Conduent — SafePay ransomware (govtech contractor)
SafePay sat inside govtech contractor Conduent for 84 days, exfiltrating 8 TB and exposing 25 million-plus Americans on state Medicaid and benefits programmes.
- Target: Conduent — SafePay ransomware (govtech contractor)
- Date public: 26 February 2026
- Sector: Government
- Attack type: Ransomware
- Threat actor: SafePay
- Severity: Critical
- Region: United States
Conduent is the back-office company that runs systems for state Medicaid programmes, child-benefit schemes, public-benefits portals and toll roads across the United States — most Americans whose data sits inside Conduent have never heard of it. In October 2024 a ransomware crew called SafePay walked in through a Conduent VPN that didn't require multi-factor authentication, using a stolen password. They stayed for twelve weeks, quietly copied around 8 terabytes of data out of the network, then deployed ransomware in January 2025 and took Conduent's operations offline for several days. Conduent initially told the public the breach was modest in scope. State-by-state notification filings over the following year revealed it was anything but: more than 25 million Americans had their names, Social Security numbers, dates of birth, medical records and health-insurance details stolen, including 15.4 million Texans and 10.5 million Oregonians. Most affected people did not receive a letter until October 2025 — ten months after Conduent itself knew. The Texas Attorney General opened an investigation in February 2026, calling it potentially the largest US healthcare-data breach ever recorded. More than thirty-five class actions have been consolidated in federal court in New Jersey.
Conduent Business Solutions is one of the largest back-office processors of US public-sector data that most Americans have never heard of. It runs claims and eligibility systems for state Medicaid programmes, administers child-benefit and food-assistance portals, processes toll-road transactions, and provides outsourced human-resources and customer-service functions for state agencies and several large health insurers. Its data custody is, in practice, a quiet utility layer underneath US government services. On 13 January 2025 that utility layer went dark when SafePay deployed ransomware inside Conduent’s environment, took several days of operations offline, and demanded payment.
The intrusion itself had begun nearly three months earlier. SafePay first gained unauthorised access on 21 October 2024 and remained resident in the network for 84 days before encrypting anything. During that period the attackers exfiltrated approximately 8 terabytes of data — by some counts around eight million documents — including names, dates of birth, addresses, Social Security numbers, medical records and health-insurance details. The dataset spanned multiple Conduent customer accounts and multiple state programmes, which is why the eventual notification scope crossed jurisdictional lines so visibly.
The technical access path is consistent with SafePay’s wider tradecraft pattern. Threat-intelligence reporting from ThreatLocker, Check Point and Picus Security characterises the group’s preferred initial-access vector as compromised credentials against externally exposed VPN gateways or RDP servers, frequently against edge devices that allow local-account authentication without multi-factor enforcement. Once inside, the crew leans heavily on living-off-the-land tooling — PSExec, WinRM, native RDP and pre-installed RMM agents — to move laterally without dropping novel malware that endpoint detection would catch. Endpoint protection is then disabled, shadow copies are removed, and logs are cleared ahead of encryption. Conduent has not publicly attributed its specific access vector to one particular gateway, but the shape of the intrusion fits SafePay’s playbook closely enough that any UK financial-services firm reviewing its own VPN-MFA estate should treat this incident as the worked example.
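The living-off-the-land sequence described above (remote execution through PsExec and WinRM, then shadow-copy removal and log clearing ahead of encryption) is what host telemetry should be hunting for. The following is an added detection example, not code from the original page or from any of the cited vendors. The process-creation events are constructed and loosely follow Sysmon-style fields; the binaries it matches on (the PSEXESVC service, wsmprovhost.exe as the WinRM host, vssadmin, wmic and wevtutil) are the standard Windows and Sysinternals names assumed to be in play, and the two-host fan-out threshold is an assumption.

```python
"""Host-telemetry detection for the post-access pattern described in the text:
remote execution via PsExec/WinRM, then shadow-copy deletion and event-log
clearing. Added example; the events below are constructed, not Conduent logs."""
import re
from collections import defaultdict

# Parents that indicate a child process was launched by a remote-execution service.
REMOTE_EXEC_PARENTS = {"psexesvc.exe", "wsmprovhost.exe"}

# Command-line rules for the pre-encryption steps the text describes.
RULES = {
    "shadow_copy_delete": re.compile(
        r"\b(vssadmin(\.exe)?\s+delete\s+shadows|wmic(\.exe)?\s+shadowcopy\s+delete)", re.I),
    "event_log_clear": re.compile(r"\bwevtutil(\.exe)?\s+cl\b", re.I),
    "psexec_service_install": re.compile(r"^psexesvc\.exe", re.I),
}

# Constructed sample events (Sysmon-like fields; field names are an assumption).
EVENTS = [
    {"ts": "2024-10-22T02:11:04", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "services.exe", "image": "PSEXESVC.exe", "cmd": "PSEXESVC.exe"},
    {"ts": "2024-10-22T02:11:09", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "PSEXESVC.exe", "image": "cmd.exe", "cmd": "cmd.exe /c whoami"},
    {"ts": "2024-10-22T02:14:30", "host": "APP07", "user": "CORP\\svc_backup",
     "parent": "wsmprovhost.exe", "image": "powershell.exe", "cmd": "powershell.exe -nop -c hostname"},
    {"ts": "2025-01-13T00:03:12", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "image": "vssadmin.exe", "cmd": "vssadmin.exe delete shadows /all /quiet"},
    {"ts": "2025-01-13T00:03:40", "host": "FS01", "user": "CORP\\svc_backup",
     "parent": "cmd.exe", "image": "wevtutil.exe", "cmd": "wevtutil.exe cl Security"},
    # Benign: an interactive user running a script from the desktop shell.
    {"ts": "2024-10-22T09:00:00", "host": "WS12", "user": "CORP\\jdoe",
     "parent": "explorer.exe", "image": "powershell.exe", "cmd": "powershell.exe -File report.ps1"},
]


def classify(event):
    """Return the rule names one event triggers (empty list for benign events)."""
    hits = [name for name, pattern in RULES.items() if pattern.search(event["cmd"])]
    if event["parent"].lower() in REMOTE_EXEC_PARENTS:
        hits.append("remote_exec_child")
    return hits


def detect(events):
    """One finding per (event, rule) pair, keeping the fields an analyst needs."""
    return [{"ts": ev["ts"], "host": ev["host"], "user": ev["user"], "rule": rule, "cmd": ev["cmd"]}
            for ev in events for rule in classify(ev)]


def lateral_fanout(events, min_hosts=2):
    """Accounts whose remote-execution children appear on at least min_hosts distinct hosts."""
    hosts_by_user = defaultdict(set)
    for ev in events:
        if "remote_exec_child" in classify(ev):
            hosts_by_user[ev["user"]].add(ev["host"])
    return {user: sorted(hosts) for user, hosts in hosts_by_user.items() if len(hosts) >= min_hosts}


def hosts_at_encryption_risk(events):
    """Hosts that saw remote execution AND a pre-encryption step (shadow delete or log clear)."""
    rules_by_host = defaultdict(set)
    for finding in detect(events):
        rules_by_host[finding["host"]].add(finding["rule"])
    remote = {"remote_exec_child", "psexec_service_install"}
    pre_encryption = {"shadow_copy_delete", "event_log_clear"}
    return sorted(host for host, rules in rules_by_host.items()
                  if rules & remote and rules & pre_encryption)


if __name__ == "__main__":
    for finding in detect(EVENTS):
        print(finding["ts"], finding["host"], finding["rule"], "<-", finding["cmd"])
    print("fan-out:", lateral_fanout(EVENTS))
    print("hosts at encryption risk:", hosts_at_encryption_risk(EVENTS))
```

The point of the last two functions is the ordering the text describes: the lateral-movement signal (one account reaching several hosts through remote-execution service hosts) is available in October, weeks before the shadow-copy and log-clearing commands that immediately precede encryption, so it is the earlier signal a SOC should page on.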
What is unusual about Conduent inside that playbook is the dwell time. SafePay typically moves from initial access to encryption in under twenty-four hours, according to Q3 2025 ransomware-pattern analysis from Dragos. Eighty-four days is roughly an order of magnitude longer than the group’s median dwell. The most plausible explanation is the value of the data itself: 8 TB is a lot to exfiltrate quietly, and the regulated character of Medicaid and health-insurance records made the data leg of the double-extortion model more lucrative than the encryption leg. Whoever sat inside Conduent prioritised exfiltration over speed, which means there were roughly twelve weeks of sustained outbound data egress on a contractor-segment network that should, in principle, have triggered volumetric anomaly detection long before ransomware ever fired.
The timeline of disclosure is the second part of the story, and the part that has carried Conduent into a class-action defence rather than a typical post-incident recovery posture. Conduent disclosed the operational disruption to the SEC in late January 2025. It told most regulators, customers and affected individuals very little for the rest of the year. Its initial public estimate, reported through October 2025, was that around four million people had been affected. State-by-state attorney-general filings made through late 2025 and early 2026 progressively revised that figure: Texas filed for 15.4 million residents impacted, Oregon for 10.5 million, and the cumulative national total now sits at more than 25 million Americans. Notification letters to most affected individuals were not postmarked until 24 October 2025 — nine months after Conduent’s own incident-response programme had identified the encryption event, and almost a year after the initial intrusion. Some recipients did not actually receive their letters until January 2026. On 22 February 2026 the Texas Attorney General opened a formal probe, framing the breach in language reserved for the most material incidents on his desk. The same week, Reuters and Bloomberg coverage began treating the breach as potentially the largest US healthcare-related data exposure ever disclosed, depending on how the medical-data portion of the record set is ultimately classified.
The litigation picture is the third leg. More than thirty-five proposed class actions have been filed against Conduent across multiple US federal districts, all of which have now been consolidated in the District of New Jersey under Judge Michael A. Hammer. The court appointed an eight-member Plaintiffs’ Steering Committee on 22 December 2025. The plaintiffs’ theories cluster around negligence, negligence per se, breach of third-party beneficiary contract, and unjust enrichment, with the notification delay forming the spine of the breach-of-contract count. Conduent’s published response-cost figure is approximately $25 million, partly covered by cyber insurance, with no claimed material operational impact — a number that would suggest the company expects the eventual cost envelope to be dominated by settlement and regulatory penalty exposure rather than direct response and remediation.
The defender takeaway is uncomfortable for any regulated firm that relies on third-party processors for back-office operations on regulated data. Conduent is the worked example of what happens when a critical contractor sits one layer underneath your regulated estate and the threat actor knows it. Three controls would have meaningfully limited this incident’s blast radius regardless of the initial-access specifics. The first is mandatory multi-factor enforcement on every externally exposed VPN, RDP and remote-administration entry point, with no exceptions for legacy local accounts. The second is sustained outbound-egress volumetric detection on contractor-segment networks: 8 TB over twelve weeks is roughly 100 GB per day of sustained exfiltration, which is detectable by any halfway-competent network-telemetry programme if anyone is looking. The third is segmentation between contractor-data-custody environments and contractor-corporate IT, so that a compromise of the latter does not collapse into bulk access to the former. For UK and Australian financial-services firms reading this through a DORA, SS2/21 or APRA CPS 234 lens, the read-across is now direct rather than hypothetical: the regulated entity remains accountable for the third party’s controls, and “we used a contractor” is not a defence the courts in this case are accepting.
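As an added example (not code from the original page or from Conduent), here is the outbound-egress volumetric check that the dwell-time paragraph and the second control above both call for, applied to constructed daily outbound byte totals for one contractor segment. It builds a rolling median baseline from unflagged days only, requires an absolute floor as well as a ratio, and escalates only when the excess persists for several days, so a one-off backup spike is flagged but not escalated while a sustained exfiltration is. The window, ratio, floor and minimum-run values are assumptions, and the helper at the top computes the daily rate implied by the page's own 8 TB over 84 days figure.

```python
"""Egress-volume anomaly detection over per-day outbound totals for one network
segment. Added example with constructed data; thresholds are assumptions."""
from statistics import median

GB = 1024 ** 3


def implied_daily_rate_gb(total_tb=8, days=84):
    """Average exfiltration rate implied by the public figures: 8 TB over 84 days."""
    return total_tb * 1024 / days  # roughly 97.5 GB/day


# Constructed daily egress (GB) for a contractor segment: three normal weeks ...
NORMAL_GB = [3, 4, 2, 5, 3, 4, 3, 6, 4, 3, 5, 4, 3, 2, 4, 5, 3, 4, 4, 3, 5]
# ... followed by nine days of sustained ~100 GB/day outbound transfer.
EXFIL_SERIES = [g * GB for g in NORMAL_GB] + [g * GB for g in [40, 95, 110, 98, 102, 97, 105, 99, 101]]
# Same normal weeks with a single 30 GB day (e.g. an offsite backup) on day 17.
SPIKE_SERIES = [g * GB for g in NORMAL_GB[:17] + [30] + NORMAL_GB[18:]]


def flag_days(series, window=14, ratio=5.0, floor=20 * GB):
    """Flag each day whose egress exceeds ratio x the rolling median of the last
    `window` unflagged days and also exceeds an absolute floor. Flagged days are
    kept out of later baselines so a weeks-long exfiltration cannot drift the
    baseline upward and become the new normal."""
    flags = [False] * len(series)
    clean = []  # recent unflagged values used as the baseline
    for i, value in enumerate(series):
        if len(clean) >= window:
            baseline = median(clean[-window:])
            if value > max(ratio * baseline, floor):
                flags[i] = True
                continue
        clean.append(value)
    return flags


def sustained_runs(flags, min_days=3):
    """Return (start, end) index pairs for runs of flagged days at least min_days long."""
    runs, start = [], None
    for i, flagged in enumerate(flags + [False]):  # sentinel closes a trailing run
        if flagged and start is None:
            start = i
        elif not flagged and start is not None:
            if i - start >= min_days:
                runs.append((start, i - 1))
            start = None
    return runs


def alerts(series, min_days=3, **baseline_kw):
    """Escalate only sustained excess egress; single-day flags stay as low-priority events."""
    flags = flag_days(series, **baseline_kw)
    out = []
    for start, end in sustained_runs(flags, min_days):
        total = sum(series[start:end + 1])
        out.append({"start_day": start, "end_day": end, "days": end - start + 1,
                    "total_gb": round(total / GB, 1)})
    return out


if __name__ == "__main__":
    print(f"implied rate: {implied_daily_rate_gb():.1f} GB/day")
    print("exfil series alerts:", alerts(EXFIL_SERIES))
    print("spike series flags:", [i for i, f in enumerate(flag_days(SPIKE_SERIES)) if f],
          "alerts:", alerts(SPIKE_SERIES))
```

In practice the daily totals would be aggregated from flow or firewall logs per segment and per destination class (internet-bound only, excluding sanctioned backup and replication targets), and the baseline should be kept per segment rather than for the whole estate, since a contractor data-custody segment should have a far lower and flatter egress profile than corporate IT.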
The Conduent case will set the bar for how the next round of US state-level breach-notification deadlines is interpreted, and the New Jersey litigation will, if it reaches a substantive ruling, define the legal weight of the GLBA-and-HIPAA-by-contract obligation chain. It is also the cleanest single example to date of why a govtech back-office vendor is, in cyber-resilience terms, no less critical than a Tier-1 cloud provider.
Sources
- Texas Attorney General — investigation announcement, Conduent breach // primary
- TechCrunch — Conduent breach balloons, affecting millions more Americans // reporting
- Malwarebytes — the Conduent breach, from 10 million to 25 million // reporting
- HIPAA Journal — Texas AG investigates Conduent breach // reporting
- BankInfoSecurity — Lawsuits, investigations piling up in Conduent hack // reporting
- ThreatLocker — SafePay ransomware explained: IOCs, TTPs, defence strategies // analysis
- Check Point — SafePay ransomware: an emerging threat in 2025 // analysis