News that Volvo Group North America reported they were compromised in the unfolding Conduent ransomware incident shined a light on how long third-party breach cases take to unravel.While much of the recent reporting focused on Volvo and the jump in the number of users exposed from 10 million to 25 million, closer inspection found that some important healthcare and government agencies were affected. A simple AI search by SC Media found the following cases involving Conduent from last fall — well before the Volvo breach was reported:Conduent formally reported to the Securities and Exchange Commission in April 2025 that it first learned of the third-party breach on its systems on Jan. 13, 2025. A month later in February 2025, the SafePay ransomware group took credit for the attack on Conduent.An investigation by Conduent determined that the hackers had access to Conduent’s environment from Oct. 21, 2024, to Jan. 13, 2025, and obtained the following personal information: names, addresses, SSNs, dates of birth, health insurance data, and medical information.Late last month, Volvo Group North America told the Maine Attorney General that nearly 17,000 employees were affected and Volvo apparently only learned about the cyber incident in January 2026.
Related reading:
John Carberry, solution sleuth at Xcape, Inc, said news that nearly 17,000 Volvo employees were affected by the massive Conduent data breach highlighted a persistent issue: the "notification lag" within third-party supply chains.Carberry said while Conduent identified the SafePay ransomware attack in January 2025, it took Volvo an entire year to verify that its employee data was part of the 8 terabytes stolen. This delay frequently gets attributed to the arduous process of "data mining" vast amounts of unstructured files, said Carberry.“Nevertheless, ‘it takes time’ should not serve as a sweeping justification for sustained secrecy,” said Carberry. “In the current threat environment, prompt detection and swift, open communication are no longer just ideal practices, but fundamental requirements that are often enforced by regulation.”Chen Burshan, chief executive officer of Skyhawk Security, said in third-party incidents like the one involving Conduent and Volvo Group North America, vendors need time to confirm which customers were actually impacted, and complex environments make scoping and tracing difficult.Burshan said companies face a twofold challenge: Before a breach, they need to focus on real exposures. When there are so many alerts, it’s hard to know what’s weaponized and prioritize the 1% that matters. After a breach, attackers try to stay undetected, so it comes down to compensating controls and whether the SOC understands what alerts mean and how to respond.“Responsible disclosure doesn’t require perfect answers on Day 1,” said Burshan. “It requires timely, good-faith communication: an early ‘you may be affected’ notice as soon as there’s credible risk, followed by iterative updates as the investigation matures, ideally backed by clear notification SLAs and shared incident-response workflows."Carberry said the important takeaway here for security teams: depending on a vendor's notification is an ineffective approach: Organizations must consider major data aggregators like Conduent as critical Tier-0 risks and insist on real-time, API-driven access to their security data. While existing legal loopholes in notification requirements are shrinking in some states, such as the new 30-day mandates like California's SB 446, Carberry said legal timelines still lag behind the speed of cyberattacks.“Until we shift from a ‘forensic-first to a ‘disclosure-first’ approach, employees will continue to receive information long after the breach has occurred,” said Carberry. “Breaches don't sleep and neither should notifications.”
- Premera Blue Cross: Confirmed its impact in October 2025.
- Blue Cross and Blue Shield (BCBS): Multiple state branches, including BCBS of Texas, BCBS of Montana, and BCBS of Illinois, were confirmed in October and November 2025.
- Government agencies: Various state agencies, such as the Wisconsin Department of Children and Families and the Wisconsin Child Support Trust Fund, were linked to the breach throughout 2025.





