Conduent Ransomware Exposes 25 Million Americans: SafePay’s Biggest Payday Yet

TL;DR SafePay ransomware hit Conduent and exposed 25 million Americans’ personal data. Likely the largest breach in US history. Here’s the full breakdown and what it means for third-party risk management.


Twenty-five million Americans. Let that sit for a second. Twenty-five million people who had their data — Social Security numbers, financial records, personal identifiers — held inside a government IT contractor they’ve probably never heard of, and had zero say in whether that contractor secured it properly. Conduent, the outsourced government services giant that processes welfare payments, unemployment claims, child support, and a dozen other public services across the United States, got absolutely destroyed by the SafePay ransomware gang. And per Gizmodo, this thing might be the largest breach in U.S. history.

You’d think that phrase — “largest breach in U.S. history” — would generate a bit more outrage. Instead, it barely made the news cycle. That’s how normalized this garbage has become.

What Happened

According to TechCrunch’s reporting, the Conduent breach started as a January 2025 incident that the company initially downplayed as “limited in scope.” Then states started asking questions. Then the numbers started growing. By February 2026, the breach had ballooned to at least 25 million affected individuals across multiple U.S. states, per Yahoo Finance.

The SafePay ransomware gang — not the most publicized crew, but evidently quite competent — claimed responsibility. They got in, exfiltrated a massive data set, and walked out. The data includes names, Social Security numbers, dates of birth, home addresses, and in some cases banking or benefits information. Not exactly low-stakes stuff. These are the people receiving unemployment benefits, Medicaid payments, child support — some of the most financially vulnerable people in the country. Their data is now on the market.

The evrimagaci.org roundup and Fox Business both note that Conduent processes payments and services on behalf of numerous state governments — which means this single vendor breach has effectively compromised social welfare systems across the entire country simultaneously. This is textbook third-party risk becoming a national-scale catastrophe.

Why It Matters (Beyond the Obvious)

Conduent is what you’d call a “systemic” vendor. They sit in the middle of government-to-citizen payment infrastructure for multiple states. A breach here doesn’t hit one organization — it hits every agency that ever handed Conduent a dataset and said “here, manage this for us.” These are people who, by definition, couldn’t opt out of using the service.

The most infuriating thing about this whole situation is that it was entirely foreseeable. Government IT outsourcing is a well-documented catastrophic risk. As I wrote in my book Dominance on the Digital Battlefield: Why Cyber Weapons Are Cooler than Nukes, critical infrastructure operators and their vendor ecosystems are the most high-value, least-secured targets in the modern threat landscape. That analysis was published in 2024. The Conduent breach is a direct data point confirming it.

When governments outsource the delivery of social services to a single commercial vendor, they have just created one hell of a honeypot. One successful ransomware deployment equals simultaneous data exfiltration from dozens of state agencies. The efficiency of attack is spectacular.

What Went Wrong (Pick a Reason, There Are Several)

Conduent has had security incidents before. The company was hit by the Maze ransomware gang in 2020. They know what a ransomware attack looks like. And yet.

The breach wasn’t caught until after significant exfiltration had occurred. Standard stuff at this point — companies run EDR tools they don’t tune, SIEM platforms they don’t staff, and alert queues they don’t read. The SafePay gang got in, moved laterally, found the data, and left with it. Nobody apparently noticed until things started showing up in dark web markets.

The “limited in scope” initial disclosure is a pattern, not an accident. As I covered in my post on the Threat Intelligence Firm AWS credentials leak in December 2025, organizations routinely low-ball breach scope in initial disclosures because they genuinely don’t know the extent of the damage, and also because smaller numbers attract less regulatory attention. By the time the real numbers emerge months later, the news cycle has moved on. It’s a strategy, whether intentional or not.

Third-party risk management was apparently non-existent or purely checkbox. Each state government that handed Conduent a dataset of benefits recipients presumably required some sort of security certification — SOC 2, ISO 27001, FedRAMP, whatever. Those certifications mean absolutely nothing when an attacker gets in anyway and the breach dwell time stretches on unchecked. Certifications tell you what controls existed at the point of audit. They tell you nothing about whether those controls are working right now.

The Systemic Problem Nobody Wants to Fix

Government IT procurement is structurally broken for security. Contracts go to the cheapest bidder with the right checkbox certifications. Security requirements are written by procurement lawyers, not practitioners. Post-award security audits are rare, underfunded, and toothless. Breach notifications are contractually required but the penalties are nowhere near proportionate to the damage.

As I laid out in “Why There Will Be a Cyber-9/11. Soon,” the combination of critical service concentration, low-security vendor ecosystems, and inadequate government oversight is a recipe for a genuinely catastrophic attack. Conduent hitting 25 million Americans is bad. Imagine if SafePay had decided to corrupt the payment data rather than exfiltrate it. Unemployment payments bouncing across 10 states simultaneously. Child support systems offline. Benefits recipients without access to funds they depend on. That’s the threat model nobody’s building towards.

What Needs to Happen

For organizations processing government data at scale, here’s what needs to change:

Continuous security monitoring, not annual audits. Certifications are snapshots. Threat actors operate in real time, and your vendor oversight needs to as well. Contractually require real-time log sharing, mandatory incident notification within 4 hours (not 72, not “when we feel like it”), and the right to conduct unannounced technical audits.

Data minimization and compartmentalization. Does a single vendor really need access to 25 million records at once? Architect data flows so that a breach at one vendor exposes a meaningful but bounded dataset — not the entire program.

Ransomware-specific incident response plans for vendors. Your IR plan probably covers your own systems. Does your vendor contract require the same? Does it specify what happens to your data if they get hit? Most don’t.

Assume breach in vendor selection. Stop asking “Is this vendor secure?” Start asking “When this vendor gets breached, what’s the blast radius?”
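The “assume breach” and compartmentalization points above can be turned into a repeatable check over a vendor data-flow inventory. The script below is an added example, not anything from the post or from Conduent; the agencies, vendors, record counts and policy caps are constructed and hypothetical. It computes the blast radius of a total compromise of each vendor (records, agencies, data classes exposed) and flags vendors that exceed a concentration policy.

```python
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class DataFlow:
    agency: str         # state agency that handed over the dataset
    vendor: str         # third party that processes it on the agency's behalf
    records: int        # number of individuals in the dataset
    classes: frozenset  # data classes present, e.g. {"ssn", "bank"}


# Constructed inventory for illustration; not Conduent's contracts or figures.
INVENTORY = [
    DataFlow("StateA-Unemployment", "VendorX", 4_000_000, frozenset({"ssn", "bank"})),
    DataFlow("StateA-ChildSupport", "VendorX", 1_500_000, frozenset({"ssn", "bank"})),
    DataFlow("StateB-Medicaid", "VendorX", 6_000_000, frozenset({"ssn", "health"})),
    DataFlow("StateC-Unemployment", "VendorY", 2_000_000, frozenset({"ssn", "bank"})),
    DataFlow("StateC-SNAP", "VendorZ", 500_000, frozenset({"ssn"})),
]


def blast_radius(inventory):
    """Assume-breach view: what a full compromise of each vendor exposes."""
    out = defaultdict(lambda: {"records": 0, "agencies": set(), "classes": set()})
    for flow in inventory:
        entry = out[flow.vendor]
        entry["records"] += flow.records
        entry["agencies"].add(flow.agency)
        entry["classes"] |= flow.classes
    return dict(out)


def concentration_findings(inventory, max_share=0.25, max_agencies=2):
    """Flag vendors whose single failure exceeds the (hypothetical) policy caps."""
    total = sum(flow.records for flow in inventory)
    findings = []
    for vendor, radius in blast_radius(inventory).items():
        share = radius["records"] / total
        reasons = []
        if share > max_share:
            reasons.append(f"{share:.0%} of all records")
        if len(radius["agencies"]) > max_agencies:
            reasons.append(f"{len(radius['agencies'])} agencies")
        if reasons:
            findings.append((vendor, ", ".join(reasons)))
    return findings


if __name__ == "__main__":
    for vendor, why in concentration_findings(INVENTORY):
        print(f"{vendor}: a single breach exposes {why}")
```

Running it against the constructed inventory flags only VendorX, which holds 82% of all records across three agencies; splitting those datasets across vendors, or sharding by state, is the compartmentalization the text argues for.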

I covered the operational mechanics of exactly this kind of supply chain ransomware trajectory in my post on Qilin’s Korean Leaks campaign hitting 28 financial firms — one compromised intermediary, dozens of downstream victims. Conduent is the government-sector version of that exact playbook.

The Call-Out

Twenty-five million people had no choice about whether Conduent held their data. That data is now compromised. The company that held it got ransomed — again — and initially said it was “limited in scope.”

SafePay is collecting on government-grade incompetence. Every state government that outsourced critical citizen data to a single commercial vendor without robust, continuous security oversight has some serious explaining to do. The lawsuits are coming. They should.
