Conduent Breach Incident Score: Analysis & Impact (CON5792357110725)

In this Rankiteo incident briefing, we review the Conduent breach identified under incident ID CON5792357110725.

The analysis begins with a detailed overview of Conduent's information like the linkedin page: https://www.linkedin.com/company/conduent, the number of followers: 523798, the industry type: IT Services and IT Consulting and the number of employees: 36834 employees

After the initial compromise, the video explains how Rankiteo's incident engine converts technical details into a normalized incident score. The incident score before the incident was 225 and after the incident was 159 with a difference of -66 which is could be a good indicator of the severity and impact of the incident.

In the next step of the video, we will analyze in more details the incident and the impact it had on Conduent and their customers.

Conduent recently reported "Conduent Health Data Breach and F5 Nation-State Hack", a noteworthy cybersecurity incident.

The incident involves two major cybersecurity events: (1) The largest known health data breach of 2025 affecting Conduent, a New Jersey-based business process outsourcing firm, leading to lawsuits and investigations.

The disruption is felt across the environment, and exposing Health data (Conduent breach) and Source code (F5 breach).

Formal response steps have not been shared publicly yet.

The case underscores how Ongoing (Conduent lawsuits and F5 breach response delayed by government shutdown).

Finally, we try to match the incident with the MITRE ATT&CK framework to see if there is any correlation between the incident and the MITRE ATT&CK framework.

The MITRE ATT&CK framework is a knowledge base of techniques and sub-techniques that are used to describe the tactics and procedures of cyber adversaries. It is a powerful tool for understanding the threat landscape and for developing effective defense strategies.

Rankiteo's analysis has identified several MITRE ATT&CK tactics and techniques associated with this incident, each with varying levels of confidence based on available evidence. Under the Initial Access tactic, the analysis identified Exploit Public-Facing Application (T1190) with moderate to high confidence (70%), supported by evidence indicating largest health data breach of 2025 (Conduent), suspected nation-state hack (F5) and Valid Accounts: Cloud Accounts (T1078.004) with moderate confidence (60%), supported by evidence indicating conduent (BPO firm) likely leveraged cloud/outsourced systems for health data access. Under the Collection tactic, the analysis identified Data from Local System (T1005) with high confidence (90%), supported by evidence indicating health data (Conduent) and source code (F5) confirmed compromised. Under the Exfiltration tactic, the analysis identified Exfiltration Over Alternative Protocol: Exfiltration Over Unencrypted/Obfuscated Non-C2 Protocol (T1048.003) with moderate to high confidence (80%), supported by evidence indicating data exfiltration confirmed (F5 source code theft) and Exfiltration Over Command and Control Channel (T1041) with moderate to high confidence (70%), supported by evidence indicating nation-state involvement (F5) suggests C2-based exfiltration. Under the Impact tactic, the analysis identified Data Encrypted for Impact (T1486) with lower confidence (30%), supported by evidence indicating no ransomware confirmed, but data compromise implies potential destructive intent (nation-state) and Inhibit System Recovery (T1490) with lower confidence (40%), supported by evidence indicating federal response delayed by U.S. government shutdown (F5 breach). Under the Credential Access tactic, the analysis identified Credentials from Password Stores: Credentials from Web Browsers (T1555.003) with moderate confidence (50%), supported by evidence indicating nation-state actors (F5) often target credentials; health data breach (Conduent) may involve credential theft. Under the Defense Evasion tactic, the analysis identified Obfuscated Files or Information (T1027) with moderate to high confidence (70%), supported by evidence indicating source code theft (F5) likely involved obfuscation to evade detection and Impair Defenses: Disable or Modify Tools (T1562.001) with moderate confidence (60%), supported by evidence indicating nation-state actors (F5) may have disabled security tools to maintain persistence. Under the Persistence tactic, the analysis identified Account Manipulation: Additional Cloud Credentials (T1098.003) with moderate confidence (60%), supported by evidence indicating conduent (cloud/outsourced health data) may have had cloud credentials manipulated for persistence. Under the Command and Control tactic, the analysis identified Application Layer Protocol: Web Protocols (T1071.001) with moderate to high confidence (80%), supported by evidence indicating nation-state actors (F5) likely used HTTP/HTTPS for C2 communication. These correlations help security teams understand the attack chain and develop appropriate defensive measures based on the observed tactics and techniques.