How to Survive a Data Breach
Has an online company with which you have an account been hacked? Have you received an email informing you that your personal information has been lost in a data breach?
If so, you're not alone. In the past two years, LinkedIn, eHarmony, Adobe and, most recently, Target have suffered data breaches that together exposed more than 80 million accounts. Other companies will be sure to follow.
If you're among the millions of consumers who may have been exposed by a data breach, here's what to do.
— Pin down exactly what kind of information was lost in the data breach, and how it was protected.
Names and physical addresses are the least sensitive pieces of information; email addresses and account passwords are more sensitive; Social Security numbers and credit-card numbers are the most sensitive (and the most valuable to identity thieves).
The company suffering the breach may tell you that even though email passwords or credit-card numbers were lost, they were encrypted and hence safe.
Don't take that assurance at face value. Hackers and cybercriminals have a number of different ways to "crack" many forms of encryption. If your password was less than eight characters long or used words that can be found in the dictionary, it's as good as cracked.
— Change the password on your account with the affected company right away, if the company hasn't already done so for you. If you use the same password for accounts with other companies, change those as well.
While you're changing the password for other accounts, make up and use a new, strong password for each and every one. Don't reuse a password for another account. That way, you'll be limiting the damage next time there's a data breach, and you won't have to go through this process again.
— Contact your bank and your credit-card issuers, explain that your accounts are at risk of fraud and ask them to alert you immediately if they detect suspicious activity on your accounts.
Professional credit-card thieves will try to "bust out" stolen card numbers with many purchases in a matter of hours, often on weekends when banks are not fully staffed.
— Ask your country's major consumer credit-reporting bureaus to place a fraud alert on your name. This way, if anyone tries to steal your financial identity — for example, by trying to open a credit-card account in your name — you'll know.
Residents of the United States, Canada and Mexico should contact the credit bureaus Equifax and TransUnion; U.S. or Mexican residents should also contact Experian, which no longer operates in Canada.
British residents should contact Callcredit, Equifax or Experian; residents of Australia and New Zealand should contact Veda or Experian; residents of Ireland should contact the Irish Credit Bureau or Experian.
— Look into credit-protection services that will flag suspicious activity on your accounts. BillGuard, for example, will monitor up to three credit cards for free; more expensive "identity protection" services will monitor your accounts with the credit bureaus.
— Losing your personally identifiable information in a data breach doesn't guarantee you'll become a victim of identity theft. But if that does indeed happen, make sure to tell the credit-reporting bureaus right away.
If you detect credit- or debit-card fraud, contact the card issuer immediately. Doing so may limit your liability.
If you're a U.S. resident, you should also contact the Federal Trade Commission to create an identity-theft affidavit, and then file a report with your local police force. Doing both will greatly aid you in clearing your name (which, in the worst cases, can take years). Make sure you document each phone call made, and each email message and letter sent, during your efforts.