Conduent discloses data breach significantly larger than initially reported

Business services giant Conduent has acknowledged that a previously disclosed cybersecurity incident compromised substantially more individuals' data than originally reported, according to regulatory filings and state notification letters. The Morristown, New Jersey-based company, which handles sensitive government and healthcare contracts, initially disclosed limited exposure in early 2026 but has now expanded breach notifications to cover additional affected systems and longer time periods of unauthorized access. Specific figures on the revised scope have not been publicly released, though state attorneys general offices indicate notification letters are being issued to residents across multiple jurisdictions. Conduent provides Medicaid management, toll collection, and human resources services to numerous state and local government clients, raising particular concern about potential exposure of benefits eligibility records and financial data. The company has attributed the incident to a sophisticated external attack but has not confirmed whether ransomware was involved. Contracting agencies in at least three states have demanded forensic accounting of affected systems. Conduent stated it has implemented additional security measures and is cooperating with federal investigators.