The Conduent Security Breach Could Have Been Stopped with Distributed Secrets Management

March 10, 2026 | Read time: 9 minutes 29 seconds

In November 2025, Conduent confirmed a data breach affecting the protected health records of approximately 25 million people. For 84 days, the SafePay ransomware group worked inside Conduent's network and exfiltrated 8.5 terabytes of data without triggering a single alarm.


The Conduent security breach, which ultimately resulted in the exposure of protected health records belonging to 25 million people (and at least $25 million in costs to Conduent), stemmed from Conduent's administrative accounts having unilateral authority to access, move, and exfiltrate data without independent constraint.

Just as in other breaches we’ve analyzed, such as the Cloud Nordic breach two years earlier, there was a single point of failure in how Conduent managed privileged credentials.

Below, we show you exactly what went wrong during the Conduent security breach so you can avoid a similar situation in your organization.

The Conduent Security Breach Attack Chain

Conduent is, for most Americans, a relatively unknown name. Yet it is an organization that millions of people interact with every year. Conduent processes over 500 million Medicaid claims annually and manages benefits for 120 million people across 46 states.

With such enormous responsibility, Conduent was ISO 27001 certified and invested heavily in security. However, the problem (which emerged after the 2025 breach) was that Conduent’s security investment was primarily focused on perimeter security, i.e., stopping attackers from entering Conduent’s network.

But like every security program, there were gaps. SafePay reportedly gained initial access through compromised VPN and RDP credentials.

From there:

  1. The attackers scraped administrative credentials from the Local Security Authority Subsystem Service (LSASS) using tools like Mimikatz and Procdump.
  2. Because a single administrator had unilateral power to map and access production systems, the stolen identity gave the attackers unconstrained authority.
  3. The attackers moved laterally across the network to the production database servers holding protected health information.
  4. Over 84 days, from October 21, 2024, to January 13, 2025, they exfiltrated 8.5 terabytes of PHI and PII in its decrypted processing state.
  5. SafePay deployed ransomware, causing an operational outage and forcing Conduent to notify approximately 25 million people.

Unilateral Authority Created an 84-Day Blind Spot

Perimeter security can never be counted on to be 100% foolproof. Organizations are fixed targets and, with enough time and resources, an attacker will inevitably find an entry point into a network.

What separates relatively minor incidents from major breaches like Conduent’s is what happens next. What can an attacker do once they’re inside?

Unfortunately for Conduent (as well as their suppliers and the 25 million impacted individuals), their administrative systems had unilateral authority over production data.

This meant that once a trusted identity was compromised, its authority was unconstrained.

SafePay attackers were able to break in and easily mimic legitimate administrative activity using stolen credentials, effectively neutralizing the perimeter-focused security stack.

This was not Conduent's first incident either.

In June 2020, the Maze ransomware group compromised Conduent with an eight-week dwell time.

Four years later, SafePay extended that window to 12 weeks because the attack surface had not been architecturally addressed, and controls were primarily focused on keeping attackers out without considering how to prevent damage when/if someone got in.

In the table below, we break down the critical points where Conduent's security controls failed.

Control: Access controls
Why it failed: Once access was granted, the account could unilaterally access and move data. The control existed at the gate, but not at the action.

Control: Perimeter security
Why it failed: The attack came through legitimate VPN and RDP credentials. The perimeter was never breached because the attackers had valid keys.

Control: Monitoring and detection
Why it failed: Reactive. The attackers mimicked legitimate admin activity for 84 days. Alerts that fire after the action is taken are too late to prevent data exfiltration.

Control: Credential management
Why it failed: Administrative credentials persisted in memory as complete secrets. LSASS scraping gave attackers full access from a single compromised workstation.

The root cause in 2020 was the same as in the 2024 breach: a single administrative domain gave anyone holding one of its accounts unilateral authority over production systems.

The 2020 incident should have been a signal to address the architectural vulnerability, but four years later, the same attack vector produced a larger and more impactful breach.

3 Secrets Management Lessons from the Conduent Security Breach

The business risks from relying on centralized credential management are enormous, but beyond this high-level lesson, there are three core takeaways for any organization processing sensitive data at scale:

  1. If administrative systems have unilateral authority over production data, a single compromised credential can expose everything. Stronger authentication does not solve this. The control has to exist at the action itself.

  2. Separation of duties must be enforced by architecture, not policy. Multi-party approval for high-privilege actions is not overhead. It is the only defense against single-point-of-failure attacks.

  3. An 84-day dwell time is not a detection failure in itself, but the consequence of a system in which legitimate and illegitimate administrative activity appear identical. When the architecture cannot distinguish between the two, monitoring becomes reactive by definition.

Distributed Secrets Management Would Have Mitigated the Conduent Security Breach

With SplitSecure in place, the attackers could not have carried out the data exfiltration even after compromising internal systems, because no single path leads to an account with unconstrained authority.

No single point of failure

  • With SplitSecure, administrative secrets are split across multiple devices.
  • No single device ever persists the protected credentials.
  • Attackers would need to compromise at least a threshold number of those devices at the same time.

Separation of duties enforced by architecture

  • No single identity can access and exfiltrate production data unilaterally.
  • Multi-party approval is required for actions with high-privilege impact.
  • This is cryptographic enforcement, not policy documentation.

Every request logged automatically

  • The system cannot be used without generating an audit trail.
  • Anomalous access patterns would have triggered alerts immediately, not after 84 days.
  • There’s verifiable proof that controls were followed, not just that access was granted.

FAQs

What was the Conduent security breach?

In 2024-2025, the SafePay ransomware group compromised Conduent Business Services, exfiltrating 8.5 terabytes of data, including protected health records for approximately 25 million people, over an 84-day period.

How did the Conduent data breach happen?

The attackers gained access through compromised VPN and RDP credentials, then scraped administrative credentials from memory. Because a single administrator had unilateral access to production data, the stolen identity gave the attackers unconstrained authority to exfiltrate data.

Why was the Conduent data breach not detected for 84 days?

The attackers used legitimate administrative credentials and mimicked normal activity. In a system where a single trusted identity has unconstrained authority, there is no architectural distinction between legitimate and illegitimate access.

Has Conduent been breached before?

Yes. In 2020, the Maze ransomware group compromised Conduent with an eight-week dwell time. The root cause was the same: a single administrative domain with unilateral authority over production systems.

How does distributed secrets management prevent this type of breach?

By splitting administrative credentials across multiple devices so that no single device persists the protected credentials. Reconstructing a secret requires a threshold of team members to collaborate, making unilateral access mathematically impossible.
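The k-of-n split described in this answer and in the "No single point of failure" and "Separation of duties" sections above, as an added illustration that is not SplitSecure's code: Shamir secret sharing over a prime field splits a constructed sample credential into five shares, any three of which reconstruct it while two are refused, and a hypothetical vault records every share contribution and decision before it acts, which is the "control at the action" and "every request logged" idea in working form. The ThresholdVault class, the device names, the action name and the 15-byte credential limit are all assumptions of the demo.

```python
"""Threshold-split credential with multi-party approval and an audit trail.

Added illustration, not SplitSecure's code. Shamir secret sharing stands in
for the "split across multiple devices" mechanism; vault, device names and
the sample credential are constructed for the demo.
"""
from __future__ import annotations

import secrets
from dataclasses import dataclass, field

# Field modulus: the Mersenne prime 2^127 - 1. A secret must be smaller than
# it, so this demo caps a credential at 15 bytes (chunk or use a larger prime
# for longer secrets).
PRIME = (1 << 127) - 1
MAX_BYTES = 15


def encode(credential: bytes) -> int:
    """Map a short credential to a field element."""
    if not credential or len(credential) > MAX_BYTES:
        raise ValueError(f"credential must be 1..{MAX_BYTES} bytes for this demo")
    return int.from_bytes(credential, "big")


def decode(value: int) -> bytes:
    """Inverse of encode (leading zero bytes are not preserved)."""
    return value.to_bytes(MAX_BYTES, "big").lstrip(b"\x00")


def split_secret(secret: int, n: int, k: int) -> list[tuple[int, int]]:
    """Split a field element into n shares so that any k of them reconstruct it.

    A random polynomial f of degree k-1 with constant term `secret` is evaluated
    at x = 1..n; share i is (i, f(i)). Fewer than k points leave f(0) completely
    undetermined, which is why one device's share is useless on its own.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    if not 0 <= secret < PRIME:
        raise ValueError("secret must be a field element")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    shares = []
    for x in range(1, n + 1):
        y = 0
        for c in reversed(coeffs):  # Horner's rule, mod PRIME
            y = (y * x + c) % PRIME
        shares.append((x, y))
    return shares


def reconstruct(shares: list[tuple[int, int]], k: int) -> int:
    """Lagrange-interpolate f(0) from at least k distinct shares."""
    if len(shares) < k:
        raise PermissionError(f"threshold not met: {len(shares)} of {k} shares")
    points = shares[:k]
    secret = 0
    for i, (xi, yi) in enumerate(points):
        num = den = 1
        for j, (xj, _) in enumerate(points):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # pow(den, PRIME-2, PRIME) is the modular inverse (Fermat), PRIME being prime
        secret = (secret + yi * num * pow(den, PRIME - 2, PRIME)) % PRIME
    return secret


@dataclass
class AuditLog:
    """Append-only record of every contribution and decision."""
    entries: list[tuple] = field(default_factory=list)


class ThresholdVault:
    """Hypothetical vault: holds only the public parameters (n, k); shares stay on devices."""

    def __init__(self, n: int, k: int, log: AuditLog) -> None:
        self.n, self.k, self.log = n, k, log

    def authorize(self, action: str, contributions: dict[str, tuple[int, int]]) -> int | None:
        """Assemble shares contributed by named approvers for one action.

        Every contribution is logged before the decision is made, so the trail
        exists whether or not the threshold is met. Returns the credential on
        success and None when too few approvers took part.
        """
        for approver, share in contributions.items():
            self.log.entries.append(("share_contributed", action, approver, share[0]))
        try:
            credential = reconstruct(list(contributions.values()), self.k)
        except PermissionError as exc:
            self.log.entries.append(("denied", action, str(exc)))
            return None
        self.log.entries.append(("approved", action, sorted(contributions)))
        return credential


if __name__ == "__main__":
    cred = b"demo-admin-pw"  # constructed sample credential
    shares = split_secret(encode(cred), n=5, k=3)
    devices = {f"device{x}": (x, y) for x, y in shares}  # one share per device
    log = AuditLog()
    vault = ThresholdVault(5, 3, log)
    print(vault.authorize("export-phi", {d: devices[d] for d in ("device1", "device2")}))
    result = vault.authorize("export-phi", {d: devices[d] for d in ("device1", "device3", "device5")})
    print(decode(result), log.entries)
```

In a deployed system the shares would never sit in one process as they do in this demo's `devices` dictionary; each would stay on its own device and only the contributions for a given request would be brought together, and the reconstructed value would be used once and discarded rather than persisted. The point the code makes is structural: an attacker holding one device's share, or two, gets a denial and a log entry, not a credential.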

Protect Your Organization from Credential-Based Attacks

See how SplitSecure's distributed secrets architecture prevents single-point-of-failure attacks on your most critical systems.

SplitSecure makes separation of duties a mathematical certainty, not a policy hope.

Tristan Morris
CEO, Co-Founder @ SplitSecure
A prodigy who started attending college at age 12. After graduating from Cornell with a degree in Aerospace Engineering, Tristan went on to lead product for Federal Security at KNOX, Samsung’s military and defense cybersecurity group.