How to Deal With a Data Breach of Your Personal Info
It seems like there's a new data breach announced every couple of weeks... but the truth is even scarier.
According to the Identity Theft Resource Center, over the past decade there have been over 5,500 data breaches. That's 550 data breaches a year... or more than 1 a day!
And the ITRC only tracks breaches that include your name and some type of personal information, so that figure doesn't include password-related breaches. In 2015, one group of Russian hackers stole 1.2 billion passwords!
Chances are, your information has been compromised at some point.
Depending on the information stolen and state laws, the company may or may not have to inform you of the breach. Some companies may offer free credit monitoring and fraud resolution services for a period of time after the breach.
But none of this is guaranteed. If you do business with a company that's been breached, whether you get an apology letter or not, you should take immediate steps to ensure your personal information can't be used to commit fraud.
Find Out What Was Compromised
Your response to a data breach will vary depending on the information that was compromised.
If someone stole a bunch of usernames without any other data, you probably don't have much to worry about. On the other hand, if they pulled usernames and passwords, you need to get to work. Or if they gained access to your credit card information, it's time to call your bank!
Let's look at some of the most common types of data breaches, and the steps you should take if you've been affected by them.
Breaches of login credentials are the easiest type to deal with, because if you know exactly what information an identity thief has, you can easily make it useless to them.
If you know, or even suspect, that your login credentials were compromised, take these steps:
- Change your password for the compromised site. If they allow you to change your username, do that too! Many sites simply use your email address as your username, so you may not be able to change it.
- If you use that same password, or a similar one, for any other site, change that too. Even if the username isn't the same, most of us use fairly standard usernames, so chances are an identity thief can figure it out if they try.
- Change your bank account passwords. Even if they are nothing like the password that was compromised, change them too. You should be changing your critical passwords every few months anyway, so this is a good time to do it. This includes online banking sites, credit card sites, your retirement site, and anywhere else you store financial or private information.
- Change your security questions, too. There's no point changing your passwords just to have an identity thief answer your security questions and change them back.
If your credit or debit card numbers were compromised, don't wait for an unknown charge to appear on your bank statement.
Call your bank immediately, cancel that card, and request a new one. In some cases, they may charge you a small fee for this, because no credit card fraud has occurred. Try to argue it, but if they refuse, just pay the fee. It's better than having to call back after someone has used your stolen information.
If your bank account numbers were compromised (for instance, if you use e-checking or online payments with the breached organization), ask the bank to close your checking account and open a new one. You'll probably get more push-back for this, because it's more work than just changing credit cards. Don't take no for an answer!
Personal information, particularly something like your Social Security number, is a goldmine for data thieves.
Your SSN can be used to steal your identity in order to open new lines of credit, create fake citizenship papers, file a fake tax return, illegally rent an apartment, get medical treatment... you name it; with the right information, it can be done. And unlike passwords or banking numbers, you can't change your personal information. From here on out, you'll need to actively monitor your identity.
If the breached company is offering identity theft protection or credit monitoring, sign up for it. Chances are, it's garbage. But unless you already have identity protection in place, it's better than nothing.
If you've been on the fence about getting identity protection, now's a good time to do it. It can be costly, but it saves you from having to keep such a close eye on everything yourself. There's no need to spring for the priciest plan; the basic offering is usually all you really need. Just make sure it offers a credit-related alert system, a guarantee, and remediation services.
Whether you have protection or not, you should also place fraud alerts on your credit file. That way, if someone tries to use your information to open a new credit card or take out a loan, the lender will see the alert and contact you to verify your identity. If you're not the one applying, you can tell them to stop the transaction. The best part about fraud alerts is they're free. The worst part is that they expire every 90 days, so you have to keep setting them.
Don't Know What Was Compromised?
If you're unsure what information was compromised, don't worry. There are still reasonable steps you can take right away.
Start by changing the passwords for your most important online accounts. Once that's taken care of, visit a credit bureau's website and set your fraud alerts. You may not need to do either of these things, but they're both free and they're good protection even if your information hasn't been compromised.
You can't stop breaches from happening, and no matter how hard you try to keep your personal information private, you're going to have to give it to some people. (Remember that IRS breach?) The best thing you can do is stay one step ahead of the criminals and be prepared for the day your information does get breached. And if it's happened already, stay prepared for when it happens again.