Conduent Business Services Data Breach Exposes Over 25 Million Individuals, Missouri Regulators Claim Vendor Stonewalling
What Happened — In March 2024 Conduent Business Services suffered a cyber‑intrusion that compromised personal data of more than 25 million people nationwide. The breach was publicly disclosed in April 2025, and Missouri’s Department of Commerce and Insurance alleges Conduent has refused to supply regulators with critical details needed for impact assessment.
Why It Matters for TPRM —
- The incident involves a third‑party service provider that processes health‑related claim forms for insurers, creating a supply‑chain risk for covered entities.
- Lack of transparency hampers risk‑based decision‑making and may delay breach‑notification obligations to affected consumers.
- The scale (25 M+ records) places the breach among the largest in U.S. history, raising concerns about downstream data‑privacy liabilities.
Who Is Affected — Health‑care insurers, payroll/claims processors, and any organization that relies on Conduent’s back‑office services; indirectly, millions of patients and policyholders.
Recommended Actions —
- Review contracts with Conduent for breach‑notification clauses and data‑handling obligations.
- Request evidence of Conduent’s security controls (e.g., SOC 2, ISO 27001) and any post‑incident remediation plans.
- Conduct a supplemental risk assessment for all downstream services that ingest Conduent‑processed data.
Technical Notes — The public record does not disclose the exact attack vector; speculation points to possible credential theft or exploitation of an unpatched vulnerability in Conduent’s document‑processing platform. Data types likely include personally identifiable information (PII) and protected health information (PHI).
Source: DataBreachToday