25 Million of America's Most Vulnerable Just Had Their Data Stolen. They Never Chose to Trust the Company.
Conduent processes food stamps, Medicaid, child support. One ransomware breach exposed 25.9M records. The people who can least afford identity theft just became its likeliest victims.
A ransomware gang just walked away with the personal records of 25.9 million Americans. Not credit card numbers. Social Security numbers, medical histories, health insurance details, benefit eligibility. The kind of data that opens the door to identity theft, tax fraud, and benefit scams.
The company is Conduent. You've probably never heard of them.
The Invisible Middleman
Conduent doesn't sell you anything. You don't download their app or sign a contract. They're a government contractor — the company that states hire to run food stamps (EBT), Medicaid payments, child support processing, and disability benefits.
If you've received government assistance in Texas or Oregon, Conduent handled your data. You didn't choose them. The state did.
Now your information's gone.
The Numbers Keep Growing
In October 2025, the breach hit. Initial reports said 400,000 people affected in Texas alone. Then the number jumped to 4 million. Then 15.4 million. Oregon added another 10.5 million. Delaware, Massachusetts, New Hampshire — hundreds of thousands more.
The ransomware group SafePay claims they grabbed 8 terabytes of data.
That's not a leak. That's a wholesale extraction.
Who Pays the Price?
Here's the brutal part: the people in this breach can't afford credit monitoring. They're receiving food stamps. They're on Medicaid. They're foster children. Disability claimants.
Identity theft is expensive to fix. It takes time, legal help, credit repair. These are people who turned to government benefits because they needed them. They're now dealing with identity theft risk because a contractor they never picked got hacked.
Social Security data breaches "dramatically increase the risk of identity theft," according to security experts. Often victims don't realize it until tax season, when someone else has already filed using their SSN.
The Cybersecurity Gap
Federal contractors are supposed to follow NIST SP 800-171 — cybersecurity standards for handling sensitive information. There's DFARS (Defense Federal Acquisition Regulation Supplement). There's FISMA (requiring agencies to implement security programs).
Ransomware attacks on government entities jumped 65% in the first half of 2025. That's 208 attacks in six months. For the full year, government saw 374 attacks, up 27%.
The rules exist. The attacks keep working.
The Outsourcing Dilemma
States outsource benefits processing because contractors promise efficiency. Conduent's own marketing touts "up to 27% reduction in government benefits costs."
But when a contractor gets breached, the state doesn't absorb the fallout. The benefit recipients do. They're the ones monitoring credit reports, freezing accounts, filing fraud alerts.
Conduent will offer credit monitoring (they always do). For most of these 25.9 million people, that's a band-aid on a gaping wound. The data's already out there. The damage compounds over years, not months.
What This Means
This isn't about Conduent specifically. It's about a system where the people who need government services most are also the most exposed when those services fail.
Nobody receiving food stamps gets to choose which contractor processes their benefits. Nobody on Medicaid gets to vet the cybersecurity of the company handling their medical records.
They trust the system because they have to. And when that system outsources to a third party that gets hacked, they're the ones left dealing with stolen identities.
25.9 million people. Most of them will never know their data was breached until something goes wrong. A denied loan. A fraudulent tax return. A medical bill for a procedure they never had.
The people who can least afford identity theft just became its likeliest victims.
Sources for this article are being documented. Albis is building transparent source tracking for every story.