
How Conduent Lost 25 Million Records in 83 Days: The DLP Failure Everyone Missed


For 83 days, attackers moved freely through Conduent's systems and exfiltrated 8 terabytes of healthcare records, Social Security numbers, and personal data belonging to tens of millions of Americans. No alarm sounded. No transfer was blocked. The breach was discovered when systems stopped working, not because anyone detected the data leaving.

What Happened

Conduent is a government technology contractor that handles payment processing, healthcare claims, and benefits administration for Fortune 100 companies and state agencies. Most people have never heard of them, even though the company processes some of their most sensitive data. The SafePay ransomware group gained unauthorized access on October 21, 2024, and went undetected for nearly three months. By the time Conduent discovered the intrusion on January 13, 2025, attackers had exfiltrated over 8 terabytes of data: Social Security numbers, names, addresses, medical histories, and health insurance records.

The disclosed scope has grown steadily since. Conduent's initial filings described "a limited number" of affected users. Texas alone later reported 15.4 million affected residents. Current estimates put the number of affected individuals above 25 million, spread across more than a dozen states. Affected individuals are only now receiving notification letters, more than a year after the intrusion began. Conduent has reported $25 million in breach response costs, and multiple class action lawsuits have been consolidated in federal court.

Why This Breach Is Different

Most large breaches follow a familiar pattern: a company stores sensitive data, attackers find a way in, and that data gets stolen. The Conduent incident fits that pattern—but there are a few dimensions worth examining more carefully, because they directly inform how organizations should be thinking about their own risk posture.

The third-party problem is structural. Conduent's clients include Blue Cross Blue Shield of Texas, state Medicaid programs, and numerous other government and enterprise customers. None of those organizations were breached directly. Their data was breached through a vendor. The breach notification letters going out right now don't even specify which client relationship exposed your data. If you process sensitive data through third parties, your attack surface extends to every vendor in that chain.

The dwell time was the damage. Three months of undetected access is a long time. In a ransomware context, that dwell time is more than just exfiltration. It also provides attackers with the opportunity to map systems, understand data structures, and extract what's most valuable. The data stolen here wasn't financial account numbers that can be cancelled. Social Security numbers, medical records, and insurance details are permanent. They can't be rotated. The downstream exposure for victims will last years, potentially decades.

Detection failed at the data layer. Conduent's perimeter controls did not surface the exfiltration in progress. The intrusion was detected when it caused operational disruption, not because the data movement itself was flagged. That's the gap that modern DLP is designed to close.

The Visibility Problem: Where Legacy DLP Falls Short

The Conduent breach is a case study in what happens when organizations don't have adequate visibility into data movement at the content level.

Traditional security architectures treat the network perimeter as the primary control plane. If traffic is authorized, it passes. Ransomware groups like SafePay have become sophisticated at operating within the bounds of what looks like authorized activity by using legitimate credentials, existing access paths, and normal data transfer mechanisms to exfiltrate data over extended periods.

Legacy DLP tools struggle with this for a few reasons. Regex-based pattern matching misses data that's been transformed, compressed, or embedded in file types the rules weren't written for. Rules require constant tuning, which creates operational overhead that leads to alert fatigue and, eventually, rules that are too permissive to be meaningful. And most legacy tools lack the contextual awareness to distinguish between a legitimate transfer and data being staged for exfiltration.

How Nightfall Addresses This Attack Pattern

Know what you have. Before you can prevent exfiltration, you need to know where sensitive data lives. Organizations accumulate years of PHI, PII, financial records, and credentials across SaaS applications, storage systems, and collaboration tools, most of it untagged and unmonitored. Nightfall continuously scans across your SaaS environment using AI models trained to detect over 100 data types with 95%+ accuracy, surfacing the highest-risk exposures automatically. Legacy tools leave 60 to 80% of sensitive data undiscovered. That undiscovered data is your attack surface.

Detect exfiltration at the content layer, not the perimeter. Once an attacker begins moving data, you need controls that identify that movement by what's in the data, not just whether the traffic looks anomalous. Nightfall traces sensitive data from origin to destination: downloads, renames, compression, cloud sync, browser uploads, clipboard operations, USB transfers, and AI prompts. When content matches a sensitive data policy, it blocks the transfer, logs the event, and provides session replay for investigation. This is the control that would have surfaced Conduent's exfiltration in progress, not months after the fact.
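The difference between matching on bytes as they pass and matching on content is easy to see in code. The example below is an added illustration, not Nightfall's product code or anything from the Conduent investigation: it takes a constructed claims export containing two fake SSNs, wraps it the ways a backup job or an attacker staging data might (gzip, zip, base64-over-gzip), and runs a plain regex over each blob beside a scanner that unwraps every layer first. The SSN regex, the record contents and the unwrapping depth limit are all assumptions chosen for the demo; a production detector would add validation and context scoring on top of the pattern.

```python
"""Content-layer inspection versus raw regex matching (added illustration)."""
import base64
import binascii
import gzip
import io
import re
import zipfile

# Constructed SSN pattern for the demo. It only rejects the most obvious
# invalid prefixes; real detectors layer validation and context on top.
SSN_RE = re.compile(r"\b(?!000|666|9\d{2})\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")


def regex_scan(payload: bytes) -> list[str]:
    """Legacy-style check: run the regex over the bytes exactly as they arrive."""
    return SSN_RE.findall(payload.decode("utf-8", errors="ignore"))


def _looks_base64(data: bytes) -> bool:
    data = data.strip()
    return (bool(data) and len(data) % 4 == 0
            and re.fullmatch(rb"[A-Za-z0-9+/=\r\n]+", data) is not None)


def layers(payload: bytes, depth: int = 0, max_depth: int = 4):
    """Yield the payload plus every layer reachable by unwrapping gzip, zip
    and base64, up to max_depth nestings (bounded to avoid decompression bombs)."""
    yield payload
    if depth >= max_depth:
        return
    if payload[:2] == b"\x1f\x8b":                      # gzip magic bytes
        try:
            yield from layers(gzip.decompress(payload), depth + 1, max_depth)
        except (OSError, EOFError):
            pass
    elif payload[:4] == b"PK\x03\x04":                  # zip local file header
        try:
            with zipfile.ZipFile(io.BytesIO(payload)) as zf:
                for name in zf.namelist():
                    yield from layers(zf.read(name), depth + 1, max_depth)
        except zipfile.BadZipFile:
            pass
    elif _looks_base64(payload):
        try:
            decoded = base64.b64decode(payload.strip(), validate=False)
        except binascii.Error:
            return
        if decoded != payload:
            yield from layers(decoded, depth + 1, max_depth)


def content_scan(payload: bytes) -> list[str]:
    """Content-aware check: inspect every unwrapped layer, not just the outer bytes."""
    found: set[str] = set()
    for layer in layers(payload):
        found.update(regex_scan(layer))
    return sorted(found)


# Constructed sample: a small claims export with fake SSNs. The repeated notes
# field keeps the sample compressible so deflate does not store it verbatim.
NOTES = b"routine follow-up visit; no change in treatment plan; " * 3
RECORD = (b"member_id,name,ssn,diagnosis,notes\n"
          b"1001,A. Example,123-45-6789,Z00.00," + NOTES + b"\n"
          b"1002,B. Example,234-56-7890,J06.9," + NOTES + b"\n")


def build_samples() -> dict[str, bytes]:
    """The same record wrapped the ways it might be staged for transfer."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("claims.csv", RECORD)
    gz = gzip.compress(RECORD, mtime=0)
    return {
        "plain": RECORD,
        "gzip": gz,
        "zip": buf.getvalue(),
        "base64_gzip": base64.b64encode(gz),
    }


if __name__ == "__main__":
    for label, blob in build_samples().items():
        print(f"{label:12} regex={regex_scan(blob)!r:<32} content={content_scan(blob)}")
```

Run as a script, the regex column is populated only for the plain export; the content column finds both SSNs in all four wrappings. The depth limit matters: recursive unwrapping without a bound turns the scanner itself into a denial-of-service target.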

Automate response, not just alerting. Detecting a policy violation only matters if something happens next. Nightfall provides real-time automated remediation with multiple options like blocking transfers, revoking external sharing permissions, redacting content, and alerting security teams, all without requiring manual review of every event. Investigations that took days happen in hours. High-confidence detections trigger action automatically.

Cover AI egress vectors. As organizations deploy AI tools and agentic workflows, the exfiltration surface expands. Every prompt sent to an external LLM is a potential data egress event. Nightfall extends DLP coverage to these new vectors, blocking sensitive data from entering unauthorized AI tools, inspecting prompts and file uploads in real time, and providing visibility into what's being shared with which AI systems.

Best Practices for Organizations Processing Sensitive Data at Scale

The Conduent breach offers a clear set of lessons. Here's how to operationalize them:

Know what you have before an attacker finds it. Run a comprehensive data discovery scan across your entire SaaS environment. Identify where PHI, PII, financial records, and credentials are stored, including in archived channels, old repositories, and forgotten shared drives. You cannot protect what you haven't found.

Classify continuously, not periodically. One-time audits decay immediately. Data flows are constant. Classification needs to run in the background, automatically surfacing new exposures as data is created, shared, and modified.

Reduce your attack surface before an incident. Once sensitive data is discovered, remediate it. Delete what doesn't need to exist. Redact what can be. Revoke external sharing permissions on files that are over-shared. A smaller data footprint means a smaller blast radius if an attacker does get in.

Enforce data lineage tracking. Know where your sensitive data came from, where it's going, and what happened to it along the way. When an incident occurs, you need to reconstruct the full chain of custody quickly, both for investigation and for notification obligations under state breach notification laws.

Extend DLP coverage to third-party data flows. If you share data with vendors and processors, those relationships need to be part of your DLP architecture. Understand what data each vendor can access, monitor outbound flows, and apply the same classification and control standards you use internally.

Build for detection at the content layer, not just the perimeter. Network controls catch known-bad traffic. Content-aware DLP catches sensitive data moving through authorized channels. Both matter. If your current architecture relies primarily on perimeter controls, you have a significant blind spot.

Establish automated response, not just alerting. Alert fatigue is real. A DLP program that generates thousands of events without automated triage and response will eventually be ignored. Invest in automation that can act on high-confidence detections without waiting for human review, especially for high-severity events like bulk exfiltration of PHI or SSNs.
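One way to keep a DLP program from drowning in events is to make the action a function of confidence, destination and volume, so that low-confidence matches are only logged, mid-confidence matches go to a queue, and high-confidence bulk movement of PHI or SSNs to an external destination is blocked without waiting for a person. The policy below is an added example written for this article, not Nightfall's remediation logic; the detection fields, destination categories, thresholds and sample events are all constructed assumptions.

```python
"""Confidence- and volume-based triage for DLP detections (added example)."""
from collections import Counter
from dataclasses import dataclass

# Assumed taxonomy for the demo.
HIGH_SEVERITY_TYPES = {"ssn", "phi", "credential"}
EXTERNAL_DESTINATIONS = {"external_share", "usb", "ai_prompt", "personal_email"}


@dataclass(frozen=True)
class Detection:
    event_id: str
    data_type: str      # e.g. "ssn", "phi", "phone"
    match_count: int    # distinct sensitive values seen in the transfer
    confidence: float   # detector confidence in [0, 1]
    destination: str    # where the data was headed


def triage(d: Detection, *, bulk_threshold: int = 25,
           auto_confidence: float = 0.9) -> str:
    """Return the action for one detection: 'block', 'alert' or 'log'.

    - below 0.5 confidence: log only, so noise never reaches a human queue
    - internal destinations: alert only on bulk movement of severe types
    - external destinations: block automatically when confidence is high and
      the transfer is either bulk or a high-severity type; otherwise alert
    """
    if d.confidence < 0.5:
        return "log"
    severe = d.data_type in HIGH_SEVERITY_TYPES
    bulk = d.match_count >= bulk_threshold
    if d.destination not in EXTERNAL_DESTINATIONS:
        return "alert" if (severe and bulk) else "log"
    if d.confidence >= auto_confidence and (bulk or severe):
        return "block"
    return "alert"


def summarize(events: list[Detection]) -> Counter:
    """Count how many events land in each action bucket."""
    return Counter(triage(e) for e in events)


# Constructed sample events (no real data).
SAMPLE_EVENTS = [
    Detection("e1", "ssn", 1200, 0.97, "external_share"),   # bulk PHI leaving: block
    Detection("e2", "ssn", 1, 0.95, "ai_prompt"),           # one SSN into an LLM: block
    Detection("e3", "phone", 3, 0.92, "personal_email"),    # low severity, small: alert
    Detection("e4", "phi", 400, 0.88, "internal"),          # bulk but internal: alert
    Detection("e5", "ssn", 2, 0.31, "usb"),                 # low confidence: log
]

if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        print(e.event_id, triage(e))
    print(summarize(SAMPLE_EVENTS))
```

The two knobs worth tuning per environment are `bulk_threshold`, which separates an analyst pasting one record from a staged export, and `auto_confidence`, which decides how sure the detector must be before the system acts without review. Raising either reduces false blocks at the cost of letting more reach the human queue.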

Cover AI egress vectors now. If your employees use ChatGPT, Copilot, Claude, or any other AI tool, you already have an uncontrolled exfiltration vector. Classify what data is being shared with these systems and enforce policy on what's permissible.

The Underlying Issue

The Conduent breach is notable for its scale, but it isn't anomalous in its structure. Attackers gained access, stayed quiet, and moved data. The controls in place didn't surface the exfiltration until it was too late.

Organizations that process sensitive data on behalf of others—as third-party processors, benefits administrators, healthcare vendors, or SaaS platforms—carry an obligation that extends beyond their own data. The people affected by the Conduent breach never had a relationship with Conduent. Their data was there because of a relationship they had with someone else.

That's the actual risk model for most organizations today. Your data isn't just at risk where you store it. It's at risk everywhere it flows, including through every vendor and processor in your supply chain.

Eighty-three days of undetected exfiltration is a detection problem. With Nightfall, the problem is solvable. Nightfall is an AI-native DLP platform built to discover sensitive data before attackers do, detect exfiltration in progress at the content layer, and respond automatically before damage compounds. If you're responsible for protecting data you can't afford to lose, schedule a demo and see how Nightfall closes the gap.
