Back-office services provider **Conduent** disclosed a cyberattack in January 2025 that exposed the data of **10.5 million individuals**, primarily members of healthcare insurance clients such as **Blue Cross Blue Shield of Montana (462,000 members affected)**. The intrusion, active from **October 21, 2024, to January 13, 2025**, involved unauthorized access to a 'limited portion' of Conduent's IT environment, during which the attackers exfiltrated files tied to multiple clients. The financial fallout so far includes **$50 million spent** ($25M on incident response, $25M on breach notifications), **12 class-action lawsuits**, regulatory investigations (e.g., Montana), and warnings of further **litigation, reputational harm, and regulatory penalties**. The company acknowledged that the attack could adversely affect its financial condition, with ongoing risks from **data theft, legal actions, and operational disruptions**. No ransomware was confirmed, but the volume of exposed **personal and health data** points to severe long-term consequences for the affected individuals and partner organizations.
Source: https://www.bankinfosecurity.com/breach-roundup-uk-probes-chinese-made-electric-buses-a-30029
TPRM report: https://www.rankiteo.com/company/conduent
"id": "con3703037111425",
"linkid": "conduent",
"type": "Breach",
"date": "10/2024",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'industry': 'Transportation',
'location': 'United Kingdom',
'name': 'UK Department for Transport / National Cyber '
'Security Centre',
'type': 'Government'},
{'customers_affected': '2,500+ buses in UK',
'industry': 'Automotive',
'location': 'China',
'name': 'Yutong (bus manufacturer)',
'type': 'Private Company'},
{'industry': 'Various',
'location': 'South Korea',
'name': 'South Korean Android Users (including '
'counselors for North Korean defectors)',
'type': 'Individuals/NGOs'},
{'customers_affected': '10.5 million individuals '
'(healthcare clients)',
'industry': 'Business Services',
'location': 'United States',
'name': 'Conduent Business Solutions',
'type': 'Private Company'},
{'customers_affected': '462,000 members',
'industry': 'Healthcare',
'location': 'United States (Montana)',
'name': 'Blue Cross Blue Shield of Montana',
'type': 'Healthcare Provider'},
{'customers_affected': '2.7 million individuals',
'industry': 'Automotive',
'location': 'United States',
'name': 'Hyundai AutoEver America',
'type': 'Subsidiary'},
{'industry': 'Various',
'location': 'Worldwide',
'name': 'Microsoft Customers',
'type': 'Global'}],
'attack_vector': ['Telematics/Battery Management System Exploitation',
'Social Engineering (KakaoTalk spear-phishing) + Google '
'Find Hub Abuse',
'Network Intrusion (initial vector unspecified)',
'Network Intrusion (initial vector unspecified)',
'N/A (Vulnerability patches)',
'N/A (Framework update)'],
'customer_advisories': ['KakaoTalk security alerts (via Genians)',
'Conduent breach letters + credit monitoring offers',
'Hyundai identity protection services'],
'data_breach': {'data_encryption': [None, None, None, None, None, None],
'data_exfiltration': [None,
None,
'Yes (files exfiltrated)',
'Unconfirmed',
None,
None],
'file_types_exposed': [None, None, None, None, None, None],
'number_of_records_exposed': [None,
None,
'10.5 million',
'2.7 million',
None,
None],
'personally_identifiable_information': [None,
'Yes (via Google '
'accounts)',
'Yes (healthcare PII)',
'Yes (SSNs, driver’s '
'licenses)',
None,
None],
'sensitivity_of_data': [None,
'High (personal + communication data)',
'High (healthcare PII)',
'High (PII)',
None,
None],
'type_of_data_compromised': [None,
'Personal data (remote wipe) + '
'account credentials',
'Client files (healthcare data)',
'PII (names, SSNs, driver’s '
'license numbers)',
None,
None]},
'date_detected': ['2024-07-01 (spear-phishing campaign start)',
'2025-01-13',
'2025-03-01',
'2025-11-01 (Patch Tuesday)'],
'date_publicly_disclosed': ['2024-09-05 (first wipe incident)',
'2025-10-01 (regulatory filing)',
'2025-11-01 (breach notice)',
'2025-11-01 (Patch Tuesday release)',
'2025-11-01 (OWASP update announcement)'],
'date_resolved': ['2025-03-02 (attackers ejected)'],
'description': ['The British government is investigating whether over 2,500 '
'Chinese-manufactured Yutong electric buses in the UK could '
'be remotely disabled via telematics and battery management '
'systems. Norway and Denmark previously discovered similar '
'vulnerabilities, prompting the UK probe. Yutong claims '
'compliance with international cybersecurity standards.',
"North Korean APT group Konni (APT37) abused Google's Find "
'Hub feature to remotely wipe Android devices in South Korea. '
'The campaign involved spear-phishing via KakaoTalk, malware '
'propagation (AutoIt scripts, LilithRAT, RemcosRAT), and two '
'waves of attacks in September 2024. Victims included a '
'counselor for North Korean defectors, with data erased and '
'notifications delayed.',
'Conduent Business Solutions disclosed additional $25M in '
'breach notification expenses (totaling $50M) for a January '
'2025 hack affecting 10.5 million individuals, including '
'healthcare clients like Blue Cross Blue Shield of Montana '
'(462,000 members). Attackers had access from October 21, '
'2024, to January 13, 2025, exfiltrating files. The company '
'faces lawsuits and regulatory investigations.',
'Hyundai AutoEver America detected unauthorized access '
'between February 22 and March 2, 2025, potentially exposing '
'PII (names, SSNs, driver’s license numbers) of 2.7 million '
'individuals. No ransomware group claimed responsibility, and '
'exfiltration remains unconfirmed.',
'Microsoft’s November 2025 Patch Tuesday fixed 63 '
'vulnerabilities, including a zero-day (CVE-2025-62215, '
'Windows Kernel privilege escalation) and five Critical flaws '
'(e.g., CVE-2025-62199 in Office enabling RCE). Most patches '
'addressed elevation-of-privilege issues in components like '
'Smart Card and Kerberos.',
"OWASP added 'Software Supply Chain Failures' and 'Continuous "
"Vulnerability Disclosure Failures' to its Top 10 web app "
'vulnerabilities. The update emphasizes root causes over '
'symptoms, reflecting modern software development risks like '
'dependency management gaps and inconsistent disclosure '
'processes.'],
'impact': {'brand_reputation_impact': ['Potential distrust in '
'Chinese-manufactured vehicles',
'Erosion of trust in Google/KakaoTalk '
'security',
'Reputational harm (healthcare sector)',
'Reputational risk (automotive sector)',
None,
None],
'conversion_rate_impact': [None, None, None, None, None, None],
'customer_complaints': [None,
None,
'Class action lawsuits (12+ proposed)',
None,
None,
None],
'data_compromised': [None,
'Personal data (remote wipe) + KakaoTalk '
'account hijacking',
'Files associated with healthcare clients '
'(10.5M individuals)',
'PII (names, SSNs, driver’s license numbers) '
'of 2.7M individuals',
None,
None],
'downtime': [None,
None,
'Oct 21, 2024 – Jan 13, 2025 (access period)',
'Feb 22 – Mar 2, 2025 (access period)',
None,
None],
'financial_loss': [None,
None,
'$50 million (incident response + '
'notifications)',
None,
None,
None],
'identity_theft_risk': [None,
None,
'High (10.5M individuals)',
'High (2.7M individuals)',
None,
None],
'legal_liabilities': [None,
None,
'Regulatory investigations (e.g., Montana) + '
'lawsuits',
None,
None,
None],
'operational_impact': ['Potential remote disablement of buses',
'Disrupted communications (KakaoTalk) + '
'data loss',
'Operational disruption (Jan 13, 2025)',
None,
None,
None],
'payment_information_risk': [None, None, None, None, None, None],
'revenue_loss': [None,
None,
'Potential (litigation, reputational harm)',
None,
None,
None],
'systems_affected': ['2,500+ Yutong electric buses (UK)',
'Android devices (South Korea, including '
'smartphones/tablets)',
'Conduent IT environment (limited portion)',
'Hyundai AutoEver America systems',
'Windows, Office, Azure, Visual Studio, etc.',
None]},
'initial_access_broker': {'backdoors_established': [None,
None,
None,
None,
None,
None],
'data_sold_on_dark_web': [None,
None,
None,
None,
None,
None],
'entry_point': [None,
'KakaoTalk spear-phishing',
None,
None,
None,
None],
'high_value_targets': [None,
'North Korean defectors’ '
'counselors',
'Healthcare insurance data',
None,
None,
None],
'reconnaissance_period': [None,
'July 2024 (phishing '
'campaign start)',
None,
None,
None,
None]},
'investigation_status': ['Ongoing (UK probe)',
'Attributed to Konni/APT37 (Genians)',
'Ongoing (litigation/regulatory)',
'Disclosed (no further updates)',
'Patches released',
'Framework published'],
'lessons_learned': ['Supply chain risks in IoT/vehicle telematics require '
'stricter oversight.',
'Legitimate device-management features (e.g., Find Hub) '
'can be weaponized; MFA and behavioral monitoring are '
'critical.',
'Prolonged network access (3+ months) underscores need '
'for continuous threat detection and faster incident '
'response.',
'Unconfirmed exfiltration highlights challenges in breach '
'attribution and impact assessment.',
'Zero-day exploitation (CVE-2025-62215) reinforces '
'urgency of patch management for privilege escalation '
'flaws.',
'Supply chain and vulnerability disclosure gaps demand '
'proactive dependency management and transparent '
'reporting.'],
'motivation': ['Potential state-sponsored sabotage (unconfirmed)',
'Espionage (targeting defectors and South Korean entities)',
'Financial gain (data theft) / Unknown',
'Unknown (potentially data theft)',
'N/A',
'N/A'],
'post_incident_analysis': {'corrective_actions': ['UK may impose '
'cybersecurity requirements '
'for Chinese-manufactured '
'vehicles.',
'Google/KakaoTalk may '
'restrict Find Hub access; '
'South Korea to enhance APT '
'defenses.',
'Conduent investing in EDR '
'and incident response '
'playbooks.',
'Hyundai reviewing PII '
'access controls and '
'logging.',
'Microsoft urges immediate '
'patching for '
'CVE-2025-62215.',
'OWASP recommends SBOM '
'adoption and automated '
'disclosure workflows.'],
'root_causes': ['Lack of supply chain '
'cybersecurity standards for '
'vehicle telematics.',
'Over-reliance on single-factor '
'authentication (Google accounts) '
'+ abuse of legitimate tools (Find '
'Hub).',
'Inadequate network segmentation '
'allowing 3-month dwell time.',
'Unspecified initial access vector '
'(potential unpatched '
'vulnerability).',
'Race condition in Windows Kernel '
'(CVE-2025-62215).',
'Gaps in dependency tracking and '
'vulnerability disclosure '
'processes.']},
'ransomware': {'data_encryption': [None, None, None, None, None, None],
'data_exfiltration': [None, None, None, None, None, None],
'ransom_demanded': [None, None, None, None, None, None],
'ransom_paid': [None, None, None, None, None, None],
'ransomware_strain': [None, None, None, None, None, None]},
'recommendations': ['Mandate third-party audits for IoT/vehicle remote-access '
'capabilities; enforce air-gapped controls for critical '
'functions.',
'Disable or restrict Google Find Hub for high-risk users; '
'implement hardware-based authentication for account '
'recovery.',
'Enhance EDR/XDR to detect lateral movement; conduct '
'tabletop exercises for healthcare data breaches.',
'Deploy endpoint detection for PII access anomalies; '
'offer credit monitoring to affected individuals.',
'Prioritize patching for elevation-of-privilege '
'vulnerabilities; test mitigations for use-after-free '
'flaws in Office.',
'Adopt SBOMs for software supply chains; automate '
'vulnerability disclosure workflows with SLAs.'],
'references': [{'source': 'The Guardian'},
{'source': 'Genians (via ISMG)'},
{'date_accessed': '2025-10-01',
'source': 'Conduent Regulatory Filing'},
{'date_accessed': '2025-11-01',
'source': 'Hyundai AutoEver America Breach Notice'},
{'date_accessed': '2025-11-01',
'source': 'Microsoft Security Update Guide',
'url': 'https://msrc.microsoft.com/update-guide'},
{'date_accessed': '2025-11-01',
'source': 'OWASP Top 10 2025',
'url': 'https://owasp.org/www-project-top-ten/'},
{'date_accessed': '2025-11-01',
'source': 'ISMG Breach Roundup',
'url': 'https://www.ismg.com'}],
'regulatory_compliance': {'fines_imposed': [None,
None,
None,
None,
None,
None],
'legal_actions': [None,
None,
'12+ class action lawsuits + '
'state investigations (e.g., '
'Montana)',
None,
None,
None],
'regulations_violated': [None,
None,
'Potential HIPAA '
'(healthcare data)',
None,
None,
None],
'regulatory_notifications': [None,
None,
'Yes (e.g., Montana '
'BCBS disclosure)',
'Breach notices',
None,
None]},
'response': {'adaptive_behavioral_waf': [None, None, None, None, None, None],
'communication_strategy': ['Public probe announcement (The '
'Guardian)',
'Genians public report',
'Regulatory filings + breach '
'notifications',
'Breach disclosure',
'Patch Tuesday bulletin',
'OWASP announcement'],
'containment_measures': [None,
None,
'Attackers ejected (Jan 13, 2025)',
'Attackers ejected (Mar 2, 2025)',
None,
None],
'enhanced_monitoring': [None, None, None, None, None, None],
'incident_response_plan_activated': ['Yes (UK DfT + NCSC probe)',
None,
'Yes (Conduent)',
'Yes (Hyundai)',
'Yes (Microsoft Patch '
'Tuesday)',
None],
'law_enforcement_notified': [None, None, None, None, None, None],
'network_segmentation': [None, None, None, None, None, None],
'on_demand_scrubbing_services': [None,
None,
None,
None,
None,
None],
'recovery_measures': [None, None, None, None, None, None],
'remediation_measures': ['Investigation ongoing',
None,
'Breach notifications + '
'legal/regulatory responses',
'Data breach notices',
'Security patches deployed',
None],
'third_party_assistance': [None,
'Genians (cybersecurity firm, '
'attributed attack)',
None,
None,
None,
None]},
'stakeholder_advisories': ['UK DfT/NCSC warnings to transport operators',
'Genians advisory to South Korean organizations',
'Conduent notifications to healthcare clients',
'Hyundai notices to affected individuals',
'Microsoft guidance for sysadmins',
'OWASP guidance for developers'],
'threat_actor': ['Konni (APT37, TA406, Thallium) under Kimsuky umbrella'],
'title': ['UK Probes Whether Chinese-Made Electric Buses Can Be Remotely '
'Disabled',
'North Korean Hackers Remotely Wipe Android Devices in South Korea',
'Conduent Updates Cost of January 2025 Cyberattack to $50 Million',
'Hyundai Discloses Data Breach Affecting 2.7 Million Individuals',
'Microsoft November Patch Tuesday Addresses 63 Vulnerabilities, '
'Including Zero-Day',
'OWASP Updates Top 10 Web Application Vulnerabilities with Two New '
'Categories'],
'type': ['Supply Chain Risk / Remote Access Vulnerability',
'Cyber Espionage / Remote Wipe Attack',
'Data Breach / Unauthorized Access',
'Data Breach / Unauthorized Access',
'Vulnerability Disclosure / Patch Management',
'Vulnerability Framework Update'],
'vulnerability_exploited': ['Remote-access features in Yutong buses '
'(SIM-enabled systems)',
'Google Find Hub (legitimate feature abused for '
'remote wipe)',
['CVE-2025-62215 (Windows Kernel EoP)',
'CVE-2025-62199 (Office RCE)',
'CVE-2025-60716 (DirectX LPE)',
'CVE-2025-60724 (GDI+ RCE)',
'CVE-2025-62214 (Visual Studio command '
'injection)']]}