Cyber Threat Actor: Safeway
| Actor Type | Location | Known Incidents |
Criminal
|
—
|
1 incident |
|---|
Profile
Safeway is a threat actor known for conducting ransomware operations targeting entities handling sensitive personal data. The group's activities have impacted government contractors and organizations managing large-scale healthcare information systems. Public reporting attributes a significant 2025 ransomware attack against Conduent, a government technology contractor servicing multiple U.S. states including Texas and Oregon, to this actor. The incident resulted in widespread data theft affecting millions of Americans, with compromised records containing Social Security numbers, medical histories, and health insurance details.
The group demonstrates a focus on exfiltrating substantial volumes of sensitive data to support extortion demands, claiming theft of over 8 terabytes in the Conduent breach. Their operations cause tangible operational disruptions, as evidenced by service outages following the attack. Safeway targets organizations managing government healthcare programs and corporate client data, indicating strategic selection of victims with high-pressure compliance incentives. The actor leverages ransomware deployment alongside data theft, though specific malware families and initial access vectors remain undisclosed in available reporting. No publicly verifiable attribution to state actors or criminal consortiums exists for this group based on current disclosures. The Conduent breach exemplifies their operational impact, requiring extended victim notification periods due to the breach's expanding scope and unconfirmed total victim count.
