Missouri Regulators Press Conduent for Answers on 25‑Million‑Record Breach
Missouri officials say Conduent has not shared enough details to assess a breach that may have exposed over 25 million Americans’ personal data.

TL;DR: Missouri regulators are pressing Conduent for details after a breach that exposed personal data of over 25 million Americans from October 2024 to January 2025. The state says the vendor has not shared enough information to assess the impact on Missouri insurance consumers.
Context: Conduent Business Services handles insurance claims, payment integrity and back‑office support for insurers. In January 2025 the company discovered that attackers had been inside its network since October 21, 2024, accessing files with names, addresses, Social Security numbers and medical records.
Key Facts: The unauthorized access lasted nearly three months, potentially affecting more than 25 million U.S. individuals. Missouri’s Department of Commerce and Insurance first contacted Conduent on March 17, 2026, seeking specifics about Missouri residents. More than six weeks later regulators said they still lack sufficient information to gauge the breach’s impact. DCI Director Angela Nelson noted the agency is “concerned and disappointed” by the limited disclosure.
What It Means: For consumers, the exposed data includes identifiers that can be used for identity theft, fraudulent credit applications or medical‑billing scams. Regulators are now asking insurers that used Conduent to self‑report whether their data was involved and to describe the services provided. This shifts part of the investigative burden to the insurers while the state waits for clearer answers from the vendor.
Mitigations / What Defenders Should Do: Organizations that rely on third‑party vendors should enforce multifactor authentication on all remote access points, segment networks to limit lateral movement, and monitor for signs of credential misuse (MITRE ATT&CK T1078). Review logs for unusual authentication patterns, privileged‑access abuse (T1003) and remote service exploitation (T1021). Apply the latest patches for any known vulnerabilities in exposed services and maintain an up‑to‑date asset inventory to detect unauthorized devices. Conduct regular tabletop exercises that include third‑party breach scenarios and verify that breach‑notification contracts specify clear timelines and data‑sharing requirements.
What's Next: Watch for any enforcement actions or fines from Missouri regulators, as well as updates from insurers on the scope of affected records and whether Conduent will provide additional breach details.