive citizen data at massive scale.
Strategic Significance:
- Government Infrastructure Compromise: Conduent operates as critical back-office infrastructure for multiple state governments. The compromise of Conduent systems represents a direct compromise of government data systems serving tens of millions of citizens.
- Exponential Data Aggregation: Conduent aggregates data from multiple state agencies and healthcare programs in centralized systems. A single compromise exposes sensitive information across entire state ecosystems.
- Public Disclosure Failure: Conduent's downplayed initial disclosure followed by subsequent state notifications indicating far greater impact suggests inadequate communication with state partners and potentially intentional minimization of breach severity.
- Unaware Citizens: Many Americans may not even know their data is processed by Conduent, limiting their ability to respond proactively to the breach.
- Long-Term Identifiers: Unlike credit card breaches, SSNs and medical records are long-term identifiers that cannot be easily replaced, creating permanent identity theft and fraud risk.
- Systemic Vulnerability: The breach exposes systemic vulnerabilities in how states outsource critical data processing to third-party vendors without adequate security requirements or oversight.
The Attack Technique
Specific attack methodology and initial access vector are not fully disclosed in available reporting.
Confirmed Facts:
- Safeway ransomware group deployed ransomware successfully against Conduent systems
- Data was exfiltrated prior to encryption
- Ransom demand was issued
Threat Actor Context:
- Safeway is a financially motivated ransomware group
- Demonstrated capability to target government infrastructure and technology providers
- Employs data extortion tactics with threat of public leakage
Not Disclosed: The source material does not provide details on:
- Initial access method (phishing, exploitation, compromised credentials, supply chain attack, insider access, etc.)
- Specific vulnerabilities exploited
- Persistence mechanisms used by Safeway
- Timeline from initial compromise to full data exfiltration
- Whether state government systems had network isolation from Conduent infrastructure
- Whether ransom was paid or data published
Attack chain and detailed methodology remain unknown in available reporting.
What Organizations Should Do
For Conduent & Government Technology Providers:
- Complete Forensic Investigation & Scope Assessment — Conduct immediate forensic analysis of all compromised systems; determine exact scope of data exposure across all state agencies and programs served; provide complete accounting to affected states and citizens.
- Citizen Notification & Identity Protection — Establish comprehensive notification program to all affected citizens; provide at least three years of credit monitoring and identity theft protection services; establish dedicated support line and website for affected individuals.
- State Agency Notification & Remediation — Contact all state agencies whose data was compromised; provide forensic reports and indicators of compromise; coordinate remediation and security enhancement plans; assess potential breach notification law violations.
- Ransomware Decryption & Recovery — Work with cybersecurity forensics firms to develop recovery strategies; do not rely on ransom payment for decryption keys; maintain offline, immutable backups for system recovery.
- Third-Party Access Control Overhaul — Implement zero-trust architecture for all government agency integrations; require multi-factor authentication and encryption for all data transfers; implement immutable audit logging for all data access and exports.
- Regulatory & Legal Compliance — Coordinate with state attorneys general and federal agencies regarding breach notification obligations; prepare for regulatory investigations and potential enforcement actions; assess liability for inadequate data security.
For State Governments & Government Agencies:
- Immediately audit all data access logs to identify unauthorized access by Safeway attackers
- Assume all data processed by Conduent between January-April 2025 was accessed by threat actors
- Implement additional security monitoring for citizens' accounts and benefit programs
- Revise contracts and service agreements with technology vendors to require enhanced security
- Assess vulnerability of other government technology vendors
For Affected Citizens (Tens of Millions):
- Enroll in credit monitoring and identity theft protection services
- Place fraud alerts with credit bureaus
- Consider credit freezes to prevent fraudulent account opening
- Monitor financial accounts and government benefits for unauthorized activity
- Be alert to phishing targeting government benefit recipients
- Monitor for fraudulent healthcare claims or medical identity theft
For US Government & Federal Cybersecurity Authorities:
- Assess vulnerability of federal government data held by technology contractors
- Develop standards for critical government technology provider security requirements
- Coordinate investigation with law enforcement regarding Safeway ransomware operations
- Prepare federal response to this level of government data exposure
Sources: Conduent Data Breach: Millions Affected Across Multiple States (2026)