The Conduent Breach Hit 25 Million People — Trade Show Organizers Are Sitting on the Same Kind of Data
The numbers keep climbing. What government technology giant Conduent initially described as a limited cybersecurity incident from January 2025 has ballooned into one of the largest data breaches in American history. As of this week, the confirmed victim count has surpassed 25 million people across multiple states — 15.4 million in Texas alone, accounting for roughly half the state's population. The stolen data includes names, Social Security numbers, medical records, and health insurance information. At least ten federal class action lawsuits have been filed. The notification process is still ongoing.
This is a catastrophic event for Conduent and the government agencies that entrusted it with citizen data. But for the trade show and exhibition industry, the Conduent breach should function as something more urgent than a cautionary tale in someone else's sector. It should function as a mirror.
The Data Trade Shows Collect Is More Sensitive Than You Think
Every major trade show is a data collection operation. Registration systems capture names, email addresses, phone numbers, company names, job titles, and mailing addresses. Payment systems process credit card information for booth purchases, sponsorships, and registration fees. Badge scanning systems — used by hundreds of exhibitors across the show floor — capture attendee movements, booth visit histories, and contact details that are exported to CRM systems after the event.
At a large show with 50,000 attendees and 2,000 exhibitors, the total data footprint is enormous. The registration database alone contains personally identifiable information on every attendee. The exhibitor portal holds company financial data, payment credentials, and contractual information. The lead retrieval system creates a behavioral map of every attendee's movements across the show floor, linked to their identity.
A major trade show's data infrastructure handles the same categories of sensitive information that made the Conduent breach so devastating: identity data, financial data, and behavioral data tied to real individuals. The difference is that most trade show organizations invest a fraction of what a government contractor does in cybersecurity.
And that fraction may not be much consolation. Conduent reportedly spent significant resources on its cybersecurity posture and still suffered unauthorized access that persisted for nearly three months — from October 2024 to January 2025 — before detection. If a company whose core business involves handling sensitive government data can be compromised this thoroughly, the question every trade show organizer should be asking is not whether their systems could be breached, but what they are doing to minimize the blast radius when they are.
The Regulatory Walls Are Closing In
The Conduent breach has intensified regulatory scrutiny on any organization that handles large volumes of personal data. State attorneys general across the country are investigating. The European Commission's AI transparency code, finalized this month, adds new requirements for how automated systems process personal information. And the patchwork of U.S. state privacy laws — now active in over 15 states — means that a trade show operating in different venues across the country may face different notification requirements, retention limits, and consent obligations depending on where the event is held and where attendees reside.
For international trade shows, the picture is even more complex. GDPR enforcement in Europe has only accelerated, with regulators increasingly willing to impose substantial fines on organizations that fail to demonstrate adequate data protection practices. A European trade show that collects attendee data from 30 countries and shares that data with exhibitors through a lead retrieval platform is operating a cross-border data processing operation that would make a privacy lawyer reach for a very thick stack of compliance forms.
The exhibition industry has historically operated with a relatively light regulatory touch on data practices. That era is ending. The Conduent breach — and the class action litigation it has generated — establishes a clear precedent: organizations that collect personal data at scale and fail to protect it adequately will face both legal liability and reputational destruction.
What Exhibitors Should Demand from Organizers
If you are an exhibitor investing significant resources in a trade show, the security of the event's data infrastructure is now a legitimate due diligence question — not a technical detail you leave to someone else. Here is what to look for and what to ask:
- Ask about the registration platform's security posture. Is attendee data encrypted at rest and in transit? Where are the servers located? What certifications does the platform hold (SOC 2, ISO 27001)? If the organizer cannot answer these questions, that is itself an answer.
- Understand the lead retrieval data flow. When you scan a badge at your booth, where does that data go? Who has access? How long is it retained on the organizer's systems? Many exhibitors assume the data goes directly to their CRM — in reality, it often passes through multiple third-party systems, each representing an additional attack surface.
- Review the event's data processing agreement. Under GDPR and many U.S. state privacy laws, the organizer is a data controller and exhibitors who receive attendee data are data processors (or joint controllers). This creates legal obligations for both parties. If the event does not have a formal data processing agreement, it is operating outside regulatory compliance in most jurisdictions.
- Limit the data you collect to what you actually need. The most effective data security measure is data minimization. If you do not need an attendee's phone number to follow up, do not collect it. Every additional data field you capture increases your liability and the potential damage from a breach.
What Organizers Must Do Now
For trade show organizers, the Conduent breach should trigger an immediate review of data security practices across the entire event technology stack. The following steps are not optional in the current regulatory and threat environment:
- Conduct a formal data audit. Map every system that touches attendee or exhibitor data: registration, payment processing, badge printing, lead retrieval, mobile apps, Wi-Fi analytics, session tracking, survey platforms. For each system, document what data is collected, where it is stored, who has access, and what security controls are in place.
- Implement breach response planning. The difference between a manageable incident and a Conduent-scale catastrophe often comes down to detection speed and response preparedness. Conduent's breach persisted for nearly three months before discovery. A tested incident response plan with clear escalation procedures, pre-drafted notification templates, and designated response team members can compress that timeline dramatically.
- Vet every vendor in your data supply chain. Trade show organizers typically use a constellation of technology vendors — registration providers, badge scanning companies, Wi-Fi analytics firms, mobile app developers. Each vendor that handles attendee data is a potential breach vector. Require SOC 2 reports or equivalent security documentation from every vendor, and include data security requirements in all contracts.
- Encrypt, segment, and minimize. Encrypt all personal data at rest and in transit. Segment databases so that a breach of one system does not expose the entire attendee population. And most importantly, stop collecting data you do not need. The smallest possible data footprint is the strongest possible security posture.
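The minimization and segmentation advice in the exhibitor and organizer lists above can be applied at the point where badge scans are exported to exhibitors. This is an added example, not code from the original article or from any lead retrieval platform. The field names, the allow-list, the 90-day retention limit and the per-exhibitor keys are all assumptions made for illustration.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumptions for illustration: field names, the allow-list and the
# 90-day retention limit are hypothetical, not taken from any platform.
ALLOWED_FIELDS = {"name", "email", "company"}
RETENTION = timedelta(days=90)

def lead_ref(attendee_id: str, exhibitor_key: bytes) -> str:
    """Keyed pseudonym: one attendee gets a different, unlinkable
    reference in each exhibitor's export (segmentation)."""
    return hmac.new(exhibitor_key, attendee_id.encode(), hashlib.sha256).hexdigest()

def minimize(scan: dict, exhibitor_key: bytes) -> dict:
    """Keep only allow-listed fields; swap the registration ID for a pseudonym."""
    lead = {k: v for k, v in scan.items() if k in ALLOWED_FIELDS}
    lead["lead_ref"] = lead_ref(scan["attendee_id"], exhibitor_key)
    lead["scanned_at"] = scan["scanned_at"]
    return lead

def purge_expired(leads: list, now: datetime) -> list:
    """Drop leads held longer than the retention limit."""
    return [l for l in leads
            if now - datetime.fromisoformat(l["scanned_at"]) <= RETENTION]

# Constructed sample badge scan (not real data).
SAMPLE_SCAN = {
    "attendee_id": "REG-000123",
    "name": "Alex Example",
    "email": "alex@example.com",
    "company": "Example Corp",
    "phone": "+1-555-0100",
    "mailing_address": "1 Example Way",
    "scanned_at": "2025-03-01T10:15:00+00:00",
}

if __name__ == "__main__":
    lead = minimize(SAMPLE_SCAN, b"exhibitor-A-key")
    print(lead)
    print(purge_expired([lead], datetime(2025, 7, 1, tzinfo=timezone.utc)))
```

Because each exhibitor's export carries a different reference for the same attendee, a leak of one export cannot be joined against another exhibitor's file or the registration database without the key.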
The Cost of Getting This Wrong
Conduent is now facing at least ten federal class action lawsuits, ongoing investigations by multiple state attorneys general, and the kind of reputational damage that takes years to repair. The company's stock has reflected the crisis. Its government clients are reviewing their contracts.
A trade show organizer that suffered a breach of comparable severity — exposing the personal and financial data of tens of thousands of exhibitors and attendees — would face a similar cascade of consequences, with the added dimension of lost trust in an industry built entirely on the willingness of companies to gather in one place and share information. If attendees and exhibitors do not trust that their data is safe, they will stop coming. No amount of marketing can recover from that.
The Conduent breach is not someone else's problem. It is a 25-million-person demonstration of what happens when data security is treated as a cost center rather than a core business function. For the trade show industry, which has built its entire modern infrastructure on digital data collection, the lesson could not be more direct: protect the data, or the data will destroy you.