Conduent breach … does this remind you of OPM?

Hello gang,

Some years back, we talked and blogged about the OPM breach. Since OPM can be found in various discussions including our recently released podcast 268, I’ll let you go and get coverage by searching OPM or OPM breach on the blog.

Seems like Conduent may be in the same position as OPM was.

“What do you mean?” you might ask.

A lot of people, including those who may be disabled, might be receiving services from the company, even though they signed up for the service through their state agency. It may include Medicare or Medicaid, SNAP, or some other benefit.

The beginning of the article says:

The Conduent breach has quietly grown into one of the biggest third-party data incidents in US history, and the real story now is how many different programs and employers are swept up in it, even for people who have never heard of Conduent.

When we first covered this incident, public filings suggested roughly 10.5 million affected individuals, heavily concentrated in Oregon and a few other states. Fresh state notifications reportedly put the total at more than 25 million people across the US, with Texas alone jumping from an early estimate of about 4 million to 15.4 million residents impacted, and Oregon holding at around 10.5 million.

This should probably not surprise us because, as I already said, this reminds me of the OPM breach in a way. Just search it out and let me know if you can figure out what might be related.

This might help you a little bit, but we’ll let you see. The paragraph I’m taking from this time says:

  • State benefit programs such as Medicaid, SNAP (Supplemental Nutrition Assistance Program), and other government payment disbursements in more than 30 states.
  • Mailroom, printing, and payment processing for state benefit offices and healthcare programs, including large health insurers like Blue Cross Blue Shield plans.
  • Corporate services for major employers, including at least one large automotive manufacturer; nearly 17,000 Volvo Group employees are confirmed among those whose data was exposed.

According to another paragraph, the gang that calls themselves “Safeway” is claiming responsibility. Like other incidents, all I can say is that we’ll see how true this is … especially since I’ve never heard of the group.

Stop me if you’ve seen this before.

The stolen data goes far beyond contact details. Notification letters and regulator filings describe:

  • Full legal names, postal addresses, and dates of birth.
  • Social Security numbers and other government identifiers.
  • Medical information, health insurance details, and related claims data.

Just like OPM, who is completely different, this agency seems to have a lot of data. And if I’m to guess, since we’re learning the number of people is growing, I expect this to go up.

There are three reasons why this follow-up story is more serious than the original:

  • More people are involved: The raw numbers climbed from 10 million to 25 million as more states and corporate clients disclosed involvement, showing how opaque third-party breaches can be at the start.
  • Forever identifiers: SSNs plus medical and insurance data enable long-tail identity theft, medical fraud, and highly targeted phishing that can haunt victims for years.
  • Third-party blind spot: For many covered entities, “the breach” will never show up in their own logs because the compromise happened in a vendor’s environment they rely on but do not control.

I think the third item is worth repeating, because it shows that companies are not paying attention to how much data they have, especially when it comes to third-party relationships. That third item alone says:

Third-party blind spot: For many covered entities, “the breach” will never show up in their own logs because the compromise happened in a vendor’s environment they rely on but do not control.

Since companies use services like OPM or even Conduent in this case, maybe it’s time to find out what safeguards are involved in protecting this data.

The Conduent Letter

Picture Smart, a feature of JAWS, says:

The image shows a formal letter from Conduent Business Services, LLC dated December 31, 2025, addressed to an individual, informing them of a data breach incident. It outlines the discovery of unauthorized access to personal information between October 21, 2024, and January 13, 2025, affecting network files with names, addresses, and Social Security numbers. The letter explains actions taken to secure systems, offers 12 months of free credit monitoring, and provides contact details for further assistance and steps to protect personal information.

When asking for more information, Claude and ChatGPT are used to give us details.

Here’s what ChatGPT says:

The image is a letter from Conduent Business Services, LLC, dated December 31, 2025, addressed to an individual whose name and address at the top have been blacked out for privacy.

The letter is titled “Re: Notice of Data Incident” and serves to inform the recipient about a data incident involving potential unauthorized access to their personal information.

Key points from the letter:

1. Conduent Business Services, LLC provides various services such as third-party printing/mailroom, document processing, payment integrity, and other support services to its clients.

2. On January 13, 2025, Conduent discovered they were victims of a cyber incident that affected a limited part of their network.

3. The investigation revealed unauthorized third-party access to their environment related to current or former health plan information between October 21, 2024, and January 13, 2025.

4. The affected files included the recipient’s name, address, and Social Security number. Conduent states there is presently no evidence or indication of actual or attempted misuse of the recipient’s personal information.

5. Conduent has secured their systems, performed detailed analyses with internal and external experts, restored operations, notified law enforcement, and is providing credit monitoring and identity restoration services through Epiq for 12 months at no charge to the recipient.

6. The letter includes instructions on a separate document titled “Steps You Can Take to Help Protect Your Information,” which provides information on protecting personal data, activating services, and monitoring credit reports.

7. Contact information is provided for further assistance: a dedicated assistance line at 877-332-1658 (toll-free), available Monday-Friday from 9 a.m. to 9 p.m. Eastern Time, and a mailing address for writing: Data Incident, 100 Campus Drive, Suite 200, Florham Park, New Jersey 07932.

The letter is signed by Conduent Business Services, LLC.

The letter may be different than what’s shown, depending on what’s taken.

The article from Malwarebytes that Nick sent is titled “The Conduent breach; from 10 million to 25 million (and counting)”, which I urge everyone in this community to read. This can’t be good. I think it’s going to get worse.

Thanks so much for reading, make it a great day!

