[agents/model-providers] [xai-auth] bootstrap config fallback: no config-backed key found

title: "Intel Brief: Conduent Government Technology — Ransomware Attack State Services Breach" date: 2026-04-05 slug: conduent-government-technology-breach

Intel Brief: Conduent Government Technology — Ransomware Attack State Services Breach

Conduent, a major government technology company processing data for state agencies and government healthcare programs, publicly disclosed a confirmed ransomware attack that occurred in January 2025 and exposed personal information of tens of millions of Americans. The Safeway ransomware gang claimed responsibility for the attack and claimed to have stolen over 8 terabytes of sensitive data. Conduent's initial April disclosure significantly downplayed the breach scale, but subsequent notifications revealed far more extensive exposure than initially reported. Texas alone reported 15.4 million affected individuals (revised from initial 4 million estimate), Oregon reported 10.5 million affected, and hundreds of thousands more across additional states. The stolen data includes names, Social Security numbers, medical information, and health insurance details affecting millions of Americans dependent on state healthcare and government services. The breach represents a critical compromise of US government technology infrastructure and exposes tens of millions of citizens to identity theft, medical fraud, and long-term security risks.

What Happened

Conduent confirmed a ransomware attack that occurred in January 2025 and resulted in successful exfiltration of over 8 terabytes of sensitive government and healthcare data. The attack was claimed by the Safeway ransomware gang. Conduent's initial public disclosure in April 2026 significantly underestimated the breach scope, but subsequent investigations and state-level notifications revealed the true scale of exposure affecting tens of millions of Americans.

Confirmed Facts:

• Conduent is a government technology company
• Company processes data for multiple state agencies and government healthcare programs
• Attack occurred: January 2025
• Initial disclosure: April 2026 (15+ months after attack)
• Threat actor: Safeway ransomware gang
• Data stolen: 8+ terabytes
• Texas affected: 15.4 million individuals (revised from initial 4 million)
• Oregon affected: 10.5 million individuals
• Additional states: hundreds of thousands of notifications
• Total affected: tens of millions of Americans (exact total unclear due to scope)
• Initial disclosure significantly underestimated breach scope
• Conduent operates with limited public visibility; customers unaware data is processed by Conduent

Attack Timeline:

1. Initial Compromise (January 2025, specific date not disclosed): Safeway ransomware gang gained unauthorized access to Conduent systems.

2. Network Reconnaissance & Data Identification (January 2025): Attackers identified and mapped state agency and healthcare program data stored within Conduent infrastructure.

3. Large-Scale Data Exfiltration (January 2025): Over 8 terabytes of data was copied from Conduent systems to attacker-controlled infrastructure.

4. Ransomware Deployment (January 2025): Ransomware was deployed across Conduent systems for encryption and extortion.

5. Public Claim (January-April 2025): Safeway ransomware gang publicly claimed the attack.

6. Initial Disclosure (April 2026): Conduent publicly disclosed the breach with significant scope underestimation.

7. Scale Revelation (April 2026): Subsequent investigations revealed true extent of exposure (15.4M Texas, 10.5M Oregon, etc.).

8. Ongoing Notifications (April 2026): State-by-state notifications to affected individuals continued.

What Was Taken

Confirmed Data Exposure:

• Names
• Social Security numbers
• Medical information
• Health insurance details
• State agency records
• Government healthcare program data
• 8+ terabytes total volume

Inferred Data Exposure (based on state healthcare processing):

• Full legal names and aliases
• Complete Social Security numbers
• Dates of birth and age information
• Home addresses and contact information
• Phone numbers and email addresses
• Medical diagnoses and treatment history
• Medication records and prescriptions
• Health insurance policy numbers and details
• Medicare/Medicaid identification numbers
• State benefit eligibility and payment information
• Financial information linked to benefits
• Employment status and income verification
• Family relationships and dependent information
• Government program enrollment records

Sensitivity Assessment: CRITICAL. Government healthcare and state agency data includes:

• Complete personal identification enabling comprehensive identity theft
• Social Security numbers enabling fraudulent loans, credit applications, and tax fraud
• Medical information revealing health conditions enabling medical fraud and insurance scams
• Health insurance details enabling insurance fraud
• Government benefit information enabling benefit fraud
• Financial records linked to benefits enabling financial fraud
• Complete family and dependent information enabling family identity theft
• Combination of identifiers sufficient for comprehensive multi-state identity theft

Scale: Tens of millions of Americans affected across multiple states

Strategic Impact: The exposure enables:

• Comprehensive identity theft affecting tens of millions of Americans
• Medical identity fraud using exposed health and insurance information
• Healthcare fraud using medical and insurance records
• Government benefit fraud using eligibility and payment information
• Targeted social engineering using health condition information
• Fraudulent loans and credit applications using Social Security numbers
• Tax fraud using tax identification information
• Family-based fraud targeting dependents
• Multi-year fraud risk due to persistent nature of government records

Why It Matters

This attack represents a critical compromise of US government technology infrastructure serving state agencies and healthcare programs affecting tens of millions of American citizens and demonstrates the massive risk from ransomware attacks targeting government contractors.

Strategic Significance:

1. Government Infrastructure Compromise: Conduent processes data for state agencies and government healthcare programs across multiple states. The compromise affects fundamental government service delivery and citizen data security.

2. Massive Scale Exposure: The exposure of 15.4 million individuals in Texas alone, plus 10.5 million in Oregon, plus additional hundreds of thousands across other states represents tens of millions of Americans affected by a single breach.

3. Long-Term Identifier Exposure: Unlike credit card breaches where compromised cards can be replaced, Social Security numbers and health records are long-term identifiers that cannot be easily replaced, creating multi-year fraud risk.

4. Medical Information Compromise: The exposure of medical diagnoses and treatment information creates specialized fraud risk (medical identity fraud) and potential privacy violations regarding health conditions.

5. Hidden Attack Impact: Many affected individuals may not be aware Conduent processes their data, leading to delayed security responses and potentially extended attacker access window.

6. Initial Disclosure Failure: Conduent's April disclosure significantly downplayed the breach scope, indicating inadequate initial impact assessment and potential regulatory violations regarding timely and accurate breach notification.

7. Ransomware Operational Impact: The deployment of ransomware across government systems likely caused significant operational disruption to state agencies and healthcare programs beyond the data theft itself.

The Attack Technique

Specific attack methodology and initial access vector are not disclosed in available reporting.

Confirmed Facts:

• Safeway ransomware gang successfully compromised Conduent systems
• Attackers gained access to state agency and healthcare program data
• 8+ terabytes of data was successfully exfiltrated
• Ransomware was deployed across systems
• Attackers made public claims regarding attack

Not Disclosed: The source material does not provide details on:

• Initial access method (phishing, exploitation, compromised credentials, supply chain, etc.)
• Specific vulnerabilities exploited
• Duration of attacker access prior to detection
• Persistence mechanisms used by attackers
• Whether attackers remain in systems post-encryption
• Ransomware variant deployed
• Ransom demand amount
• Whether ransom was paid
• Safeway ransomware gang attribution and background

Attack chain indicates successful compromise of enterprise government contractor infrastructure.

What Organizations Should Do

For Conduent & Government Contractors:

1. Immediate Incident Response & Forensic Investigation — Conduct complete forensic analysis of all systems compromised in January 2025 attack; determine initial access vector; identify all data exfiltrated; determine whether attackers maintain persistence in systems.

2. Customer Notification & Remediation — Provide comprehensive notification to all affected state agencies and individuals; provide multi-year credit monitoring and identity theft protection for all affected citizens; establish dedicated support for fraud victims.

3. Government Data Security Hardening — Implement segmentation between different state agency data; restrict access to sensitive healthcare and benefit information; deploy continuous monitoring for unauthorized data access; implement data loss prevention tools.

4. Ransomware Recovery & System Restoration — Develop recovery strategy from clean backups; test recovery procedures; restore systems from known-clean backup points; ensure offline, immutable backups not accessible to attackers.

5. Government Compliance & Regulatory Coordination — Coordinate incident response with state attorneys general; notify federal law enforcement (FBI, CISA); assess compliance with HIPAA (healthcare data), GLBA (financial data), and state privacy laws; implement mandatory incident disclosure timelines.

6. Third-Party Government Contractor Security — Establish contractual security requirements for government data access; require SOC 2 Type II certification; mandate immediate incident notification; implement continuous security assessments; consider data minimization strategies.

For State Agencies & Government Programs:

• Audit all government contractors with access to citizen data
• Implement additional authentication controls for sensitive data access
• Monitor for fraudulent benefit claims and government program misuse
• Establish fraud detection for accounts matching breached records
• Implement identity verification improvements for benefit applications

For Affected Citizens (Tens of Millions):

• Place credit freeze with all three major credit bureaus
• Enroll in multi-year identity theft protection services
• Monitor credit reports for unauthorized accounts and inquiries
• Monitor Social Security number for fraudulent use (SSA website)
• Monitor for fraudulent government benefit claims in your name
• Be alert to phishing and social engineering targeting government program participants
• Monitor for fraudulent medical services and insurance claims
• Report any fraudulent activity to state agencies and law enforcement immediately

Sources: Conduent Data Breach: Millions Affected Across Multiple States (2026)