Cyber Incident Victim: Conduent
Date: May 2020
Location: United States of America
Summary
Maze ransomware operators breached a major business services firm, stealing unencrypted files before encrypting devices and threatening public data release. The attackers leaked approximately 1GB of compromised financial spreadsheets, customer audits, invoices, and compliance documents as proof. The company confirmed a ransomware incident causing a 10-hour service disruption primarily affecting European operations, with systems restored shortly afterward. Forensic investigations suggested potential exploitation of a critical Citrix NetScaler vulnerability (CVE-2019-19781) that had been unpatched for weeks prior, though this entry point wasn't definitively confirmed. The data theft necessitated breach disclosures to affected clients and employees due to sensitive information exposure.
Description
On May 29, 2020, business services firm Conduent experienced a ransomware attack impacting its European operations, first detected at 12:45 AM CET. The Maze ransomware group claimed responsibility for the breach, asserting they had infiltrated Conduent's network earlier in May 2020. Maze operators followed their standard tactic of exfiltrating unencrypted files before deploying ransomware encryption across devices. As evidence, Maze publicly released approximately 1GB of stolen data labeled 'BusinessIntelligence.zip' and 'Compliance1.zip,' containing financial spreadsheets, customer audits, invoices, commission statements, and miscellaneous documents. This data leak compelled Conduent to disclose the incident as a breach affecting clients and employees. The company confirmed the ransomware disrupted services for approximately 10 hours, with systems mostly restored by 10:00 AM CET that day and fully restored afterward. Conduent activated cybersecurity protocols to contain the attack and engaged internal and external forensic teams alongside antivirus experts to investigate and monitor European infrastructure.

Threat intelligence firm Bad Packets reported that Conduent had operated vulnerable Citrix NetScaler gateways (CVE-2019-19781) for at least eight weeks between December 17, 2019, and February 14, 2020. This critical vulnerability, patched by Citrix in January 2020, enabled remote code execution and was historically exploited by attackers to deploy ransomware. Maze operators were known to leverage such vulnerabilities for network access, as seen in their April 2020 breach of Cognizant, where Bad Packets similarly identified exposed Citrix systems. While Conduent’s statement did not confirm the Citrix flaw as the attack vector, the alignment of timelines and Maze’s tactics suggested a plausible entry point. The incident caused partial service interruptions for some clients, though Conduent emphasized operational restoration and ongoing forensic reviews. Maze’s data leak strategy intensified pressure on the company to address potential regulatory and reputational repercussions from the exposure of sensitive business documents.
