San Jose administrators have disclosed that private information for current and former city employees may have been compromised, following a data breach last month.
The incident occurred on Jan. 9 when a “workforce member” lost a USB drive that may have contained Social Security numbers, according to a letter city officials sent to people whose data may have been involved in the breach. San Jose officials have not said how many people were affected by the breach.
San José Spotlight spoke with three people who said they received the city’s letter in recent days, including a current employee and two former employees. One of the former employees said they last worked for the city in 2000. The individuals requested anonymity to protect their privacy.
The current employee said the revelation of the data breach is alarming, and raises questions about the city’s IT practices, including its handling of sensitive data.
“The city compromised my data without having safeguards in place,” the current employee told San José Spotlight. “It’s just adding more stress to already struggling city workers.”
City administrators became aware of the incident on Jan. 12, three days after it took place, and “immediately” responded by launching an investigation and informing law enforcement, according to the city’s letter.
“Although, to date, we have no evidence that any information was actually viewed, accessed, acquired, or has been misused, out of an abundance of caution, we informed current and former employees of the city of San Jose,” Carolina Camarena, a spokesperson for the City Manager’s Office, told San José Spotlight.
A spokesperson for the San Jose Police Department said it opened an investigation after being notified of the incident on Jan. 19, but did not provide further information.
City officials declined to provide additional information about the incident. They also did not respond to a question inquiring why it appears to have taken seven days for city administrators to inform SJPD of the breach.
Camarena said the city is reviewing its data storage and transfer policies to prevent similar incidents from happening again.
But Ahmed Banafa, a cybersecurity expert and professor of engineering at San Jose State University, said the decision to store such data on a USB drive does not appear to follow best practices for IT safety.
“Who is still using USB drives for sensitive information? That’s my first question,” Banafa told San José Spotlight. “This sensitive information should be kept in a database where limited people can access it. If it does need to be accessed, there should be a protocol in place where you have to get approval before you can download it.”
Banafa also questioned why it took the city nearly a month after learning of the breach to inform workers. Two letters sent to inform employees of the breach, reviewed by San José Spotlight, are dated Feb. 9.
“It’s not good for the capital of Silicon Valley,” Banafa said. “They have to take it seriously, and they have to have transparency about it.”
Banafa warned that if the USB drive falls into the wrong hands, bad actors could use the compromised data to carry out fraudulent financial transactions under the names of people involved in the breach.
San Jose officials said the city will help prevent such identity theft by providing those affected with access to a complimentary one-year credit monitoring service.
John Tucker, a senior representative with AFSCME Local 101, a union representing San Jose public employees, said he doubts the city’s offer will be enough to protect workers.
“Social Security numbers don’t expire,” he told San José Spotlight. “The risk doesn’t end in 12 months.”
Meanwhile, Tucker said this incident also raises questions about San Jose’s ability to manage its core IT responsibilities, even as city leaders, including Mayor Matt Mahan, push to expand the use of AI-powered technology throughout government operations.
“Before we layer on all these new technologies, we need to make sure that the basics are handled competently,” Tucker said. “They seem to be struggling with them.”
Contact Keith Menconi at [email protected] or @KeithMenconi on X.