Millions of Americans are now being notified that their personal information may have been exposed in what the Texas Attorney General has described as the largest data breach in U.S. history. The cyberattack targeted Conduent Business Services, a major third-party contractor that handles administrative and operational tasks for large corporations and government agencies.
Notification letters are already arriving in mailboxes across multiple states, including communities in the Central Savannah River Area (CSRA). For many recipients, the name Conduent may not immediately ring a bell. The company operates largely behind the scenes, providing printing, mailroom, and back-office support services to high-profile clients. Among those clients is Blue Cross Blue Shield of Texas, meaning millions of policyholders could be affected through that relationship alone.
The scale of the breach is staggering. Data published by the Oregon Department of Justice, which maintains an online portal tracking reported data breaches, indicates that more than 10 million individuals have already been identified as potentially impacted. Authorities say that figure may continue to rise as investigations unfold and additional organizations confirm their exposure.
Hackers Accessed Systems for Months Before Discovery
According to disclosures from Conduent, the company became aware of suspicious activity on January 13, 2025. A subsequent forensic investigation determined that unauthorized individuals had gained access to its systems as early as October 21, 2024. That means sensitive information may have been accessible to hackers for nearly three months before the breach was detected and contained.
Cybersecurity professionals note that the duration of unauthorized access is particularly concerning. The longer attackers remain inside a network undetected, the greater the likelihood they were able to copy, download, or manipulate large volumes of data. In this case, the exposure window spanned nearly 90 days.
So far, residents in Georgia, South Carolina, New Jersey, New Hampshire, Maine, Massachusetts, and New Mexico have been confirmed among those affected. Officials caution that the list of impacted states could grow as more notifications are issued and state agencies complete their reviews.
Personal and Medical Information Among Data Exposed
The type of information exposed varies depending on the individual and the services Conduent was providing on behalf of its clients. Some people were informed that basic personal identifiers, such as names, home addresses, and Social Security numbers, were accessed. Others were told that more sensitive information, including medical records and health insurance details, may have been involved.
Because Conduent serves as a contractor for numerous organizations, the exact data exposed depends on which client’s records were being processed during the period of unauthorized access.
One point of confusion for many recipients is that the notification letters do not clearly identify which company originally shared their data with Conduent. That lack of specificity makes it harder for individuals to determine which account or relationship may have led to their information being stored within Conduent’s systems. Consumer advocates say clearer communication could help affected individuals better understand their risk and respond more effectively.
Free Credit Monitoring Offered to Affected Individuals
To help mitigate potential harm, Conduent is offering one year of complimentary credit monitoring services to those whose information was exposed. Individuals who receive a notification letter must enroll in the program by April 30, 2026, in order to take advantage of the free protection.
The letters contain enrollment instructions and provide a customer assistance hotline — 877-332-1658 — which operates Monday through Friday from 9 a.m. to 9 p.m. Eastern Time. Officials stress that the letters are legitimate and should not be discarded. While scam attempts often follow major breaches, this notification is considered genuine, and recipients are encouraged to carefully review the information and follow the outlined steps.
Missing the April 30 enrollment deadline could mean losing access to the complimentary monitoring services.
Experts Recommend Additional Protective Measures
While credit monitoring can help detect suspicious activity, cybersecurity experts say it should not be the only line of defense. Individuals concerned about identity theft are encouraged to take proactive steps to secure their financial information.
One of the most effective tools available is a credit freeze. Consumers can request a freeze free of charge from the three major credit reporting agencies — Equifax, Experian, and TransUnion. A freeze prevents lenders from accessing a person’s credit file, making it extremely difficult for fraudsters to open new accounts in someone else’s name without authorization.
Regularly reviewing credit reports is another important safeguard. By checking for unfamiliar accounts or inquiries, individuals can spot potential fraud early. Monitoring bank and credit card statements for unauthorized transactions is also critical, as even small suspicious charges can signal larger problems.
Experts also warn about phishing attempts that often follow publicized breaches. Criminals may send emails or place phone calls posing as representatives connected to the incident, hoping to trick individuals into providing additional personal details. People are advised to be cautious about unsolicited communications and to rely only on official contact information provided in the breach notification letter.
Placing a fraud alert on credit files is another option. Fraud alerts require lenders to take extra steps to verify identity before issuing credit, offering an additional layer of protection without fully locking down a credit report.
Comments are closed.