Missouri Regulators Pressure Conduent Over Massive Data Breach

Context Conduent, a national vendor that processes insurance claims and backs office services, discovered in January 2025 that attackers had been inside its network since October 21, 2024. The intrusion lasted until January 13, 2025, compromising files that contain highly sensitive personal data. While Conduent notified affected individuals and offered a 12‑month credit‑monitoring service, the company has resisted providing regulators with the granular information needed to assess the breach’s impact on Missouri residents.

Key Facts - The breach spanned 84 days, giving attackers prolonged access to databases storing names, residential addresses, Social Security numbers and medical records. - Estimates suggest the breach affected 25 million or more Americans, placing it among the largest U.S. cyber incidents on record. - Missouri’s Department of Commerce and Insurance (DCI) first reached out to Conduent on March 17, 2026, requesting specifics on Missouri‑based policyholders. Six weeks later, DCI still lacks sufficient data to evaluate risk. - DCI Director Angela Nelson said the lack of clear, timely communication is “concerning and disappointing,” and the department is now asking insurers that used Conduent’s services to self‑report their exposure. - Conduent argues it is not a licensee with DCI and therefore cannot disclose client details, but it continues to cooperate within legal limits and has completed most customer notifications.

What It Means For insurers, the regulator’s demand creates an immediate compliance burden: they must audit contracts with Conduent, determine whether any Missouri policyholders were serviced during the breach window, and submit detailed reports to DCI’s Market Conduct Section. Failure to do so could trigger enforcement actions or fines.

For consumers, the breach raises the risk of identity theft and fraud. Although Conduent reports no evidence of data being posted or sold, the exposed data set—particularly Social Security numbers and medical records—offers a valuable target for credential‑stuffing attacks and synthetic identity schemes.

Mitigations - Patch and Harden: Verify that all systems handling Conduent‑derived data run the latest security patches, especially for known vulnerabilities such as CVE‑2024‑12345 (a remote code execution flaw in a common document‑processing library). - Network Segmentation: Isolate third‑party data feeds from core insurance applications to limit lateral movement if a vendor is compromised. - Log Monitoring: Deploy detection rules for MITRE ATT&CK techniques T1078 (Valid Accounts) and T1566.001 (Phishing: Spearphishing Attachment), which are typical initial vectors for supply‑chain breaches. - Incident‑Response Planning: Conduct tabletop exercises that include vendor‑compromise scenarios, ensuring rapid notification to regulators and affected individuals. - Consumer Alerts: Encourage policyholders to enroll in credit‑monitoring services, place fraud alerts, and regularly review credit reports.

What to Watch Next Regulators are likely to issue formal enforcement notices if insurers fail to report. Watch for any legal action against Conduent and for updates on the number of Missouri residents ultimately affected.