So you’re caught in a data breach. Now what?
Reacting to a data breach can feel like rearranging deck chairs on the Titanic or slamming the barn door after the horses have bolted. But there are concrete steps you can take to limit the harm from a breach and to make yourself safer when the next one happens.
Last week, when a hacker began selling a massive database of LinkedIn customer information, we learned that a 2012 breach had affected 167 million accounts, 161 million more than originally reported. Other major breaches include those of Target in 2013, JPMorgan Chase in 2014, and the U.S. Office of Personnel Management in 2015.
Many of the steps you can take after learning that your data has been involved in a breach might feel ineffective, says Paul Stephens of the Privacy Rights Clearinghouse, a consumer advocacy organization. But consumers are not as powerless as they might feel, he adds.
“Consumers need to get in the mind-set that you assume that you’ve been breached and [are] proactive to begin with,” he says. “If you go with that premise, then I think a lot of the breach fatigue will be eliminated.”
Think of having your personal information stolen in a data breach like getting sick. You don’t (or at least shouldn’t) just roll over and moan until it goes away: To prevent it from getting worse as your body recovers, you take some medication or homeopathic remedies. If you find that your data is part of a breach, you can do certain things to recover faster and make it harder for hackers to harm you after future breaches.
Data breaches, also known as security breaches, take various forms. Someone could have stolen your credit card information from a point-of-sale terminal, either through a physical skimming device attached to the card reader or through malware running on the terminal. Someone could have stolen information about you from a computer, phone, or hard drive. Or, more commonly, someone could have broken into a large customer database that contains information about you.
Responding to data breaches is complicated, in no small part because of the patchwork of state and federal laws governing how companies that have been breached are required to notify you. In the United States, 47 states require varying degrees of notification. You may not immediately or even directly learn that your data has been involved in a breach. You might receive a notification via email or a physical letter, or read or listen to a news report about it.
“Often, consumers aren’t given accurate information by the entity that was breached,” Stephens says. “Checking your credit report is not going to do a thing, if the only thing that was in the breach was your credit card number.”
Taking the correct action for the kind of breach you’re involved in, and making sure that your accounts are as secure as possible before another breach occurs, can go a long way. Here are five things to do, if you hear that your information has been involved in a data breach.
Determine whether it’s legit
Make sure that the breach actually happened and that the notice is not itself a phishing attempt or other scam designed to get you to hand over your data. Verify it through the organization's own channels: look for a notice on its website, look up its phone number independently (not the one printed in the email) and call, or watch for media reports of the breach.
Do not reply to the email, call a phone number it contains, or click any of its links; an unsolicited notice that asks you to log in or confirm personal details is a classic phishing lure. If you are unsure whether a notification is genuine, we have compiled some tips to avoid phishing scams and phone call scams.
Figure out what was stolen
The actions you take depend on what was stolen. Was it a credit or debit card number? A username or password? Or was it something tied more closely to your identity, such as your date of birth, Social Security number, driver's license number, or passport number? A card number or password can be replaced in minutes; an identity number generally cannot, which is why the response to each kind of breach differs.
Update your authentication method
Don't let accounts with potentially compromised passwords linger. A compromised account can be used for fraud in your name and to send phishing spam to your contacts. Change the password on the breached account first, then on every other account where you reused it. Choose new passwords that are long (at least 16 characters) and unique to each account; length and uniqueness matter far more than mixing uppercase, lowercase, numbers, symbols, and spaces, and a password manager makes it practical to use a different random password everywhere. Do not reuse passwords.
Also wherever possible, turn on two-factor authentication, which adds a second check (such as a one-time code from an app or a hardware key) on top of the password. Someone who has only your stolen password then cannot log in with it alone. Here's our regularly updated guide to two-factor authentication.
And when answering identity verification questions such as "What is your mother's maiden name?" or "What was your first car?" you should lie: the true answers are often public record or easy to find on social media. Treat the answer as another password, make it easy for you to remember (or store it in your password manager) and hard for others to guess. The answer to the question about your mother's maiden name could be something like "Donald Trump is scary."
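As an added example (not part of the original article), here is how a practitioner might generate the kind of credential the paragraphs above describe, both a long random password and a made-up security-question answer, and measure how hard each is to guess. It uses Python's `secrets` module, which draws from the operating system's cryptographic random source. The 32-word list is a constructed placeholder; a real passphrase generator would use a large published list such as the 7,776-word diceware lists, whose strength is computed alongside for comparison.

```python
import math
import secrets
import string

# The 95 printable ASCII characters: letters, digits, punctuation, and space.
PRINTABLE = string.ascii_letters + string.digits + string.punctuation + " "

# Constructed placeholder word list (32 words). Real passphrase generators use
# lists of thousands of words; the entropy figures below show why that matters.
SMALL_WORD_LIST = [
    "anchor", "basket", "candle", "dolphin", "engine", "falcon", "garden", "harbor",
    "island", "jacket", "kettle", "lantern", "magnet", "needle", "orbit", "pepper",
    "quartz", "ribbon", "saddle", "timber", "umbrella", "velvet", "walnut", "xenon",
    "yogurt", "zipper", "bridge", "copper", "dragon", "ember", "forest", "glacier",
]


def entropy_bits(alphabet_size: int, length: int) -> float:
    """Guessing entropy of `length` symbols chosen uniformly at random from an
    alphabet of `alphabet_size` symbols. This only holds for random choice,
    not for a password a person picked by hand."""
    if alphabet_size < 2 or length < 1:
        raise ValueError("need an alphabet of at least 2 symbols and length >= 1")
    return length * math.log2(alphabet_size)


def random_password(length: int = 16, alphabet: str = PRINTABLE) -> str:
    """Random password from the CSPRNG behind `secrets` (never the `random` module)."""
    if length < 1:
        raise ValueError("length must be positive")
    return "".join(secrets.choice(alphabet) for _ in range(length))


def random_passphrase(words, count: int = 6, sep: str = " ") -> str:
    """Random passphrase; its strength depends on len(words) and count,
    not on which words happen to be drawn."""
    if count < 1:
        raise ValueError("count must be positive")
    return sep.join(secrets.choice(words) for _ in range(count))


def fake_security_answer(words, count: int = 4) -> str:
    """A made-up answer for a 'mother's maiden name' style question. The truth
    is discoverable; a random phrase is not. Store it with the account in
    your password manager."""
    return random_passphrase(words, count=count, sep=" ")


def strength_report() -> dict:
    """Compare common credential shapes in bits of entropy."""
    return {
        "8 chars, letters+digits": entropy_bits(62, 8),
        "16 chars, all printable": entropy_bits(len(PRINTABLE), 16),
        "4 words, 32-word list": entropy_bits(len(SMALL_WORD_LIST), 4),
        "6 words, 7776-word list": entropy_bits(7776, 6),
    }


if __name__ == "__main__":
    print("password:  ", random_password())
    print("passphrase:", random_passphrase(SMALL_WORD_LIST))
    print("answer:    ", fake_security_answer(SMALL_WORD_LIST))
    for label, bits in strength_report().items():
        print(f"{label:28s} {bits:6.1f} bits")
```

The report makes the article's point concrete: 16 random printable characters give about 105 bits, six words from a 7,776-word list about 78 bits, while four words from the tiny placeholder list give only 20 bits, so the size of the word list, not the prettiness of the words, is what counts.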
Replace your card(s), and monitor your credit
If the breach involves your bank or credit card information, contact the financial institution immediately. It will walk you through its fraud process, which will most likely place a hold on the account until it can issue you a new card or account number. Review recent statements and dispute any charges you don't recognize.
Ask the institution to watch for fraudulent activity on your account, and place a fraud alert with one of the three major credit-reporting agencies (Equifax, Experian, or TransUnion); the agency you contact is required to notify the other two. If the stolen data could be used to open new accounts in your name, consider a credit freeze as well. If you've been offered free credit monitoring as part of a breach notification, take advantage of it.
Contact the government
If the stolen data includes government-issued identifiers, such as your Social Security number, or data that can't be changed, such as your birth date, report it. The Federal Trade Commission's IdentityTheft.gov lets you file a report and generates a step-by-step recovery plan, including when and how to contact agencies such as the Social Security Administration; note that a replacement Social Security number is issued only in limited circumstances.
There are pre-emptive steps you can take, too. For example, the IRS offers residents of some states an Identity Protection PIN, a six-digit number that must accompany your tax return, to cut down on fraudulent refund claims filed in your name.
Register for future breach notification
Security expert Troy Hunt runs a free subscription site called Have I Been Pwned, which will email you if an address you register turns up in a breach the site has indexed.
If your email address shows up in a breach and you're still using the password you had at the time, on the breached site or anywhere else you reused it, treat that password as compromised and change it immediately.
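Hunt's Pwned Passwords service can answer a narrower question than the email lookup: has this particular password appeared in a known breach corpus? Below is an added example, written for this page and not taken from the article or from Have I Been Pwned, of the k-anonymity range query the service uses. The client sends only the first five hex characters of the password's SHA-1 hash and scans the returned list of suffixes locally, so the password itself never leaves the machine. The range-API URL and the need for a User-Agent header are real; the response body embedded below is a constructed stand-in for offline use (the suffix for "password" is its real SHA-1 suffix, but the counts are made up, and the live service returns different, changing numbers).

```python
import hashlib
import urllib.request

RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    """Split the upper-case hex SHA-1 of the password into the 5-char prefix
    that is sent to the server and the 35-char suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range(body: str, suffix: str) -> int:
    """Scan a range response (one 'SUFFIX:COUNT' per line) for our suffix.
    Returns the breach count, or 0 if the suffix is absent."""
    for line in body.splitlines():
        line = line.strip()
        if not line:
            continue
        candidate, sep, count = line.partition(":")
        if sep and candidate.upper() == suffix:
            return int(count)
    return 0


def fetch_range_live(prefix: str) -> str:
    """Query the real service. Only the 5-char hash prefix is transmitted."""
    req = urllib.request.Request(
        RANGE_URL + prefix,
        # The API rejects requests that carry no User-Agent.
        headers={"User-Agent": "breach-response-example"},
    )
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


def pwned_count(password: str, fetch=fetch_range_live) -> int:
    """Number of times the password appears in the corpus (0 = not found)."""
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range(fetch(prefix), suffix)


# Constructed stand-in for the live response to /range/5BAA6 (the prefix of
# SHA-1("password")). The middle suffix is the real one; all counts and the
# other two suffixes are made up for this example.
SAMPLE_RANGE_5BAA6 = """\
00000A1B2C3D4E5F60718293A4B5C6D7E8F:2
1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493
FFFFF0123456789ABCDEF0123456789ABCD:1
"""


def fetch_range_sample(prefix: str) -> str:
    """Offline replacement for fetch_range_live, used so the example runs
    without network access."""
    return SAMPLE_RANGE_5BAA6 if prefix == "5BAA6" else ""


if __name__ == "__main__":
    for candidate in ("password", "correct horse battery staple"):
        n = pwned_count(candidate, fetch=fetch_range_sample)
        verdict = f"seen {n:,} times, do not use" if n else "not in the sample"
        print(f"{candidate!r}: {verdict}")
```

To check against the live corpus, call `pwned_count(candidate)` with the default fetcher. A hit means the password is in attackers' wordlists regardless of which breach it came from, so it should be retired everywhere, not just on the site that was breached.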
Although it can be easy to slip into “breach fatigue,” it’s not enough for consumers to presume they’ve been breached. “Why wait for the breach to happen?” asks Stephens, who encourages consumers to take action “before it occurs.”