The problems for Conduent Business Solutions 10 months after the solutions and services provider in January detected intruders in its systems, the first indications of a significant data breach that the company last month said could have affected more than 10.5 million people.

The disclosure to Oregon’s Justice Department of the possible victim toll shot Conduent back into the headlines and reportedly has fueled the filing of at least nine of proposed class-action lawsuits against the New Jersey-based company, with more likely to follow now that law firms are now investigating the company and data breach.

At the same time, Conduent in its third-quarter financial report to the U.S. Securities and Exchange Commission (SEC) November 7 that it already has spent $9 million through September in connection with the data breach and expects to put out another $16 million between now and the end of the first quarter next year. That’s on top of the $25 million of non-recurring expenses it incurred because of the breach in the first quarter this year.

The company notified the SEC about the data breach in April.

Conduent also has notified agencies in a number of states – not only Oregon, but also others like Maine, California, and Texas – of the breach, and in October began sending notices to those whose data may have been compromised outlining the incident and what Conduent has done since discovering the attack. The letter also details the types of information that may have been taken,

Though the company doesn’t include the information stolen in the template of the letter being sent to possible victims, the Texas Attorney General’s Office said it includes the name of the individual as well as Social Security Numbers and medical and health insurance information.

Threat Actors Spent Three Months Inside

Conduent executives wrote in the letter that after discovering the breach January 13, the company secured the networks and started an investigation into the incident with third-party forensic experts. They determined the intruder had been in its IT environment since October 21, 2024, spending almost three months in there before being detected.

In February, the SafePay ransomware group claimed responsibility for the attack, posting that it had stolen 8.5TB of data from the company. In its letter to potentially effected people, Conduent wrote that “presently, we have no evidence or indication of actual or attempted misuse of your personal information.”

A Fast-Emerging Ransomware Threat

SafePay emerged in September 2024 and established itself this year as a highly active ransomware group, with cybersecurity vendor Bitdefender in June putting it at the top of its Threat Debrief rankings in June after claiming 73 victim organizations in one month – May – and collecting another 42 in July.

In the first eight months of the year, SafePay never claimed fewer than 12 victims in a single month.

“With more than 270 claimed victims so far this year, SafePay’s discreet operations, rejection of the ransomware-as-a-service (RaaS) model, and rapid-fire victim disclosures signal a significant threat that security researchers and teams should understand,” Bitdefender threat researcher Jade Brown wrote in a report in September.

Most of SafePay’s victims have been in the United States, with manufacturing, healthcare, construction, and technology as the industries targeted the most. Given its extensive work in the healthcare space, the Conduent breach was ranked by the HIPAA Journal as the eighth-largest healthcare data breach in U.S. history.

Among the organizations that have said they’ve been impacted by the data breach are Blue Cross and Blue Shield of Montana, Blue Cross and Blue Shield of Texas, Humana, and Premera Blue Cross.

Months Before Victims Alerted

Executives with Conduent, which generated more than $3.35 billion in revenue last year, in the SEC filing and the letter to possible victims detailed the investigation into the data breach. However, along with the data breach itself, the stolen information, and the charge that the company failed to adequately protect the data it held – including storing information in unencrypted and internet-accessible environments – lawyers involved with the lawsuits take issues with the months the company took between detecting the intrusion and notifying possible victims.

“The FTC [Federal Trade Commission] directs businesses to use an intrusion detection system to expose a breach as soon as it occurs, monitor activity for attempted hacks, and have an immediate response plan if a breach occurs,” wrote lawyers in one class-action lawsuit filed in U.S. District Court in New Jersey. “Immediate notification to individuals impacted by a data breach is critical so that those impacted can take measures to protect themselves. Here, Defendant inexcusably waited for almost a year after the Data Breach occurred to notify impacted individuals.”