
Volvo Group North America has been identified as one of several major companies impacted by a recent data breach at HR outsourcing provider Conduent. Conduent detected an intrusion on its network on January 13, 2025, and an investigation revealed that the hackers had had access to its network since mid-October.
The attackers obtained personal information such as names, addresses, SSNs, dates of birth, health insurance data, and medical information.
In recent notifications sent to impacted individuals on behalf of Volvo Group, Conduent indicated that it provides printing/mailroom, document processing, payment integrity, and other back-office support services to the companies affected by the data breach. In the case of Volvo Group, the company told the Maine Attorney General that almost 17,000 employees are affected.
Volvo appears to have learned about the incident only last month.
Based on data breach notifications submitted by Conduent, the incident appeared to impact roughly 10 million individuals. However, recent updates shared by the company indicate that the data breach affects more than twice as many people as initially believed.
Several key industry stakeholders have weighed in on the breach.
Trey Ford, Chief Strategy and Trust Officer at Bugcrowd
"Third party risk management (TPRM) is a fascinatingly difficult space; there are so many layers under this ‘trust but verify’ body of work. Historically third party diligence was tied to a rather offensive questionnaire sent to providers when a standardized third party audit report (think SOC2, ISO27000-series, etc.) was not available.
"We’ve seen shifts toward trust dashboards and on-demand access for customers and prospects, where increasing levels of transparency are available for those with an NDA in place and a business need to know.
"Companies structure their TPRM programs based on the type of service provided, and data accessed, by those vendors. Of note - while the vendor was breached, it’s the larger customer logo named in headlines.
"CISOs walk a tightrope when managing this vendor diligence - we all deal with inbound security diligence requests, and we feel the burden of taxing our constrained resources responding to inquiries when they COULD be focused on improving security posture in service of ALL customers. From a technical perspective, access patterns for the non-human accounts used by these third parties are just as important as the operating model and architecture of the vendor’s service delivery.
"Ultimately, sunshine is the best disinfectant. Working with customers in a high trust, high transparency model enables them to both defend themselves from vendor issues, while collaborating on security prioritization for the business. The North Star in all of TPRM is finding a way that is both highly efficient (protecting resource focus), and highly transparent (enabling customers to get the answers they need)."
Agnidipta Sarkar, Chief Evangelist at ColorTokens
"Of the many reasons why companies take so long to learn of a hack, here are the top three.
- "Companies do not monitor metrics for breach readiness because only a handful of cybersecurity technology companies view cybersecurity operations through the lens of being breach ready. This means that the number of open exploitable ports, applications configured to accept unencrypted incoming requests, or identities no longer connected to a human go unnoticed. And attackers love to use these to bypass existing security controls.
- "Attackers also tend to become dormant for long periods because they change too. Some go out of business, some reorganize themselves, while others procure these opportunities from marketplaces. And this means long periods of silence.
- "Finally, tools to detect anomalous user, application, and connection behavior remain very niche and costly to manage due to the high number of false positives."
Heath Renfrow, Co-Founder and CISO at Fenix24
"Large third-party breaches like the Conduent incident highlight one of the most persistent realities in cybersecurity: discovery and disclosure timelines are often misaligned with public expectations.
"There are several reasons notification can take months. First, most organizations don’t initially know the full scope of compromise. In modern attacks, especially those involving large service providers, threat actors often move laterally across environments, access backup systems, or stage data over time.
"Determining exactly what was accessed, whose data was affected, and whether it was actually exfiltrated requires deep forensic review. That includes log reconstruction, endpoint analysis, cloud telemetry, and third-party validation.
"Second, in cases involving service providers, the breach chain is layered. Conduent may serve hundreds of customers. Each affected customer, like Volvo, must be individually notified once impact is confirmed. That confirmation process requires correlating systems, contractual boundaries, and data ownership. It’s not as simple as flipping a switch.
"That said, the real issue isn’t whether investigations take time, because they do. The bigger question is why organizations are still so dependent on manual forensic processes to determine blast radius. In 2026, we should not be relying on weeks or months of log reconstruction to answer basic impact questions.
"If this were one of our customers, the focus would be on two priorities immediately:
- Containment and recoverability — ensuring operational resilience.
- Real-time impact mapping — identifying exposed data sets quickly using validated asset inventories and dependency mapping.
"The reason delays remain 'acceptable' from a regulatory standpoint is that most state notification laws are written around “after reasonable investigation.” But reasonable investigation in many environments still means fragmented logging, siloed visibility, and incomplete data lineage.
"Until organizations invest in continuous visibility, such as knowing in near real-time what data exists, where it flows, and who has access, these long notification timelines will continue. The uncomfortable truth is this: prevention will never be perfect. But rapid scope determination and resilient recovery are controllable variables. Companies that build for resilience shorten both downtime and disclosure uncertainty."























