In today's digital age, data breaches have become all too common and leave unsuspecting consumers vulnerable to a host of identity theft issues. From AT&T to National Public Data, no industry seems to be safe from determined hackers. Last year alone, 17 billion records were exposed in reported data breaches, according to Flashpoint.com, a Washington, DC based cybersecurity risk management firm.
If you've been notified by your credit card company, a retailer you visit often or another trusted source that your sensitive information has been compromised, you'll need to act fast. Taking action within the first 48 hours is the difference between stopping identity thieves dead in their tracks or having them wreak havoc on your financial life for months to come, suggests Carrie Kerskie, president of Kerskie Group LLC, a Naples, Fla.-based company that helps identity fraud victims recover.
We've combed through our archive of tried-and-true advice, spoken with industry experts, and reviewed the Federal Trade Commission's consumer tips to find out what steps you should take immediately after discovering you're a data breach victim. Here's where to start.
Discovering that your sensitive personal information has been compromised can be scary. Even still, that's not an excuse to let panic stop you from taking the appropriate measures before it's too late. First, you'll want to find out what information was compromised, says Andrew Schrage, co-owner of the personal finance blog MoneyCrashers.com. This step is vital, because depending on the type of information that was exposed you may need to address it more urgently.
For example, in 2024 the UnitedHealth Group cyberattack at its Change Healthcare unit data breach included Social Security numbers, credit card data, bank account numbers, medical record numbers, providers, diagnoses, medicines, test results and more. An identity thief using your Social Security number to open new lines of credit can be detrimental to your credit history for months afterwards. In this scenario, you would want to immediately notify the major credit bureaus, your credit card provider, and your bank. But a data breach that exposes only phone numbers and e-mail addresses isn't nearly as severe and wouldn't warrant an immediate response.
If you are unsure about the appropriate course of action, go to the Federal Trade Commission's (FTC) IdentityTheft.gov/databreach website for recommendations on how to proceed based on the type of personal information that was exposed in any particular breach.
Armed with your sensitive personal information, it may not take skilled hackers long to figure out the password to your e-mail or bank account — especially if it's something as simple as your birthday or pet's name. That's why you should change the passwords to all of your pertinent accounts as soon as possible.
To avoid having to remember a long list of online passwords, use a password manager. We often recommend LastPass, which uses a browser extension to store multiple account passwords and encrypts that information. To help make it easier, you'll only need to remember the LastPass password rather than a long list of passwords. The service includes a multifactor authentication login process. This means in addition to inputting your "master" password, you'll have to input a special code sent to a secondary device (such as a text message to your smartphone) before the login process is complete.
LastPass offers several different plan types including a free version. Their premium plans, which range in price from $3 to $7 per month, are available for personal or business use and include encrypted file storage.
To help prevent further fraudulent activity, be sure to sign up for transaction alerts for your bank and credit card accounts. In doing so, you'll be notified by e-mail or text message whenever there's a new charge to your account.
Be sure to set up the notifications for the lowest transaction amount possible. That's because crooks will test accounts with small charges first before making larger ones. If you start to see charges you don't recognize, contact your bank or card issuer immediately.
For an added layer of protection, consider placing a fraud alert on your credit reports. (You can request a fraud alert if you've been a victim of a data breach or if your wallet, Social Security card or other form of personal identification has been lost or stolen, according to the FTC.) A fraud alert requires a business or financial institution to verify your identity first before issuing a new line of credit. It's free and remains active for one year. If necessary, you can even renew it.
- How to do it: Contact one of the major credit bureaus and request a fraud alert on your credit report. Each credit bureau is required to notify the other bureaus about the alert. Make sure your most recent contact information is on file.
If you want to lock down your credit even more, put a freeze on your credit (also referred to as a security freeze). With a freeze, potential new creditors aren't even able to access your credit history to determine if you're eligible for a loan or new credit card. When the time comes to lift the freeze — say, you're looking to purchase a home or buy a car — you can do so temporarily and reinstate the freeze later.
A credit freeze is free. To get started, you'll need to contact all three major credit bureaus (Equifax, Experian and TransUnion). The quickest way to do this is over the phone or online. You'll want to have your Social Security number, birth date and home address handy, because you'll be asked to supply this information to help verify your identity.
Managing a security freeze is simple, and in most cases you can do it on your own, Griffon Force's Kerskie notes. On Equifax.com, for example, you can log into your account to set up a freeze, lift it temporarily or cancel it.
Chances are, you'll be on high alert in the weeks and months after your sensitive personal information has been compromised in a data breach. This is the time to be extremely vigilant and keep a close eye on your credit report. Doing this will help you flag any suspicious activity as soon as it happens.
There are several sites and online services where you can get a free copy of your credit report on a weekly, monthly or annual basis:
AnnualCreditReport.com: This is the only place where you can request a complete report from all three major credit bureaus annually. The report will be dense with text, and the level of detail can be overwhelming.
CreditKarma.com: Register to get weekly, comprehensive updates on your Equifax and TransUnion credit reports. The site also provides financial calculators and other resources to help you better understand your credit history.
Experian: You'll have to register and create an account on their website to receive a free updated Experian credit report every 30 days. You can also get notification alerts to help identify potentially fraudulent activity.
Also, don't underestimate the importance of carefully examining your banking and credit card statements, advises Kimberly Palmer, a personal finance expert for NerdWallet.com. "Sometimes the first sign of identity theft is an erroneous charge on a monthly statement," she says.
E-mail addresses and phone numbers are often included in data breaches. For example, contact information for 3 billion people was exposed in the National Public Data data breach this year. Armed with this information, crooks can target unsuspecting victims with e-mails, text messages or phone calls aimed at tricking them into divulging more personal information — or even collecting money. In many cases, they'll pose as official representatives of a financial institution or a federal government agency. They may try to pressure you on the spot into making a payment for an overdue bill or threaten legal action.
It's important to remember that a federal government agency, such as the IRS, won't ever call you and request payment of any sort over the phone. The IRS always sends notification via snail mail if there's a legitimate situation that needs to be addressed.
With potential e-mail scams, don't click on any links or open attachments that look suspicious. Doing so could infect your computer or smartphone with malware, allowing scammers to gain access to your device without your knowledge.
Lastly, never authenticate yourself over the phone when contacted by someone you aren't sure is who they say they are. If you're doubtful, look up the phone number for the institution this person is claiming to represent, and call it to see if it actually contacted you.
