
Despite years of high-profile breaches and regulatory checklists, organizations handling critical data, especially governments and their vendors, continue to drop the ball on basic cloud protections. The recent Conduent ransomware attack, alongside others such as the Snowflake, Change Healthcare, and Ingram Micro incidents, lays bare the persistent gaps: misconfigurations, absent MFA, and ignored shared responsibility models that leave sensitive PII, health records, financial details, and even sensitive investigative data from government services dangling for attackers. We’re not getting this right because compliance often outweighs real security, vendor oversight is at best questionable, and the rush to scale via multi-cloud setups like Azure and OCI amplifies every weak link. While progress like FedRAMP expansions shows improvement, execution lags, especially in complex supply chains.
The Stubborn Vulnerabilities We Keep Ignoring
Look at the patterns: it is often the same playbook every time. Conduent’s SafePay ransomware lurked undetected from October 2024 to January 2025, siphoning 8 TB across hybrid clouds and exposing 25 million people’s SSNs, DOBs, addresses, medical data, and potentially sensitive investigative records tied to state programs like child support enforcement or public safety processing. Snowflake’s 2024 UNC5537 crew waltzed in with stolen, unrotated credentials lacking MFA, hitting 165+ customers in both the private and public sectors. Change Healthcare’s BlackCat breach via a misconfigured Citrix portal in cloud-linked systems dumped 192.7 million health records. Ingram Micro lost 3.5 TB to similar SafePay tactics on unpatched APIs.
These aren’t novel exploits; they’re low-hanging fruit. Over-permissive IAM misconfigurations open up storage buckets. Unpatched APIs and remote access without zero-trust let ransomware pivot laterally. Multi-cloud setups (Azure, OCI) amplify risks without unified controls, though CISA reports 40% agency adoption of zero-trust mitigates some lateral movement. Shared responsibility gaps mean customers skimp on their side (MFA skipped, credentials stale for years) while providers like Snowflake point fingers. Human error fuels 26% of incidents, with 99% of cloud failures traced to customer configs, per IBM’s 2025 data. Yet we deploy BPaaS and CXaaS at scale, multiplying risks across millions without uniform enforcement.
Government Customers
Government entities, tasked with safeguarding citizens’ most sensitive info, fare no better. States like Texas (15.4M affected) and Oregon (10.5M) outsourced benefits, Medicaid, child support, and potentially investigative data handling to Conduent, only to watch hackers feast unchecked for months. Texas AG probes and class actions highlight toothless contracts: no mandated zero-trust, no real-time vendor audits. FedRAMP promises federal cloud rigor with continuous monitoring, but it buckles under third-party chains where agencies enforce little beyond checked boxes.
Post-Change Healthcare hearings exposed “industry standard” lapses like no MFA on portals handling federal reimbursements. Snowflake’s government-adjacent clients repeated the credential sins. CISA preaches zero-trust mandates, yet responses stay reactive: credit monitoring after the fact, $25M in Conduent cleanup costs, eroded public trust. We’re talking critical infrastructure—health claims, tolling, emergency benefits, and sensitive investigative data—where breaches don’t just annoy; they disrupt payments, enable ID theft, and fuel ransomware extortion.
Supply Chain Fragility and Data Concentration
Centralizing data from multiple states in processors like Conduent expands the blast radius: one intrusion scales across jurisdictions. Compliance satisfies audits but misses operational resilience: Conduent’s three-month dwell evaded detection despite oversight. How much of your critical data sits outside direct control, and what real-time visibility exists into its security? This matters for CALEA/GDPR frameworks, where vendor gaps threaten emergency systems.
The Human Cost: Real Risks to Real People
This isn’t abstract. Exposed SSNs spawn phishing barrages, synthetic identities, and loan fraud. Health data from Conduent and Change enables medical ID theft, with fake claims racking up bills victims fight for years. Leaked investigative data risks compromising ongoing cases, witness safety, or law enforcement ops if stored in breached government contractor systems. Financial details from Ingram and Snowflake arm targeted scams. For vulnerable populations reliant on government services (Medicaid enrollees, retirees), it’s chaos: delayed benefits, privacy shredded, long-term harms like credit ruin without recourse.
Ransomware doesn’t stop at theft; it encrypts ops, as Ingram’s $136M daily hit showed, cascading to public services. Dark web dumps invite nation-states and crooks alike. And with 25M+ from Conduent alone, potentially the biggest U.S. breach, scale turns individual risks systemic. We’re exposing everyday people, not just elites, because “cloud-native” hype outpaces hygiene.
Vendor Lock-In and the Myth of Multi-Cloud Safety
Multi-cloud was sold as resilience (Azure for contacts, OCI for tolling, Google for eDiscovery), but it fragments controls. Vendor lock-in breeds complacency; third-party access (phishing footholds) scales via APIs. Conduent’s BPaaS funnels risks to clients without baked-in CSPM scanning. No unified zero-trust across providers means gaps persist, even as costs soar.
Breaking the Cycle: Time for Accountability, Not Checklists
FedRAMP and CISA guidelines exist, but execution lags; governments must demand contractual zero-trust proofs, real-time telemetry sharing, and breach penalties. Mandate MFA everywhere, automated config audits, and pen tests pre-deployment. Ditch vendor-blind trust; audit chains end-to-end. Train relentlessly on shared responsibility, because the 99% of failures traced to customers won’t fix themselves.
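An automated config audit of the kind called for above can start as a scheduled check over an exported identity inventory, flagging the three customer-side gaps this article keeps returning to: missing MFA, stale credentials, and over-broad grants. This is an added example, not code from the article or any vendor; the inventory schema, identity names, and 90-day rotation threshold are assumptions.

```python
from datetime import date

MAX_KEY_AGE_DAYS = 90  # assumed rotation policy, not a figure from the article

# Constructed inventory in a hypothetical, provider-neutral schema.
INVENTORY = [
    {"name": "svc-claims-etl", "mfa": False, "key_created": date(2021, 3, 1),
     "grants": [{"action": "storage:*", "resource": "*"}]},
    {"name": "analyst-01", "mfa": True, "key_created": date(2025, 5, 20),
     "grants": [{"action": "storage:GetObject", "resource": "bucket/reports/*"}]},
    {"name": "vendor-support", "mfa": True, "key_created": date(2023, 11, 2),
     "grants": [{"action": "*", "resource": "bucket/tolling/*"}]},
]

def is_overbroad(grant):
    """A grant is over-broad if it wildcards a whole service, every action, or every resource."""
    action, resource = grant["action"], grant["resource"]
    return action == "*" or action.endswith(":*") or resource == "*"

def audit(inventory, today):
    """Return (identity, rule, detail) findings for the three customer-side checks."""
    findings = []
    for ident in inventory:
        if not ident["mfa"]:
            findings.append((ident["name"], "no-mfa", "MFA not enforced"))
        age = (today - ident["key_created"]).days
        if age > MAX_KEY_AGE_DAYS:
            findings.append((ident["name"], "stale-key", f"{age} days old"))
        for grant in ident["grants"]:
            if is_overbroad(grant):
                detail = f"{grant['action']} on {grant['resource']}"
                findings.append((ident["name"], "overbroad-grant", detail))
    return findings

def gate(findings):
    """Exit status for a pipeline step: non-zero blocks the deployment."""
    return 1 if findings else 0

if __name__ == "__main__":
    results = audit(INVENTORY, date(2025, 6, 1))
    for name, rule, detail in results:
        print(f"{name:16} {rule:16} {detail}")
    raise SystemExit(gate(results))
```

Run against a vendor's exported inventory as well as your own, the same check gives the contract-side evidence that a signed attestation does not.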
Until leaders prioritize security over speed, treating sensitive data as a liability, not an asset, we’ll cycle through megabreaches. The risks to citizens are too grave: not just data loss, but lives upended and investigations jeopardized. Governments outsourcing critical functions owe better than reactive apologies and free credit freezes. Get the basics right, or keep paying the price.








