It is being called one of the largest data breaches in U.S. history by volume. In February 2026, the business process services giant Conduent revealed a catastrophic intrusion: unauthorized actors had exfiltrated over 8.5 terabytes of sensitive data over a three-month period. The perpetrators? A relatively new, aggressive ransomware cartel calling themselves SafePay.


This wasn’t just another corporate hack. Conduent processes transactions for the majority of U.S. states, handles toll systems, and manages HR benefits for nearly half of the Fortune 100. When Conduent bleeds, the entire American infrastructure ecosystem bleeds with it. This article dissects the anatomy of the Conduent breach, analyzes the technical sophistication of the SafePay group, and explores why 2026 is becoming the year of the "Mega-Exfiltration."

The Target: Who is Conduent?

Spinning off from Xerox in 2017, Conduent became a backend behemoth. They are the invisible gears turning behind government agencies and global corporations. From processing Medicaid claims to managing E-ZPass tolling, their servers hold a digital mirror of American life. This concentration of data made them a "crown jewel" target for ransomware operators.

The Attack: A Three-Month Siege

According to forensic reports and claims from the SafePay group, the intrusion began months before the encryption event. This dwell time—the period between initial compromise and detection—allowed attackers to map the network, escalate privileges, and identify the most valuable data repositories.

Initial Access and Persistence

While the exact patient zero has not been officially confirmed, threat intelligence suggests SafePay used compromised credentials to log in to a Citrix gateway that lacked multi-factor authentication (MFA). Because the logins used valid accounts over a sanctioned remote-access path rather than an exploit, they blended in with legitimate administrative traffic and gave perimeter sensors nothing obviously malicious to flag.

Once inside, SafePay operators demonstrated patience. Instead of immediately deploying ransomware, they established persistence using legitimate remote monitoring and management (RMM) tools already present in the Conduent environment. This is the "Living off the Land" (LotL) approach: signed, trusted binaries that the organization itself deployed are rarely blocked by Endpoint Detection and Response (EDR), so the attacker's remote sessions look like routine IT administration. Note that this is distinct from "Bring Your Own Vulnerable Driver" (BYOVD), a separate EDR-evasion technique in which the attacker loads a legitimately signed but exploitable kernel driver to blind or kill the security agent; the two are often conflated, but abusing an existing RMM agent requires no driver at all.

The Exfiltration Phase

The sheer scale of the theft, 8.5 terabytes, is staggering. Exfiltrating that volume without triggering network traffic alarms requires care, not just bandwidth. SafePay reportedly used custom scripts to throttle data transfer during business hours and ramp up during nights and weekends, mimicking the cadence of backup traffic. That pattern defeats a naive "bytes per hour" threshold; the transfer only stands out when off-hours volume is compared against the same host's own daytime baseline and against the list of destinations a backup job is actually allowed to reach.

Who is SafePay?

SafePay appears to be either a rebrand of, or a splinter from, an existing crew in the chaotic ransomware landscape of 2025. Technical analysis of their encryptor reveals DNA shared with older strains like BlackCat (ALPHV) and DarkSide.

The Cyrillic Kill-Switch

Security researchers at ThreatLocker analyzed a sample of the SafePay malware and discovered a distinct "kill-switch": before encrypting anything, the malware checks the system's language and locale settings. If it detects Russian, Ukrainian, Belarusian, or other languages and layouts common in the Commonwealth of Independent States (CIS), it terminates immediately. This strongly suggests the operators are based in the CIS and are adhering to the unwritten rule of Russian cybercrime: "Don't eat where you sh*t." Two caveats for defenders: the same locale check appears in many unrelated CIS-origin families, so on its own it is weak evidence of who SafePay actually is, and the well-known "vaccine" of adding a Russian keyboard layout to hosts is not a reliable control, since nothing stops the operators from removing or tightening the check in the next build.

The Fallout: A Supply Chain Nightmare

The impact of the Conduent breach extends far beyond the company itself. Because Conduent acts as a data processor for hundreds of other organizations, this is a classic supply chain catastrophe.

  • HIPAA Impact: Millions of patient records from client healthcare providers are potentially compromised.
  • Government Data: State agencies relying on Conduent for benefit processing face identity theft risks for citizens.
  • Financial Exposure: The 8.5 TB dump reportedly includes invoices, contract details, and bank account information for Fortune 500 clients.

The Texas Attorney General has already launched an investigation, citing the exposure of over 25 million individuals. This regulatory pressure will likely lead to massive fines and mandatory security overhauls.

Lessons for the Blue Team

The Conduent breach reinforces several hard truths about modern defense:

1. MFA is Non-Negotiable

If the initial vector was indeed a lack of MFA on remote access points, this was a preventable tragedy. Every external-facing service must be MFA-protected, preferably with FIDO2/WebAuthn hardware keys, which bind the credential to the origin and therefore resist phishing. Push-notification and SMS factors are better than nothing, but they remain vulnerable to prompt bombing and real-time phishing proxies, which is exactly what a patient operator armed with stolen passwords will try next.

2. Egress Filtering Matters

How does 8.5 TB of data leave a network unnoticed? Organizations often focus heavily on ingress filtering (blocking bad stuff from coming in) but neglect egress filtering (blocking unauthorized data from going out). Outbound traffic should be allowed only to known destinations, and the flow records for what remains should be watched for volume that is out of line with each host's own baseline, for time-of-day patterns that do not match any scheduled job, and for destination IPs that no sanctioned backup or SaaS integration explains.
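As an added illustration of this point and of the backup-mimicking transfer pattern described in the exfiltration section above (example code written for this article, not tooling from Conduent, SafePay, ThreatLocker, or any other party), the following Python hunt reads outbound flow records and flags hosts whose unsanctioned egress is small by day and large at night and on weekends. The flow records, the sanctioned backup range (198.51.100.0/24), the business-hours window, and the thresholds are all constructed assumptions; in a real deployment they come from NetFlow or cloud flow logs, the CMDB, and the backup schedule.

```python
"""Hunt for backup-mimicking exfiltration in outbound flow records.

Example code written for this article; the records below are constructed
samples, not telemetry from any real incident.
"""
from collections import defaultdict
from datetime import datetime
from ipaddress import ip_address, ip_network

# Constructed flow records: (ISO timestamp, source host, destination IP, bytes out).
FLOWS = [
    ("2026-01-12T10:05:00", "fs01", "203.0.113.10", 40_000_000),     # Mon, business hours
    ("2026-01-12T11:30:00", "fs01", "203.0.113.10", 35_000_000),
    ("2026-01-12T23:10:00", "fs01", "203.0.113.10", 900_000_000),    # Mon night
    ("2026-01-13T02:40:00", "fs01", "203.0.113.10", 1_100_000_000),  # Tue, pre-dawn
    ("2026-01-17T03:00:00", "fs01", "203.0.113.10", 1_500_000_000),  # Sat
    ("2026-01-12T22:00:00", "db02", "198.51.100.7", 800_000_000),    # nightly backup, sanctioned
    ("2026-01-12T09:00:00", "ws17", "192.0.2.20", 5_000_000),
    ("2026-01-12T21:00:00", "ws17", "192.0.2.20", 6_000_000),        # small, below the floor
]

# Assumed allowlist: the backup vault's range and RFC 1918 space are never "exfil".
SANCTIONED_DESTINATIONS = [ip_network("198.51.100.0/24")]
INTERNAL_RANGES = [ip_network("10.0.0.0/8"), ip_network("172.16.0.0/12"),
                   ip_network("192.168.0.0/16")]


def is_business_hours(ts: datetime) -> bool:
    """Mon-Fri 08:00-17:59; adjust to the organisation's real working pattern."""
    return ts.weekday() < 5 and 8 <= ts.hour < 18


def is_sanctioned(dst: str) -> bool:
    """True if the destination is internal or an approved off-hours target."""
    ip = ip_address(dst)
    return any(ip in net for net in SANCTIONED_DESTINATIONS + INTERNAL_RANGES)


def hunt_off_hours_egress(flows, min_off_hours_bytes=500_000_000, ratio=5.0):
    """Return hosts whose unsanctioned off-hours egress is large in absolute
    terms AND disproportionate to the same host's business-hours egress.

    A pure volume threshold misses a throttled transfer; a pure ratio fires on
    every idle workstation. Requiring both is what separates the fs01 pattern
    above from ordinary noise such as ws17.
    """
    business = defaultdict(int)
    off_hours = defaultdict(int)
    destinations = defaultdict(set)

    for ts_str, src, dst, nbytes in flows:
        if is_sanctioned(dst):
            continue
        ts = datetime.fromisoformat(ts_str)
        if is_business_hours(ts):
            business[src] += nbytes
        else:
            off_hours[src] += nbytes
            destinations[src].add(dst)

    findings = []
    for src, off_bytes in off_hours.items():
        baseline = business[src]  # defaultdict: 0 if the host was quiet by day
        if off_bytes >= min_off_hours_bytes and off_bytes >= ratio * max(baseline, 1):
            findings.append({
                "host": src,
                "off_hours_bytes": off_bytes,
                "business_hours_bytes": baseline,
                "destinations": sorted(destinations[src]),
            })
    return sorted(findings, key=lambda f: f["off_hours_bytes"], reverse=True)


if __name__ == "__main__":
    for f in hunt_off_hours_egress(FLOWS):
        print(f"{f['host']}: {f['off_hours_bytes'] / 1e9:.2f} GB off-hours to "
              f"{f['destinations']} vs {f['business_hours_bytes'] / 1e6:.0f} MB by day")
```

On the constructed sample, only fs01 is reported (3.5 GB at night against 75 MB during the day, all to a single unsanctioned address), db02 is ignored because its nightly transfer goes to the backup range, and ws17 is ignored because its off-hours volume is both tiny and in proportion to its daytime use. Lowering `min_off_hours_bytes` alone does not surface ws17, which is the point of combining the two tests.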

3. The Danger of Long Dwell Times

A three-month dwell time indicates a failure in continuous monitoring. Threat hunting, the practice of proactively searching for intruders who have already bypassed defenses, must be a regular activity rather than an annual exercise. Relying solely on alerts is insufficient against patient adversaries like SafePay, whose chosen tools (valid credentials, the organization's own RMM agents) are designed not to trip them.
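As an added hunt example for the persistence technique described earlier and for the kind of routine threat hunting this section calls for (written for this article, not Conduent's or any vendor's detection content), the following Python script runs over constructed process-creation events, of the kind Sysmon Event ID 1 or an EDR produces, and surfaces RMM binaries that are not the product a host is approved to run, that execute from a user-writable path, that are launched by an interactive account instead of the agent's service account, or that have an unexpected parent process. The RMM image names are real product binaries; the host inventory, service-account list, and events are assumed values.

```python
"""Hunt for remote monitoring and management (RMM) tool abuse in
process-creation telemetry.

Example code written for this article; the inventory, account list and
events are constructed assumptions, not data from any real environment.
"""
import ntpath

# Image names of common RMM agents; extend this from your own software inventory.
RMM_IMAGES = {
    "anydesk.exe",
    "screenconnect.clientservice.exe",
    "ateraagent.exe",
    "teamviewer.exe",
}

# Assumed asset inventory: the single RMM product each host is approved to run.
SANCTIONED_RMM = {"fs01": "ateraagent.exe", "ws17": "ateraagent.exe"}

# Where a properly deployed agent lives; anything else is a hand-dropped copy.
SANCTIONED_INSTALL_ROOTS = ("c:\\program files\\", "c:\\program files (x86)\\")

# Accounts that legitimately start the agent (service control manager, deployment account).
SERVICE_ACCOUNTS = {"nt authority\\system", "corp\\svc_rmm"}

# Parents that legitimately spawn the agent (service start, installer).
EXPECTED_PARENTS = {"services.exe", "msiexec.exe"}

# Constructed events: (host, user, image path, parent image path).
EVENTS = [
    ("fs01", "NT AUTHORITY\\SYSTEM",
     "C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe",
     "C:\\Windows\\System32\\services.exe"),                     # normal service start
    ("fs01", "CORP\\jdoe",
     "C:\\Users\\jdoe\\AppData\\Local\\Temp\\AnyDesk.exe",
     "C:\\Windows\\explorer.exe"),                               # second RMM, dropped in Temp
    ("ws17", "CORP\\jdoe",
     "C:\\Program Files\\Atera Networks\\AteraAgent\\AteraAgent.exe",
     "C:\\Windows\\System32\\cmd.exe"),                          # sanctioned tool, odd launch
    ("ws17", "CORP\\jdoe", "C:\\Windows\\System32\\notepad.exe",
     "C:\\Windows\\explorer.exe"),                               # not an RMM binary
]


def classify_rmm_event(host, user, image, parent):
    """Return the reasons this RMM launch is suspicious; an empty list means benign
    or not an RMM binary at all."""
    name = ntpath.basename(image).lower()
    if name not in RMM_IMAGES:
        return []
    reasons = []
    if SANCTIONED_RMM.get(host) != name:
        reasons.append("rmm_not_sanctioned_for_host")
    if not image.lower().startswith(SANCTIONED_INSTALL_ROOTS):
        reasons.append("run_from_unsanctioned_path")
    if user.lower() not in SERVICE_ACCOUNTS:
        reasons.append("launched_by_non_service_account")
    if ntpath.basename(parent).lower() not in EXPECTED_PARENTS:
        reasons.append("unexpected_parent_process")
    return reasons


def hunt_rmm_abuse(events):
    """Score every event; return (host, image name, reasons) for the suspicious ones,
    preserving event order so an analyst can read them as a timeline."""
    findings = []
    for host, user, image, parent in events:
        reasons = classify_rmm_event(host, user, image, parent)
        if reasons:
            findings.append((host, ntpath.basename(image).lower(), reasons))
    return findings


if __name__ == "__main__":
    for host, name, reasons in hunt_rmm_abuse(EVENTS):
        print(f"{host}: {name} -> {', '.join(reasons)}")
```

The second ws17 finding is the interesting one for the Conduent scenario: the approved agent in its approved path, but started by an interactive user from a shell. A tool-name allowlist alone would pass it; only the account and parent-process checks expose that someone other than the RMM platform is driving it.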


Conclusion

The Conduent breach is a grim reminder that in the interconnected digital economy, risk is transitive. You can have world-class security, but if your payroll processor or cloud provider leaves the back door open, you are compromised. As SafePay and similar groups continue to industrialize data theft, the focus must shift from just preventing encryption to detecting and stopping the silent exfiltration that precedes it. Data is the new oil, and right now, the pipelines are leaking.