The City of San José disclosed a data security incident involving a lost USB drive containing sensitive employee information. The device, which may have included names and Social Security numbers of current and former employees, was reported missing in January 2026.
City of San José’s Data Breach Investigation
The City of San José recently notified affected individuals about a data security incident involving the loss of a USB or thumb drive containing sensitive information. According to the official notice, on January 12, 2026, the City learned that a workforce member had lost the device on January 9, 2026. The USB drive reportedly contained information related to current and former City employees.
Upon discovering the loss, the City of San José immediately launched an internal investigation and notified law enforcement authorities. While officials have stated that there is currently no evidence that the information stored on the USB drive was accessed, viewed, or misused, the exposure of unencrypted portable media devices remains a significant cybersecurity concern.
Lost or stolen devices are a common cause of data breaches, particularly when they contain sensitive personally identifiable information (PII) such as Social Security numbers. Even without confirmed misuse, the risk of identity theft and fraud remains, as unauthorized individuals could potentially access the data if proper safeguards were not in place.
The City stated that the files on the USB drive may have contained names and Social Security numbers belonging to current and former employees. This type of information is especially valuable to cybercriminals because it can be used to open fraudulent accounts, file false tax returns, or commit other forms of identity theft.
As part of its response, the City is offering impacted individuals a complimentary one-year membership to Epiq Privacy Solutions ID. Credit monitoring services can help individuals detect suspicious activity on their credit reports, though they do not prevent identity theft from occurring in the first place.
Additionally, the City has indicated that it is reviewing its data storage and transfer policies to help prevent similar incidents in the future. Strengthening internal protocols for handling sensitive information is a critical step in reducing the risk of repeat breaches.
Government entities, like private corporations, have a responsibility to safeguard the personal data they collect and maintain. When lapses occur—whether due to lost devices, insufficient safeguards, or human error—affected individuals may face long-term consequences. Identity theft can result in financial losses, damaged credit, and years of administrative challenges.
At Class Action U, we believe individuals deserve transparency and accountability when their sensitive information is placed at risk. Data breach victims should not feel powerless. Understanding what happened and exploring your legal options is an important first step toward protecting your rights.
When Did This Breach Occur?
The USB drive was reportedly lost on January 9, 2026.
The City of San José learned of the incident on January 12, 2026, at which point it initiated an investigation and notified law enforcement.
What Information Was Breached?
According to the City’s notice, the following information may have been contained on the lost USB drive:
-
Name
-
Social Security number
Even in cases where misuse has not been confirmed, exposure of Social Security numbers can significantly increase the risk of identity theft and financial fraud.
What You Can Do
If you received a notice from the City of San José regarding this incident, it’s important to take proactive steps to protect yourself:
-
Carefully review your bank and financial account statements for unauthorized transactions.
-
Monitor your credit reports for unfamiliar accounts or inquiries.
-
Take advantage of the complimentary one-year membership to Epiq Privacy Solutions ID being offered.
-
Consider placing a fraud alert or credit freeze with the major credit bureaus.
-
Report suspicious activity immediately to your financial institution.
Identity theft can occur months or even years after a data breach. Remaining vigilant is key. You should also consider learning about your legal options. Many people do not realize that they may be eligible to join a class action lawsuit following a data breach.
When organizations fail to properly safeguard sensitive data, affected individuals may have the right to seek compensation for the risks and harms they face. You do not have to navigate this process alone.
File a Data Breach Lawsuit Against City of San José
If you received a data breach notification from the City of San José, you may be eligible to pursue compensation through a class action lawsuit. Government entities and employers have a duty to implement reasonable security measures to protect personal information.
Even if no fraud has occurred yet, the exposure of your Social Security number can place you at long-term risk. Courts have increasingly recognized that the threat of identity theft, time spent monitoring accounts, and costs associated with credit protection can constitute real harm.
Class action lawsuits allow individuals to band together to hold organizations accountable when data protection failures occur. By joining with others who were similarly impacted, you may be able to seek financial recovery and push for stronger data security practices.
Contact us at Class Action U, where we’ll connect you with a lawyer skilled in class action lawsuits. If you’ve been contacted about this breach, received notice, or discovered you were impacted, form to sign fill out our quick, easy, and secureup. There is no cost to reach out to our legal partner and no obligation after speaking with someone from our team
