Ransomware Automotive / Manufacturing · United States · February 2026

Volvo Group North America

Analysis of the Volvo Group breach affecting 17,000 employees via the Conduent/SafePay ransomware supply chain attack.

Records Affected

17,000 employees

Attack Type

Ransomware

Location

United States

Data types exposed

Names Social Security numbers medical information

What Happened

In February 2026, Volvo Group North America disclosed that 17,000 employees were affected as a downstream impact of the Conduent ransomware breach by the SafePay group.
The compromised data includes names, SSNs, and medical information. Volvo only learned of the exposure in January 2026, despite the underlying breach occurring in late 2024.

Timeline

  • October 2024 - January 2025 — SafePay ransomware group compromises Conduent, claiming to have exfiltrated 8.5TB of data
  • January 2026 — Volvo Group North America learns of employee data exposure through Conduent breach
  • February 2026 — Volvo discloses the breach and begins notifying 17,000 affected employees

Impact and Risk Assessment

For Individuals

17,000 Volvo employees had their SSNs and medical information exposed through a third-party service provider breach.
The extended timeline between the breach and notification means affected individuals had no opportunity to take protective action for over a year.

For Organisations

Volvo Group faces the challenge of managing employee trust and response for a breach that originated entirely outside their control.
This incident demonstrates how corporate clients can be swept up in a government contractor breach without direct warning.

Regulatory Context

US state data breach notification laws apply. The extended notification timeline may draw scrutiny regarding contractual obligations between Volvo and Conduent.

What Should You Do?

For Individuals

  • If you are a Volvo Group North America employee, place a fraud alert or credit freeze given the SSN exposure, and take advantage of any credit monitoring offered.

For Security Professionals

  • Ensure your contracts with third-party service providers include meaningful breach notification timelines and security requirements.
  • Map your organisation's data flows through third-party service providers to understand supply chain exposure risk.

Learnings and Recommendations

This incident illustrates how corporate clients can be swept up in a government contractor breach without direct warning. The notification delay highlights the importance of vendor oversight.
Organisations should have contractual requirements for timely breach notification from their service providers.
This advisory summarises a publicly reported cybersecurity incident for educational purposes. Information is sourced from publicly available reports and may include claims that are unverified or disputed. Inclusion does not imply fault or negligence by the affected organisation.
Back to all advisories