Conduent Data Breach Now Largest in U.S. History
Plus, ShinyHunters targets CarGurus in data breach impacting more than 12 million users.

Good morning! Here’s what’s up.

Clips ✂️
Conduent Data Breach Becomes Largest in U.S. History After Ransomware Group Steals 8 TB
Conduent Business Services, LLC, a key government technology contractor handling payments, healthcare claims, and back-office tasks, faces massive fallout from a cyber breach.
Notification letters started arriving this month to millions of affected Americans. An unauthorized intruder accessed systems from October 21, 2024, to January 13, 2025, stealing files with personal data for tens of millions.
Conduent’s April 2025 SEC filing first revealed the incident, but recent state reports show wider impact: 15.4 million in Texas alone (up from 4 million initially), 10.5 million in Oregon, and more elsewhere.
Estimates now top 25 million victims, ranking it among 2025’s biggest breaches, though smaller than Change Healthcare’s 193 million cases in 2024.
Ransomware Group Claims Responsibility
The Safepay ransomware group took credit on its dark web leak site in early 2025. It boasted of exfiltrating over 8 terabytes (some posts claim 8.5 TB) of sensitive data, including names, Social Security numbers, addresses, medical histories, and health insurance details.
Over 12 Million Users Impacted by CarGurus Data Breach
More than 12 million users have been affected by a data breach at automotive research and shopping website CarGurus.
The incident was disclosed last week, when the infamous extortion group ShinyHunters added CarGurus to its Tor-based leak site, claiming the theft of personally identifiable information (PII) and internal corporate data.
Initially, the hackers said they stole 1.7 million records from the company, but have since leaked a 6.1GB archive that contains information pertaining to approximately 12.5 million accounts.
The compromised information, data breach notification website Have I Been Pwned says, includes names, addresses, email addresses, phone numbers, and IP addresses.
“Following an attempted extortion, the data was published publicly and contained more than 12M email addresses across multiple files, including user account ID mappings, finance pre-qualification application data, and dealer account and subscription information,” the breach notification service says.
Threat groups move at record speeds, as AI helps scale attacks
Threat actors are using AI to add speed and scale to their hacking toolkits and setting records for attack speeds that increasingly outpace security teams, according to a report released Tuesday from CrowdStrike.
The average e-crime breakout reached 29 minutes in 2025, a 65% increase in speed from the prior year, according to the report. The fastest observed breakout time in 2025 was only 27 seconds, compared with 51 seconds the prior year.
Researchers define breakout time as the period between initial intrusion and the point at which an adversary is able to move on to another system. In one particular case, hackers were able to exfiltrate data within four minutes of gaining initial access.
…
Threat groups are also abusing legitimate AI tools as part of their attacks. About 90 organizations were impacted by hackers dropping malicious prompts into these tools in order to steal credentials or cryptocurrency.
Boards don’t need cyber metrics — they need risk signals
Security teams live in a world of numbers. Dashboards depict counts of blocked attacks, phishing clicks, vulnerabilities discovered, patches applied, alerts triaged, and incidents closed. Over the past decade, the cybersecurity industry has become adept at measuring activity with increasing precision.
Experts say what remains far less consistent is whether those measurements help boards govern risk. For directors and senior executives, the purpose of security metrics reporting is not to catalog effort. It is to understand exposure, trajectory, and consequence.
Decision-makers want to know whether risk is increasing or decreasing, whether controls are effective, and whether the organization can limit damage when prevention fails. Metrics are therefore useful when they clarify those questions.
“Time is really the universal metric because everyone can understand time,” Richard Bejtlich, strategist and author in residence at Corelight, tells CSO. “How fast do we detect problems, and how fast do we contain them. Dwell time, containment time. That’s the whole game for me.”
‘Starkiller’ Phishing Service Proxies Real Login Pages, MFA
Most phishing websites are little more than static copies of login pages for popular online destinations, and they are often quickly taken down by anti-abuse activists and security firms. But a stealthy new phishing-as-a-service offering lets customers sidestep both of these pitfalls: It uses cleverly disguised links to load the target brand’s real website, and then acts as a relay between the victim and the legitimate site — forwarding the victim’s username, password and multi-factor authentication (MFA) code to the legitimate site and returning its responses.
There are countless phishing kits that would-be scammers can use to get started, but successfully wielding them requires some modicum of skill in configuring servers, domain names, certificates, proxy services, and other repetitive tech drudgery. Enter Starkiller, a new phishing service that dynamically loads a live copy of the real login page and records everything the user types, proxying the data from the legitimate site back to the victim.
Ex-L3Harris exec jailed for selling zero-days to Russian exploit broker
The former head of Trenchant, a specialized U.S. defense contractor unit, was sentenced Tuesday to more than seven years in federal prison for stealing and selling zero-day exploits to a Russian broker whose clients include the Russian government.
39-year-old Australian national Peter Williams served as the general manager of Trenchant, a cybersecurity unit of defense contractor L3Harris that develops surveillance tools and zero-day exploits for the U.S. government and its Five Eyes intelligence partners.
Between 2022 and 2025, Williams stole at least eight protected exploit components intended for the exclusive use of the U.S. government and its allies and sold them to the Matrix Russian exploit broker (doing business as Operation Zero), which advertises itself as a reseller of hacking tools to non-NATO buyers.
Williams used a portable external hard drive to transfer the exploits out of secure networks at Trenchant's offices in Sydney and Washington, D.C., before sending the stolen tools to the broker via encrypted channels.
Prosecutors said that the theft caused $35 million in losses to L3Harris and that the stolen tools could have enabled access to millions of devices worldwide.

