Conduent/SafePay: 25M Americans Exposed in 84-Day Ransomware Dwell Largest US Government Data Breach

Jan 13, 2025 · 25M+ affected · 8.5TB exfiltrated · 84-day dwell

CRITICAL CORROBORATED

By Karim El Labban · ZERO|TOLERANCE


On October 21, 2024, the SafePay ransomware group breached Conduent Business Services - a New Jersey-based government technology contractor that processes Medicaid claims, SNAP benefits, child support payments, health insurance operations, and other critical services for more than 30 US states and over 100 million Americans.

The attackers gained initial access through compromised VPN credentials and maintained persistent access for 84 days, exfiltrating approximately 8.5 terabytes of data before Conduent detected the intrusion on January 13, 2025. The stolen data includes names, Social Security numbers, dates of birth, residential addresses, medical records, health insurance details, treatment information, diagnoses, claims data, and provider names belonging to more than 25 million Americans - one in four people whose data Conduent processes.

Texas accounts for 15.4 million affected individuals. Oregon reports 10.5 million. Notifications have been filed in at least a dozen additional states. Texas Attorney General Ken Paxton has called it "likely the largest breach in U.S."

SafePay claimed responsibility in February 2025 and listed Conduent on its Tor-based leak site. Conduent was subsequently removed from the site - strongly suggesting a ransom payment or negotiated data sale, though Conduent has not confirmed or denied payment.

Conduent filed SEC Form 8-K on April 14, 2025, and reported $25 million in breach response costs. As of March 2026, notification letters are still being sent. At least 10 federal class action lawsuits have been filed.

01

KEY FACTS

  • What: SafePay ransomware group breached Conduent Business Services, exfiltrating 8.5 terabytes of government benefits, healthcare, and personal data over an 84-day dwell period.
  • Who: Conduent Business Services (NASDAQ: CNDT, $3.36B FY2024 revenue, ~56,000 employees). 25M+ Americans affected across 30+ states - primarily Medicaid recipients, SNAP beneficiaries, child support payees, and commercial health insurance members.
  • How: Initial access via compromised VPN credentials. Post-exploitation credential harvesting from LSASS via Mimikatz. Lateral movement via PsExec. Data exfiltration of 8.5TB over 84 days. SafePay ransomware deployment.
  • Data: Names, Social Security numbers, dates of birth, residential addresses, medical records, health insurance details, treatment information, diagnoses and treatment codes, claims data, provider names, dates of service.
  • Actor: SafePay - centralized (non-RaaS) ransomware group using modified LockBit code, emerged September 2024, 400+ claimed victims as of early 2026. Assessed as Russian-nexus based on Cyrillic keyboard locale checks.
  • Impact: $25M in disclosed breach response costs. 35+ federal class action lawsuits (consolidated in NJ federal court). Texas AG investigation with Civil Investigative Demands. Government service disruptions in Wisconsin and Oklahoma. Affected clients include BCBS Texas, BCBS Montana, Humana, Premera Blue Cross, Elevance/Anthem, and Volvo Group.

02

WHAT HAPPENED

On October 21, 2024, SafePay operators used compromised VPN credentials to gain initial access to Conduent's corporate network.

Conduent has not disclosed which VPN product was compromised, whether multifactor authentication was enforced on the gateway, or how the credentials were obtained - though SafePay's established playbook relies on credential exposure from infostealer logs, brute-force attacks against VPN appliances, and exploitation of known VPN vulnerabilities.

Once inside, the attackers followed a methodical post-exploitation sequence.

They likely scraped administrative credentials from the Local Security Authority Subsystem Service (LSASS) process using tools such as Mimikatz and Procdump - consistent with SafePay's documented TTPs, though specific tooling has not been confirmed in Conduent's forensic disclosures.

This technique extracts plaintext passwords, NTLM hashes, and Kerberos tickets from system memory. A single compromised administrator account with broad access to production data gave the attackers unconstrained authority to move laterally and stage data for exfiltration.

The attackers used PsExec to propagate across the network, connecting to additional systems before beginning data collection.

SafePay operators then exfiltrated approximately 8.5 terabytes of data - roughly 8 million documents - from Conduent's environment.

Based on SafePay's known TTPs documented by Bitdefender and Huntress, the group typically uses WinRAR for data compression and FileZilla for exfiltration.

The attackers accessed files containing protected health information, personally identifiable information, and government benefits data associated with Conduent's clients across more than 30 states.

Conduent detected the intrusion on January 13, 2025 - 84 days after initial access. The detection came only after the attack caused an "operational disruption" that impacted Conduent's network and triggered service outages visible to its government clients.

In Wisconsin, the Department of Children and Families reported that child support payments to thousands of families were delayed. Oklahoma's Human Services Department acknowledged similar processing disruptions.

EBT (Electronic Benefits Transfer) services in both states experienced outages tied to the breach.

SafePay claimed responsibility for the attack in February 2025, listing Conduent on its Tor-based and TON-based data leak sites. The group asserted it had stolen 8.5 terabytes of sensitive data and threatened to publish it unless a ransom was paid.

Conduent was subsequently removed from the SafePay leak site - a pattern that typically indicates a ransom payment or negotiated resolution. Conduent has neither confirmed nor denied making any payment.

Conduent filed SEC Form 8-K on April 14, 2025 - three months after discovering the breach and six months after the initial intrusion.

The filing disclosed that an unauthorized third party had accessed "a limited portion" of the company's environment between October 21, 2024, and January 13, 2025. Conduent initially reported no material operational impact.

That characterization would prove dramatically inaccurate.

03

THE NOTIFICATION DISASTER

Conduent began sending notification letters to affected individuals on October 8, 2025 - nearly a year after the breach occurred and nine months after discovery. The initial victim count reported to state attorneys general was approximately 10.5 million.

That number began growing almost immediately.

In Texas, the initial notification reported approximately 4 million affected residents.

By February 2026, that figure had been revised upward to 15.4 million - nearly half the state's population - indicating the breach extended far beyond Medicaid recipients to include commercial health insurance members processed through Conduent's systems, particularly Blue Cross Blue Shield of Texas.

Oregon's attorney general reported 10.5 million affected individuals - more than the state's entire population of approximately 4.2 million - suggesting the breach captured historical records, deceased individuals' data, and records for people who had moved out of state.

Additional state notifications followed: New Hampshire saw its count grow from 11,000 in October 2025 to more than 181,000 by February 2026, after four successive supplemental notification letters. Montana reported 462,000 affected individuals through BCBS Montana.

Indiana reported 5,892. Maine reported 374. Notification letters have also been sent to residents in California, Delaware, Massachusetts, New Mexico, Vermont, and other states. Conduent expects to complete all consumer notifications by April 15, 2026.

The evolving victim count - from 10.5 million to 25 million and still counting - reflects a fundamental failure in Conduent's initial forensic scoping. The company either did not understand what data it held, did not understand what was accessed, or both.

04

THE AFFECTED ORGANIZATIONS

Conduent is a third-party data processor - meaning the organizations whose data it holds are the ones whose customers, employees, and beneficiaries are exposed. The confirmed affected clients include:

  • Blue Cross Blue Shield of Texas (BCBSTX) - the state's largest health insurer
  • Blue Cross Blue Shield of Montana - 462,000 individuals notified
  • Blue Cross Blue Shield of Illinois
  • Blue Cross Blue Shield of New Mexico
  • All four BCBS plans above are owned by Health Care Service Corp. (HCSC)
  • Humana
  • Premera Blue Cross
  • Elevance Health (parent company of Anthem) - Virginia state employees enrolled in Anthem plans were notified in December 2025
  • Wisconsin Department of Children and Families - child support payment processing
  • Oklahoma Human Services - benefits processing
  • Volvo Group North America - 17,000 employees' data exposed (Volvo learned of the impact in January 2026, a full year after Conduent discovered the breach)

Conduent provides mailroom, printing, payment processing, claims administration, and other back-office services. Most affected individuals had no idea Conduent had their data.

They signed up for Medicaid, enrolled in employer health insurance, or applied for SNAP benefits - and Conduent was the invisible processor behind the scenes.

05

THE THREAT ACTOR

SafePay is a centralized ransomware operation that emerged in September 2024 and became one of the most active threat groups globally by mid-2025. As of early 2026, the group has claimed more than 400 victims.

SafePay operates as a closed, non-RaaS (Ransomware-as-a-Service) organization. Unlike groups such as LockBit, BlackCat/ALPHV, or RansomHub, SafePay does not recruit affiliates, does not advertise on dark web forums, and does not market its ransomware to other criminals.

This centralized model is unusual - it suggests a technically capable core team that does not need to outsource operations.

SafePay's ransomware binary is based on a modified version of LockBit's late-2022 source code (LockBit Black), which was leaked in September 2022 by a disgruntled developer.

However, SafePay has incorporated elements from other ransomware families, including ALPHV and INC Ransom, and its encryption implementation uses ChaCha20 with a unique symmetric key per file plus an embedded ransomware key. Encrypted files are given the ".safepay" extension.

The group's TTPs are well-documented by Bitdefender, Huntress, Halcyon, Check Point, and Blackpoint Cyber:

  • Initial Access: VPN exploitation, compromised RDP credentials, brute-force attacks, social engineering (impersonating IT staff to deploy remote management tools)
  • Credential Harvesting: Mimikatz, Procdump (LSASS scraping)
  • Reconnaissance: ShareFinder.ps1
  • Lateral Movement: PsExec
  • Data Staging: WinRAR for compression
  • Exfiltration: FileZilla
  • Defense Evasion: Living-off-the-land binaries (LOLBins) to disable Windows Defender, SELinux, and endpoint protection
  • Anti-Recovery: Volume shadow copy deletion, log clearing
  • Communication: Tor and TON (The Open Network) infrastructure

SafePay detects Cyrillic keyboard configurations and halts execution on systems with Russian-language locales - a reliable indicator of Russian-nexus operations, consistent with the threat actor's desire to avoid targeting entities within Russia or CIS countries.

The group targets primarily small and mid-sized businesses and managed service providers in North America and Western Europe. In June 2025, SafePay topped Bitdefender's monthly threat rankings after claiming 73 victims in a single month - followed by 42 more in July.

The Conduent breach, however, represents an order-of-magnitude escalation in both target size and victim impact.

Notable prior SafePay victims include Microlise (UK logistics tech firm, October 2024, 1.2TB exfiltrated) and Ingram Micro (US IT distribution, July 2025, compromised via stolen GlobalProtect VPN credentials through password spraying).

06

WHAT WAS EXPOSED

The stolen data includes:

  • Full names
  • Social Security numbers - permanent identifiers that cannot be changed and enable identity theft, tax fraud, and benefits fraud
  • Dates of birth
  • Residential addresses
  • Medical records - including diagnoses, treatment codes, and provider names
  • Health insurance details - plan information, member IDs, coverage details
  • Treatment information - dates of service, procedures, medications
  • Claims data - insurance claim details, payment amounts, billing codes
  • Government benefits data - Medicaid enrollment, SNAP participation, child support records

The combination of SSNs with medical records and government benefits data creates a uniquely dangerous exposure. SSNs enable financial identity theft. Medical records enable insurance fraud and targeted social engineering.

Government benefits data reveals economic vulnerability - information that can be used for predatory targeting. None of this data can be "changed" in the way a password or credit card number can be rotated. The exposure is permanent.

07

TECHNICAL FAILURE CHAIN

1. VPN gateway compromise without adequate MFA. SafePay gained initial access through compromised VPN credentials.

Whether the credentials were obtained through infostealer malware, brute-force attacks, or credential stuffing, the result is the same: the VPN gateway either lacked multifactor authentication entirely or relied on phishable MFA (SMS, TOTP) that SafePay was able to bypass.

A FIDO2 hardware key requirement on VPN access would have blocked this entry point.

2. No detection of credential harvesting from LSASS. The attackers scraped administrative credentials from LSASS using Mimikatz and Procdump - a technique that has been documented since at least 2011 and is one of the most commonly observed post-exploitation actions in ransomware incidents.

Modern EDR solutions detect LSASS access patterns. Windows Credential Guard prevents plaintext credential extraction from LSASS. Neither control appears to have been in place or functioning.

3. Overprivileged administrator accounts. A single compromised administrator account provided "unconstrained authority" to access production data across Conduent's environment.

This indicates a failure of least-privilege access controls: no role-based access restrictions, no just-in-time access provisioning, and no separation between administrative credentials and production data access.

4. No effective network segmentation. The attackers moved laterally from the initial VPN entry point to systems containing sensitive government benefits data, healthcare records, and personally identifiable information across dozens of state programs.

Proper network segmentation would have contained the breach to a limited network zone. Instead, the attackers had 84 days of unrestricted lateral movement.

5. No detection of 8.5TB data exfiltration. Conduent's network monitoring failed to detect the exfiltration of 8.5 terabytes of data - the equivalent of roughly 8 million documents - over an extended period.

Data loss prevention (DLP) controls were either absent, misconfigured, or incapable of detecting large-scale outbound data transfers. Network traffic analysis should have flagged anomalous data volumes to external destinations.

6. 84-day dwell time. The attackers operated inside Conduent's network for nearly three months before detection. The breach was discovered only because the ransomware deployment caused visible service disruptions - not because of proactive threat detection.

This dwell time far exceeds the 2023 median of 10 days reported by Mandiant (11 days in 2024 per M-Trends 2025) and indicates a fundamental gap in Conduent's security monitoring, threat hunting, and incident detection capabilities.

7. Catastrophic forensic scoping failure. The initial victim count of 10.5 million more than doubled to 25 million+ as Conduent's forensic investigation progressed - and the number is still growing.

Either Conduent did not maintain adequate data inventories to know what information it held and where, or its incident response team failed to scope the breach accurately during initial forensics. Both failures compounded the regulatory and notification burden.

08

REGULATORY EXPOSURE

  • HIPAA (Health Insurance Portability and Accountability Act) - The breach exposed protected health information (PHI) including medical records, diagnoses, treatment codes, and health insurance details. HIPAA requires covered entities and business associates to report breaches affecting 500+ individuals to HHS within 60 days of discovery. Conduent is a business associate of multiple HIPAA-covered entities. Fines range from $141 to $2,134,831 per violation category per year, with the HHS Office for Civil Rights (OCR) having broad enforcement authority. The 84-day dwell time and nine-month notification delay will face intense scrutiny.
  • CCPA/CPRA (California Consumer Privacy Act / California Privacy Rights Act) - California residents' data was exposed. CCPA provides a private right of action for data breaches resulting from failure to implement reasonable security measures, with statutory damages of $100-$750 per consumer per incident. With potentially hundreds of thousands of California residents affected, statutory damages alone could reach hundreds of millions of dollars. Intentional violations carry fines of $7,500 per violation.
  • SEC Disclosure Rules (8-K Item 1.05) - Conduent filed Form 8-K on April 14, 2025. The SEC requires disclosure of material cybersecurity incidents within four business days of determining materiality. The three-month gap between breach discovery (January 13, 2025) and SEC filing (April 14, 2025) will be scrutinized for whether Conduent determined materiality in a timely manner, particularly given the immediate service disruptions to government agencies.
  • FTC Act Section 5 - Unfair or deceptive trade practices. Conduent's failure to implement basic security controls - MFA, network segmentation, LSASS protection, DLP - while processing data for 100 million+ Americans may constitute unfair practices under Section 5. The FTC has pursued consent decrees and multi-million dollar settlements against companies with similar security failures.
  • State Breach Notification Laws (All 50 States) - SSN exposure triggers mandatory breach notification in all 50 US states. Conduent's notification timeline - beginning in October 2025, nearly a year after the breach - will be challenged in multiple jurisdictions. Texas requires notification within 60 days of discovery. The Texas AG's investigation specifically examines notification timeliness.
  • Texas Medical Records Privacy Act / Texas Identity Theft Enforcement and Protection Act - Texas AG Paxton's Civil Investigative Demands to Conduent and BCBS Texas invoke state-level enforcement authority. Texas can impose penalties of up to $250,000 per violation of the Identity Theft Enforcement and Protection Act.
  • Gramm-Leach-Bliley Act (GLBA) - If Conduent processes financial data for any banking or financial institution clients, the Safeguards Rule requires implementation of a comprehensive information security program. Failure to comply exposes both Conduent and its financial-sector clients to regulatory action.
  • State AG Enforcement - Multiple state attorneys general beyond Texas are scrutinizing the breach. Montana has initiated investigations related to BCBS Montana's 462,000 affected individuals. The multi-state nature of the breach may trigger coordinated enforcement similar to the Equifax settlement.

09

INTELLIGENCE GAPS

Several critical questions remain unanswered:

  • Ransom payment: Conduent was removed from SafePay's leak site, strongly suggesting a ransom was paid or the data was sold. Conduent has not disclosed whether payment was made. If ransom was paid, the amount is unknown.
  • Initial credential source: How were the VPN credentials compromised? Infostealer malware, brute force, credential stuffing, or a prior supply chain compromise? This determines whether other organizations using similar VPN configurations are at risk.
  • VPN product and configuration: Which VPN product was in use? Was MFA enforced? What authentication protocols were configured?
  • Data on dark web: Has the stolen data been published, sold, or distributed beyond SafePay's original threat? The removal from the leak site may mean the data is not publicly available - or it may mean it was sold privately.
  • Final victim count: The 25 million figure continues to grow with each supplemental notification. Oregon's 10.5 million affected exceeds the state's current population, indicating historical records are included. The true scope may not be known until 2027 or later.
  • FBI investigation status: No public updates have been issued regarding any federal criminal investigation into SafePay's operations.

10

ZERO|TOLERANCE Advisory

1. Enforce phishing-resistant MFA on all VPN gateways. FIDO2 hardware security keys (e.g., YubiKey 5 series) should be mandatory for all remote access. SMS and TOTP-based MFA are insufficient against modern credential theft techniques.

This single control would have prevented initial access.

2. Deploy Windows Credential Guard and LSASS protection. Credential Guard uses virtualization-based security to isolate LSASS and prevent credential harvesting from memory.

Combined with PPL (Protected Process Light) enforcement for LSASS, this would have blocked SafePay's credential scraping via Mimikatz and Procdump.

3. Implement least-privilege access with just-in-time provisioning. No single administrator account should have persistent, unconstrained access to production data across the entire environment.

Privileged access management (PAM) solutions with just-in-time provisioning, session recording, and automatic credential rotation would have limited the blast radius of the compromised account.

4. Segment networks to isolate sensitive data environments. Government benefits data, healthcare records, and PII should be in dedicated network segments with strict access controls, micro-segmentation policies, and east-west traffic monitoring.

An attacker who compromises a VPN endpoint should not have a direct path to production databases containing 100 million Americans' records.

5. Deploy data loss prevention with anomaly-based detection. The exfiltration of 8.5 terabytes of data over weeks should have triggered automated alerts.

Network DLP solutions monitoring outbound traffic volumes, combined with UEBA (User and Entity Behavior Analytics) to detect abnormal data access patterns, would have identified the exfiltration in progress.
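The volume-based detection that failure-chain item 5 and this advisory item call for, as an added example that is not part of the original analysis and is not Conduent's or any vendor's code: per-host daily outbound bytes to external destinations are checked two ways, a median/MAD spike test and a rolling seven-day cumulative budget that catches low-and-slow transfers (8.5 TB over 84 days averages roughly 100 GB per day, a rate a single-day spike rule can miss entirely). The flow records, host names, addresses, internal ranges and thresholds are all constructed assumptions.

```python
from collections import defaultdict
from datetime import date, timedelta
from ipaddress import ip_address, ip_network
from statistics import median

GB = 10**9
# Assumption: anything outside these ranges counts as an external destination.
INTERNAL_NETS = [ip_network(n) for n in
                 ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]

def build_sample_flows():
    """Constructed daily flow summaries (host, day, dst, bytes), not real telemetry.
    fs-01: ~2 GB/day external plus a 500 GB/day internal backup, then a 120 GB burst.
    fs-02: a steady 8 GB/day external trickle that never spikes."""
    flows, start = [], date(2024, 11, 1)
    for i in range(11):
        day = (start + timedelta(days=i)).isoformat()
        ext = 120 * GB if i == 10 else 2 * GB + (i % 3) * 100_000_000
        flows.append({"host": "fs-01", "day": day, "dst": "203.0.113.9", "bytes": ext})
        flows.append({"host": "fs-01", "day": day, "dst": "10.0.0.5", "bytes": 500 * GB})
    for i in range(14):
        day = (start + timedelta(days=i)).isoformat()
        flows.append({"host": "fs-02", "day": day, "dst": "203.0.113.9", "bytes": 8 * GB})
    return flows

def is_external(dst):
    addr = ip_address(dst)
    return not any(addr in net for net in INTERNAL_NETS)

def daily_external_bytes(flows):
    """Outbound bytes per host per day, counting only external destinations, so
    internal replication and backups neither trigger nor mask the detectors."""
    per_host = defaultdict(lambda: defaultdict(int))
    for f in flows:
        if is_external(f["dst"]):
            per_host[f["host"]][f["day"]] += f["bytes"]
    return per_host

def spike_alerts(per_host, k=6.0):
    """Per-day test: flag days more than k MADs above the host's median. Median/MAD
    rather than mean/stddev so the outlier day cannot inflate its own baseline."""
    alerts = []
    for host, days in per_host.items():
        vals = list(days.values())
        med = median(vals)
        mad = median(abs(v - med) for v in vals) or 1.0
        alerts += [(host, day, b) for day, b in sorted(days.items()) if (b - med) / mad > k]
    return alerts

def cumulative_alerts(per_host, window_days=7, limit_bytes=50 * GB):
    """Rolling-window test for low-and-slow exfiltration: a host that never spikes
    can still move far more than a business-justified budget in a week.
    Returns the first (day, window total) that breaches the limit, per host."""
    first_breach = {}
    for host, days in per_host.items():
        ordered = sorted(days.items())
        for i in range(len(ordered)):
            window = ordered[max(0, i - window_days + 1): i + 1]
            total = sum(b for _, b in window)
            if total > limit_bytes:
                first_breach[host] = (ordered[i][0], total)
                break
    return first_breach

if __name__ == "__main__":
    daily = daily_external_bytes(build_sample_flows())
    print("spikes:", spike_alerts(daily))
    print("first cumulative breach:", cumulative_alerts(daily))
```

In the sample data the spike rule only ever fires for fs-01, while fs-02 is caught solely by the cumulative budget; a DLP deployment that implements only the first rule would have stayed silent on the steady host.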

6. Conduct continuous threat hunting with a maximum 24-hour mean time to detect. An 84-day dwell time is a detection failure.

24/7 SOC monitoring with proactive threat hunting, behavioral analytics, and automated correlation of VPN authentication events, LSASS access attempts, PsExec usage, and anomalous file access patterns should reduce dwell time to hours, not months.
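The event correlation described here, over the TTPs listed in the threat actor section, as an added example that is not part of the original analysis and is not any SOC's or vendor's production logic: a VPN login followed inside a window by a non-allowlisted process reading lsass.exe (Sysmon Event ID 10) or by a PSEXESVC service install (System log 7045) is scored as one chain under the same account. The sample events, host names, the VPN source address and the LSASS allowlist are constructed assumptions; the access-right constant is the Windows PROCESS_VM_READ value.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events (not real Conduent telemetry), flattened to the fields a
# SIEM would carry: a VPN login, a Sysmon 10 ProcessAccess from a dropped procdump
# binary against lsass.exe, a benign csrss.exe access to lsass.exe, and a System
# log 7045 service install of PsExec's PSEXESVC on a database server.
SAMPLE_EVENTS = [
    {"ts": "2024-10-21T02:14:00", "type": "vpn_login", "user": "jdoe",
     "host": "vpn-gw-01", "src_ip": "203.0.113.45"},
    {"ts": "2024-10-21T03:02:11", "type": "sysmon10", "user": "jdoe", "host": "ws-042",
     "SourceImage": r"C:\Users\jdoe\AppData\Local\Temp\procdump64.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"ts": "2024-10-21T03:05:40", "type": "sysmon10", "user": "SYSTEM", "host": "ws-042",
     "SourceImage": r"C:\Windows\System32\csrss.exe",
     "TargetImage": r"C:\Windows\System32\lsass.exe", "GrantedAccess": "0x1FFFFF"},
    {"ts": "2024-10-21T04:10:02", "type": "svc_install", "user": "jdoe", "host": "srv-db-07",
     "ServiceName": "PSEXESVC", "ImagePath": r"%SystemRoot%\PSEXESVC.exe"},
]

PROCESS_VM_READ = 0x0010  # access right required to read LSASS memory
# OS components that open lsass.exe legitimately; an assumed, deliberately short allowlist.
LSASS_ALLOWLIST = {r"c:\windows\system32\csrss.exe", r"c:\windows\system32\wininit.exe",
                   r"c:\windows\system32\svchost.exe"}

def is_lsass_dump(e):
    """Sysmon 10: a non-allowlisted image opened lsass.exe with PROCESS_VM_READ."""
    if e["type"] != "sysmon10" or not e["TargetImage"].lower().endswith("\\lsass.exe"):
        return False
    if e["SourceImage"].lower() in LSASS_ALLOWLIST:
        return False
    return bool(int(e["GrantedAccess"], 16) & PROCESS_VM_READ)

def is_psexec(e):
    """System 7045: a service install whose name or image is PsExec's PSEXESVC."""
    return e["type"] == "svc_install" and \
        "psexesvc" in (e["ServiceName"] + e["ImagePath"]).lower()

def lsass_access_alerts(events):
    return [(e["host"], e["user"], e["SourceImage"]) for e in events if is_lsass_dump(e)]

def psexec_alerts(events):
    return [(e["host"], e["user"]) for e in events if is_psexec(e)]

def correlate(events, window=timedelta(hours=24)):
    """Tie each post-exploitation hit back to the VPN session of the same account:
    a login followed inside `window` by an LSASS dump or a PsExec service install
    is the chain the article describes and should outrank either alert alone."""
    logins = defaultdict(list)
    chains = []
    for e in sorted(events, key=lambda e: e["ts"]):
        t = datetime.fromisoformat(e["ts"])
        if e["type"] == "vpn_login":
            logins[e["user"]].append((t, e["src_ip"]))
            continue
        stage = "lsass_access" if is_lsass_dump(e) else "psexec_service" if is_psexec(e) else None
        if stage is None:
            continue
        for login_at, src_ip in logins[e["user"]]:
            delta = t - login_at
            if timedelta(0) <= delta <= window:
                chains.append({"user": e["user"], "vpn_src": src_ip, "host": e["host"],
                               "stage": stage, "minutes_after_login": int(delta.total_seconds() // 60)})
                break
    return chains

if __name__ == "__main__":
    for chain in correlate(SAMPLE_EVENTS):
        print(chain)
```

The allowlist is the part that needs tuning per estate: with Credential Guard or LSASS PPL in place, a PROCESS_VM_READ open of lsass.exe by anything outside it is rare enough to page on directly.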

11

SOURCES

TechCrunch, Malwarebytes, Gizmodo, Fox News, Fox Business, SecurityWeek, BankInfoSecurity, GovInfoSecurity, Cybersecurity Dive, Cybersecurity News, CyberPress, TechRepublic, TechRadar, PCWorld, Tom's Guide, Becker's Hospital Review, Becker's Payer Issues, HIPAA Journal, SC Media, The Register, SecurityAffairs, GovTech, Texas Attorney General Office, Conduent SEC Filing (8-K April 14 2025), Conduent Investor Relations, Bitdefender, Huntress, Halcyon, Check Point, SOCRadar, Blackpoint Cyber, Flare, Proven Data, SureFire Cyber, Acronis, Red Piranha, Fortra, Quorum Cyber, ClaimDepot, Virginia Tech News, CBS, NPR, Yahoo News
