What to Do After a Data Breach
Has a company with which you've done business been hacked? Have you received a notice informing you that your personal information, or your credit-card number, was stolen in a data breach?
Credit: ShutterstockIf so, you're definitely not alone. In the past few years, dozens of companies, including Target, Home Depot, Neiman Marcus, Michael's Stores, LinkedIn, Starwood Hotels and the giant health insurer Anthem have suffered data breaches that compromised tens of millions of accounts and payment-card numbers. In 2016, Yahoo disclosed two record data breaches in which 500 million and 3 billion accounts were compromised, respectively.
If you're among the millions of consumers whose sensitive information may have been exposed in a data breach, here's what to do to minimize your chances of becoming the victim of identity theft or credit-card fraud.
1. Determine what was stolen.
You'll need to pin down exactly what kind of information was lost in the data breach. Sensitive information falls into three general categories:
Least sensitive: Names and street addresses. Such information was pretty harmless when it was printed in the phone book. Today, a name typed into a search engine can yield data useful to online marketers and nosy neighbors, but probably not enough to cause serious trouble.
More sensitive: Email addresses, dates of birth and payment-card account numbers. (Payment cards include debit cards, credit cards and charge cards like an American Express card.)
A stolen email address may result in increased spam; a stolen credit card will often result in fraudulent charges, but the card holder is generally protected from liability (see below). A date of birth by itself is useless, but when combined with a name, it's more valuable than an address, because it never changes and is often used to verify identity.
Most sensitive: Social Security numbers or (in Canada) Social Insurance Numbers, online-account passwords, passport numbers, financial-account numbers and payment-card security codes (the three- or four-digit number printed on the front or back of payment cards).
An online-account password, combined with an email address, can be used to hijack online accounts. A card security code lets a thief use a stolen card number for online and telephone shopping. A bank account number lets snoops track your financial history and even move money into (but probably not out of) an account.
With your Social Security number and your name, almost anyone can pose as you.
The company that suffered the breach may tell you that even though email passwords or credit-card numbers were stolen, those items were encrypted and hence "safe." Don't take their word for it — hackers and cybercriminals can "crack" many forms of encryption. If your password was less than 10 characters long or used words that can be found in the dictionary, consider it stolen.
Possibly the worst piece of personal information to have stolen is your Social Security or Social Insurance number. With that and your name, almost anyone can pose as you. (A fake passport using your real name, place of birth and photo is almost as bad.) Unfortunately, it's very difficult to replace an old Social Security or Social Insurance number with a new one. For more on what to do, read our primer on what to do if your Social Security number is stolen.
2. Change all affected passwords.
If an online account has been compromised, change the password on that account right away. If you used the same password for any other accounts, change those as well, and make up a new, strong password for each and every account.
Don't reuse the password for a second account. That way, you'll be limiting the damage next time there's a data breach, and you won't have to go through this process again.
If the online company offers two-factor authentication to protect an account, use it. With two-factor authentication, a thief who attempts to log into an online account can't get in, even with the right password, unless he has a numeric code that the company texts to the legitimate user's cellphone.
If creating and remembering all those new passwords is difficult, use a password manager to handle it all for you. With a password manager, you'll need to remember only one password; the software will take care of the rest. The downside is that if the "master password" is compromised, all your accounts will be as well.
3. Contact relevant financial institutions.
If a payment-card number has been stolen, contact the bank or organization that issued the card — immediately. (Most credit cards have toll-free customer-service numbers printed on the back.) Make sure you speak to a live human representative. Explain that your account is at risk of fraud, and ask the card issuer to alert you if it detects suspicious activity on your account. The bank will almost certainly cancel the card and issue you a new one straight away.
If fraud does take place before the bank is notified, the rules differ between credit cards and debit cards.
Professional credit-card thieves often try to "bust out" stolen card numbers with many purchases in a matter of hours, often on weekends when banks are not fully staffed, before the banks can cut off the card. Nevertheless, in the United States, federal rules limit the customer's liability for fraud. If you alert the banks or card issuers before any fraudulent transactions take place, you're covered.
But if fraud does take place before the bank is notified, the rules differ between credit cards and debit cards. For credit cards, the customer can report a card stolen or lost at any time, yet will be on the hook for at most $50 of fraudulent charges. For fraudulent charges on a monthly billing statement, the customer has up to 60 days to dispute the charges, in writing.
Debit cards have much less protection if fraudulent charges are rung up before the bank is notified. To get the $50 limited liability, the customer has only two business days after learning of the fraud to tell the bank. After that, you may be liable for up to $500; if more than 60 days go by and you still haven't told the bank, you could be on the hook for the whole thing.
4. Contact the credit-reporting bureaus.
Contact the major consumer credit-reporting bureaus and ask each to place a fraud alert on your name. This way, if anyone tries to steal your financial identity — for example, by trying to open a credit-card account in your name — you'll know. (You'll also learn when anyone tries to look up your credit.)
In the U.S., fraud alerts, also known as credit alerts, are free and can be renewed every 90 days. Once an alert is requested, the customer will get a free credit report.
U.S. residents can either request a credit alert online or call the bureau directly: Equifax (1-888-766-0008), Experian (1-888-397-3742), Innovis (1-800-540-2505) and TransUnion (1-800-680-7289). Each bureau is required to contact the other three if an individual requests a fraud alert, and consumers need not provide any reason.
A credit freeze won't allow anyone to run a credit report on you, or open an account in your name, without your explicit authorization.
Canadian regulations vary by province, and are somewhat less convenient for consumers. TransUnion (1-800-663-9980) charges $5 for each credit-alert request; its Potential Fraud Alert form can be found online, but the form must be filled out and mailed by hand. However, Equifax (1-800-465-7166, press option 3 for Fraud) lets you request a credit alert over the phone and doesn't charge for it.
But for either credit-reporting bureau, Canadian residents must file and cite a police report stating the reason for the fraud-alert request. (Experian no longer provides consumer credit services in Canada.)
U.S. residents (but not residents of Canada) can take the more drastic step of requesting a credit freeze, also known as a security freeze. Consumers may call each of the U.S. telephone numbers above, or request a freeze online with Equifax, Experian, Innovis or TransUnion.
Unlike credit alerts, credit-freeze fees and regulations vary by state, and some states make them free to persons who have filed police reports of identity theft. Fees generally range from $5 to $15 — here's a list of credit-freeze fees by state.
A credit freeze won't allow anyone with whom you don't already do business to run a credit report on you, or open an account in your name, without your explicit authorization, so it's pretty solid protection. But it may cause unforeseen complications when you apply for new credit cards or a mortgage, or even switch cellular carriers or cable-TV companies. Each agency will give you a PIN with which you can temporarily unlock your file in such instances.
5. Sign up for a credit- or identity-monitoring service.
Many services, both free and paid, will help monitor your financial accounts and sensitive personal information. BillGuard, for example, is a free online and mobile service that will keep track of charges on an unlimited number of payment cards. It recently added an identity-protection service, but you'll have to pay for that. (BillGuard says it doesn't mine user data, and says it makes money by licensing its software to banks and certifying trustworthy merchants.)
For fees that vary between $15 and $30 per month, full-fledged identity-protection services will monitor your accounts with the credit bureaus, and often watch for identity theft and stolen credit cards as well. Our top choice in this category is LifeLock Ultimate.
Many large companies that suffer data breaches provide affected customers with one or two years of free identity protection. You should take advantage of the offer, but read the fine print for what kind of protection you'll get. A service that doesn't monitor financial accounts won't be of much help if your credit-card number, but not your personal information, was stolen.
If your identity does get stolen
All of the above steps are meant to make sure your identity doesn't get stolen. (We go into what to do about credit-card fraud above.)
If identity fraud does occur — if someone else indeed pretends to be you for any purpose — you'll need to file a report with your local police precinct as soon as possible. That may seem useless, but it's extremely important, as it will establish a legal basis with which you can dispute any future fraud.
Next, you'll need to file a formal report of identity theft with the federal government. In the U.S., do so online with the Federal Trade Commission; in Canada, call 1-888-495-8501 or go to the website of the Canadian Anti-Fraud Centre. Like the police report, the government report will be essential in disputing and resolving future fraud.
If you're a U.S. resident, you may also want to institute a credit freeze with the credit bureaus, as described above. You know the fraud is happening and need to stop it — the inconveniences resulting from a credit freeze may be worth the peace of mind.
In the worst cases, clearing your name can take years. Make sure you document each phone call made, and each email message and letter sent, during your efforts. For more on the subject, read our primer on what to do if you're the victim of identity theft.
- 10 Worst Data Breaches of All Time
- Synthetic Identity Theft: How Crooks Create a New You
- 7 Easy Ways to Get Your Identity Stolen
Paul Wagenseil is a senior editor at Tom's Guide focused on security and gaming. Follow him at @snd_wagenseil.