What Is a Data Breach? (And How To Protect Your Data)

Was Your Sensitive Information Leaked in a Data Breach?  

When hackers leaked sensitive data of over three billion Yahoo users in late 2013, no one predicted that this would be the start of something much worse [*]. But nearly a decade later in 2022, there were 1,862 publicly reported data breaches — the highest number ever for a single year [*].

Social media sites, hotel chains, large corporations, hospitals, school districts, and even government agencies have all been hit by massive data breaches in recent years. According to cybersecurity experts [*]:

It’s almost guaranteed that your sensitive information — including your Social Security number (SSN) — has been leaked at least once in a data breach.

With data leaks happening almost daily, many people are left asking: “What is a data breach? And what should I do if my information is leaked?”

In this guide, we’ll explain everything you need to know about data breaches — from what they are and how they happen, to how you can tell if your data has been leaked and (if it has been) what to do to contain the damage.

{{show-toc}}

What Is a Data Breach? What Are the Consequences?

A data breach is a security incident in which unauthorized parties access, steal, and spread sensitive, confidential, or protected information. For example, hackers could illegally access a small business’s customer database and leak any stored names, shipping addresses, and credit card numbers.

Any company, government agency, or app that stores your personal information is a target for data breaches. However, scammers typically target large organizations or those with sensitive data. 

Between 2020 and 2022, data breaches nearly doubled in the financial sector and tripled in the manufacturing industry [*]. But by far, the largest targets these days are healthcare companies — as personal health information is more valuable on the Dark Web than credit card numbers or SSNs [*].

But why do scammers and hackers target company data? Here are five reasons why cybercriminals want to steal data or compromise business networks: 

• Sell stolen customer data on the Dark Web. Hackers target organizations that have vast amounts of personally identifiable information (PII) about their customers — including names, dates of birth, addresses, emails, and SSNs. Scammers and identity thieves trade this sensitive data on the Dark Web for as little as $3 [*]. 
• Gain access to sensitive business files or systems. Cybercriminals steal trade secrets and financial information to gain a competitive advantage, manipulate markets, or sell valuable, confidential data to other criminals. 
• Blackmail companies into paying ransomware fees: Hackers use malicious software to encrypt your system and files, making them unusable until you pay a ransom. By some estimates, data breaches cost American companies an average of $9.44 million in lost earnings and associated costs [*].
• Expose sensitive information of customers or citizens: Doxxing — derived from “dropping docs” — is intentionally revealing private information online without the rightful owner’s consent. Bad actors breach companies and leak sensitive data to damage the reputations of people or companies.
• Target people with identity theft scams. Once they have valuable personal details in their hands, scammers can create synthetic identities or apply for credit cards and loans in someone else’s name. Criminals could rack up debts in your name for years before being caught.  

Unfortunately, even if you do everything right to maintain your personal digital security, you could still have your data leaked. For example, when hackers targeted T-Mobile in January 2023, they exposed the personal information of 37 million customers, including SSNs and driver’s licenses [*]. 

How Do Data Breaches Happen?

Many data breaches are intentional violations resulting from a cyberattack or hacking, while other security breaches are caused by human error (for example, if an employee accidentally emails confidential information to the wrong person).

Most malicious data breaches follow the same basic pattern. 

First, attackers identify a target that offers the potential to gain a significant financial, competitive, or political advantage. 

Next, the criminals research the target to find defensive vulnerabilities in its security posture, systems, or employees.

After researching, the hackers choose an attack method such as a social engineering scam or a credential-stuffing attack. 

Lastly, the criminals exfiltrate the data, which they can later sell or use. Some attackers may destroy the victim’s proprietary data or lock it up with ransomware. 

Here are 10 common attack methods that hackers employ in the biggest data breaches:

• Social engineering. Verizon reports that almost 82% of all data breaches involve the human element [*]. Fraudsters leverage fear, urgency, or psychological manipulation to trick people into disclosing information. For example, hackers can impersonate the company CEO in phishing emails to obtain login credentials for company accounts. 
• Network or password hacking. Hackers exploit weak passwords or intercept data on unsecured networks to gain unauthorized access to your data. 
• Malware and other cybercrimes. With spyware or trojans, hackers can take control of your devices to make fraudulent transactions or harvest valuable datasets. 
• Insider leaks. If they feel disrespected at work or under financial pressure, a disgruntled employee could turn on the company to steal and sell data to criminals or competitors. 
• Accidental vulnerabilities or disclosure. It's crucial to be careful with access permissions for cloud drives. A simple human error or oversight in the system configurations could open an entry point for a massive security breach. 
• Physical theft or loss. Company laptops and mobile devices offer easy inroads to valuable intellectual property. When someone stole a Health PEI employee’s laptop, the incident compromised the personal information of over 4,000 patients and 1,200 staff members [*]. 
• Shoulder surfing. Online banking or shopping in a cafe or airport is risky, as the stranger next to you could watch you type your login credentials or credit card numbers. 
• Wi-Fi hacking. Without a virtual private network (VPN) to encrypt your IP address, your data is at risk anytime you use an unsecured network. 
• Catfishing. Impersonators create false profiles on social media and dating sites to trick victims into sharing personal details and sending money. 
• Payment card skimmers and shimmers. Thieves attach small devices to payment card terminals, including ATMs and gas pumps, which can steal your card information. 

How To Tell If Your Data Has Been Leaked 

If you want to protect your identity and finances, knowing if your data is at risk is crucial. 

There are two ways to know if your data has been stolen:

1. If someone announces the data breach. Typically, after an incident, the news is made public by the impacted company, a third-party news site, or the attackers.
2. If you find your information on the Dark Web. You can use a Dark Web monitoring or scanning tool to check if your personal data is on hacker forums or illicit marketplaces online. 

Despite data protection laws requiring companies to disclose breaches, many affected organizations hide incidents to protect their public reputations. In late 2022, Twitter was accused of covering up a breach that impacted millions of user accounts [*].

For this reason, it's essential to consider additional methods of monitoring your data security. Aura’s Dark Web and data breach monitoring services help you stay informed about data breaches and take immediate action if your data is at risk.

Was Your Sensitive Information Leaked in a Data Breach? Do This!

1. Confirm what data was leaked
2. Change your passwords
3. Enable 2FA on all of your online accounts
4. Freeze or lock your credit file
5. Check your account statements and credit report
6. Update your operating system and install antivirus software
7. File a report with the FTC
8. Contact impacted companies and government agencies
9. Be on the lookout for phishing attacks
10. Set up a spam and scam call blocker on your phone
11. Remove your data from data broker services
12. Consider signing up for identity theft protection

If you found out that your passwords or phone number were leaked in a recent data breach, there’s a good chance that most of your sensitive personal information has been compromised.  

Here is a 12-step response plan to protect your identity: 

1. Confirm what data was leaked

The potential consequences of a data breach will depend on what information was stolen. Before you jump to the worst conclusions, it’s important to confirm the details of the breach. 

Here’s what to do: 

• Look for an official data breach announcement. Confirm the details via an official announcement from the company or a trusted news source. Most breach announcements include what information was stolen, whether the files were encrypted, and how the company is responding to the incident. 
• Check Aura’s free Dark Web scanner or HaveIBeenPwned. These tools show you which data breaches compromised your information and how extensively your data has been leaked. 
• Avoid clicking on links in data breach notification emails. Hackers often send phishing emails in the wake of a breach, aiming to trick anxious customers of the company into falling for further scams. 

2. Change your passwords

Stolen or weak passwords were factors in 81% of data breaches in 2022 [*]. After a breach puts your passwords at risk, immediate action is vital to keep your accounts and personal data safe.

Here’s what to do: 

• Change compromised passwords immediately. Hackers can take over accounts, make fraudulent purchases, and steal valuable data. If an account is at risk, change its password the moment you find out. 
• Use a unique passphrase for each account. Many cybersecurity experts suggest using a passphrase containing letters, numbers, and characters rather than a random string of characters — for example, “L0rD0fTh3R1nG$.” 
• Use a secure password manager. Aura’s password manager encrypts all of your password data and enables one-tap updates to safeguard vulnerable accounts. It can also warn if your passwords were leaked in a data breach or need to be changed.

💡 Related: Are Your Passwords Compromised? How To Find Out →

3. Enable 2FA on all of your online accounts

Two-factor authentication (2FA) adds a second layer of authentication whenever you sign in to an account — for example, a code sent to your email or an authenticator app on your phone. Cybersecurity experts believe 2FA or multi-factor authentication (MFA) can prevent up to 90% of cyber-attacks [*]. 

Here’s what to do: 

• Turn on 2FA for all supported online accounts. Setting up multi-factor authentication for valuable portals like your email, banking, tax, and medical accounts is especially important. 
• Use an authenticator app on smartphones. These apps generate new 2FA codes every 30 seconds, making it almost impossible for hackers to steal them (unless they have access to the linked Android device or iPhone).
• Opt for secure methods over SMS. Criminals use SIM swap scams to exploit text-based 2FA. It’s safer to use biometric authentication or a hardware security key.

4. Freeze or lock your credit file

If your sensitive information was leaked in a data breach, scammers may try to use it to open new accounts or take out loans in your name. A credit freeze or lock prevents anyone from accessing your credit file. 

To freeze your credit, you’ll need to contact each of the three major credit reporting bureaus individually (Experian, Equifax, and TransUnion). Each of the credit reporting agencies will verify your identity and then provide you with a unique PIN to freeze and then “thaw” your account whenever you need to apply for new credit. 

Here’s how to contact the credit bureaus to freeze your credit files:

5. Check your account statements and credit report

A proactive attitude to monitoring your financial life can save you time, money, and frustration. By monitoring your accounts regularly, you can spot early warning signs of fraud and react quickly in order to limit the damage.

Here’s what to do: 

• Review your bank and credit card statements every month. Look for any suspicious or unauthorized activity, such as questionable transactions or new direct debits that you didn’t set up. 
• Check your credit report every quarter. You can order a free credit report from each of the three bureaus at AnnualCreditReport.com. Examine the reports for unfamiliar new accounts, loan applications, and hard inquiries. 
• Report issues to the banks or bureaus. After gathering your evidence and notes, contact the relevant agency or financial institution to report suspected fraud. 

💡 Related: How Long Does It take To Repair Your Credit? →

6. Update your operating system and install antivirus software

Hackers use malicious programs to infiltrate your devices and hard drives — scanning for private information to steal. Many of these viruses rely on vulnerabilities and bugs in outdated software, apps, and operating systems. 

Here’s what to do: 

• Install reliable antivirus software. Aura’s award-winning digital security solution includes antivirus software for your PC, Mac, and Android devices.
• Always scan external drives. Check unfamiliar USBs and portable hard drives for viruses before you open any files. 
• Update your operating system to the most recent version. Ensure that you keep all software up to date with the latest security patches — and always download directly from the software provider’s official website.

7. File a report with the FTC

If anyone uses your leaked information, an official identity theft report from the Federal Trade Commission (FTC) can help you dispute charges and prove your innocence. 

You can file a report at IdentityTheft.gov. During this process, you’ll need to provide personal information and details about the fraud. 

💡 Related: How (and When) To File a Police Report for Identity Theft →

8. Contact impacted companies and government agencies

It’s often up to you to shut down any situation in which your leaked personal information was used. For example, scammers may have used your data to open new accounts, sign up for services, take out loans, or request benefits. 

Here’s what to do: 

• Speak with the fraud department at any impacted company. Explain that you are the victim of identity theft, and request that they reverse any fraudulent charges. The company may request your FTC report as proof of the crime. 
• Take additional steps after a healthcare data breach. The Health Insurance Portability and Accountability Act of 1996 (HIPAA) is a federal law to protect sensitive patient health information. After a breach, you can request your most recent medical records and health insurance benefit statements so that you can then review the documents for any unfamiliar activity.
• Watch out for impersonation scams after a government breach. After breaches of military, federal, or state agencies, the impacted organization will make contact. But fraudsters try to con people with scam emails and texts, so you must be cautious about any communications. 

9. Be on the lookout for phishing attacks

Cybercriminals target data breach victims by sending phishing emails or spam messages. Remain vigilant after a breach in case you’re exposed to further types of fraud. 

Here’s how to avoid a phishing scam:

• Verify the sender's identity before opening any emails or messages. Many scammers spoof the email sender's name with a slightly different spelling or domain. 
• Don’t click on any links or attachments. Almost all phishing scams include links in emails; using these links, fraudsters attempt to lure you to bogus websites or trick you into installing malware.
• Ignore urgent requests, and take time to think. Scammers create a sense of urgency by threatening or offering “limited time” deals. Stay calm, and remember that no genuine bank or reputable organization will use scare tactics to pressure you into making decisions.

💡 Learn More: How To Tell If An Email Is From a Scammer [With Examples] →

10. Set up a spam and scam call blocker on your phone

Americans were flooded with over 50 billion robocalls and spam calls in 2022 [*]. If your phone number was leaked in a data breach you could be at risk of spam and scam calls.  

You can reduce unwanted calls by signing up for your phone carrier’s call-filtering service. However, these services don’t stop all spam texts and calls. A better option is a third-party call-blocking app.

Here’s what to do: 

• Download and install a reputable spam and scam call-blocking app. The best services block unwanted calls, robocalls, and spoofed numbers. Some providers even have a feature that intentionally wastes the scammer's time with pre-recorded messages. 
• Beware of untrustworthy call-blocker apps. Unfortunately, not all app owners follow the General Data Protection Regulation (GDPR). If providers share user data, you could get more spam texts and calls.
• Report any scam calls. If you answer a call that you believe is from a fraudster, hang up immediately. You can contact the official organization (that the fraudster is pretending to represent) to report the incident and get guidance on the next steps.

11. Remove your data from data broker services

Data brokers collect and sell personal data to marketing agencies and other entities, which puts your identity and privacy at risk. After a data breach, there’s an increased chance that your personal information has been leaked and could be on data broker lists. 

Unfortunately, there are hundreds of data brokers in the United States, making it almost impossible to remove your data from all of them. 

Aura’s award-winning digital security solution includes automatic data broker opt-outs. Aura scans data broker databases for your personal information and then requests its removal on your behalf, so you don’t have to try and navigate this time-consuming process yourself.

⚡️ Remove your data from data broker lists — for free. Sign up for a free 14-day Aura trial and remove your personal information from data brokers.

12. Consider signing up for identity theft protection

Dedicated digital security services monitor your personal and financial information and provide rapid alerts about suspicious activity. For example, if a fraudster opens a new bank account in your name, you’ll get a notification and can react quickly to protect your credit score.  

Here’s how to find the right digital security provider:

• Research options. Read our post on the best identity theft protection companies.
• Look for a reliable provider that offers advanced features. At a minimum, you should get a service with credit monitoring, Dark Web monitoring, and fast alerts.
• Choose a company that provides fraud resolution support. Pick a service that helps you recover your identity and finances if you become a victim of identity theft.

💡 Related: 2023 Data Breach Protection Guide: Here's What To Do →

How To Protect Yourself and Prevent a Breach of Your Data

As data breaches continue to cause growing concern for individuals and businesses alike, taking precautions to keep your personal information private is vital. 

Here are a few effective ways to improve your cyber hygiene and prevent data breaches from leaking your personal data:

• Use strong, unique passwords for every account. Create hard-to-guess combinations of numbers, letters, and special characters — and avoid reusing the same password for multiple accounts.
• Use a password manager. These applications make it easier to create and store long, complex, unique passwords for every account.
• Use a virtual private network (VPN) to encrypt browsing data. A VPN hides your location, personal information, and internet activity from prying eyes. 
• Use email aliases, or give out fake information. Don’t use your primary email address when signing up for new services. 
• Remove as much personal information from the internet as possible. Trim down social media profiles, forum answers, and anything else that can provide scammers with personal details about your life. 

The unfortunate truth is that your personal information may already be on the Dark Web. 

The best way to protect yourself and your entire family after a data breach is by signing up for Aura.

Aura’s award-winning identity theft protection solution includes 24/7 Dark Web monitoring, SSN monitoring, and three-bureau credit monitoring with the industry's fastest, most reliable alerts. 

All Aura members have access to Safe Browsing tools, a VPN, and antivirus protection. If disaster strikes, you’re covered by a $1 million insurance policy, and can get help — as well as peace of mind — from Aura’s 24/7 team of U.S.-based White Glove Fraud Resolution Specialists. 

Stay safe from scammers and online threats. Try Aura free for 14 days.