SAFE Credit Union is staring down a fresh legal headache, with a new class-action lawsuit landing after the credit union disclosed a December data breach to state regulators in January. The complaint, filed by a Chicago-based attorney, aims to represent members whose personal information may have been exposed, adding more turbulence to what has already been a tense stretch for the Folsom institution.
What the lawsuit alleges
According to the Sacramento Business Journal, the class-action complaint filed this week accuses SAFE of failing to adequately protect member data tied to the December incident. The suit is seeking damages and injunctive relief on behalf of a proposed class of affected members, setting up a potentially costly legal fight over the credit union’s security practices.
Breach timeline and state notice
The California Attorney General’s data-breach portal shows that SAFE reported a security incident dated Dec. 12, 2025, and that the related notice was posted on Jan. 13, 2026, according to the California Attorney General. The online filing includes a sample letter that SAFE said it sent to members, outlining the breach and providing required disclosures.
What data may have been exposed
Security outlet UpGuard reported that SAFE publicly acknowledged the incident on Jan. 13, and that early summaries indicate personal identifiers such as names, Social Security numbers and account information may have been exposed, although investigators have not publicly identified who was behind the breach, per UpGuard. The total number of potentially affected members and the full scope of the incident have not yet been disclosed.
A pattern of ATM incidents in 2025
The data breach is not the only security issue SAFE has had to navigate. In 2025, skimming devices were discovered on some of the credit union’s ATMs, and plaintiff-side attorneys began probing possible member harm, according to a law-firm advisory circulated earlier this year. Those ATM incidents triggered member alerts and card-replacement efforts, according to firms that have been tracking the situation.
Legal implications
Under California’s breach-reporting rules, companies must notify both affected individuals and the Attorney General when certain categories of personal information are reasonably believed to have been accessed, which is why the SAFE incident appears on the state’s breach portal. If the class action succeeds, the plaintiffs could pursue restitution, repayment of credit-monitoring costs and other damages based on claims that the credit union did not provide adequate protection for member data.
What members should do
Security experts and state guidance urge potentially affected members to keep a close eye on their accounts, review statements for anything unusual, and consider placing fraud alerts or credit freezes with credit bureaus, per guidance cited by security reporting. Members who spot suspicious transactions are advised to contact their financial institution right away and treat any unexpected calls or emails requesting personal details with extra skepticism.
What to watch next
The lawsuit is in its early stages, which means new court filings and a formal response from SAFE are expected in the coming weeks. The Sacramento Business Journal reported the filing on Jan. 27, 2026. Observers will be watching for the initial court documents and any official statement from SAFE as the case begins to move through the legal system.
