Here’s What To Do After a Data Breach
When you saw the email, you froze. Another data breach leaked sensitive information for millions of people. Except, this time you’re one of them.
By now, we’re all familiar with how easily hackers can steal data from even the most trusted companies. Billions of account details have been leaked from Facebook, T-Mobile, Equifax, LinkedIn, and more.
And the numbers show no signs of slowing down. Research shows that data breaches increased 68% from 2020 to 2021 [*].
But here’s the scary part. Your personal information could be compromised, even if you haven’t been affected by one of the hundreds of highly publicized data breaches.
With so much leaked data available to hackers, it might seem impossible to prevent identity theft. But it’s not a lost cause.
Here’s what to do as soon as you find out you’ve been the victim of a data breach.
Follow These 8 Steps After a Data Breach
- Confirm the breach has happened (but be cautious of emails)
- Find out what sensitive data was stolen and is available to hackers
- Secure your log-ins, passwords, and PINs, and add 2FA/MFA
- Set up a fraud alert or credit freeze
- Take special steps for healthcare, government, and financial breaches
- Carefully consider the free support offered by breached companies
- Monitor other accounts and your credit file for suspicious activity
- Sign up for an identity theft monitoring service
1. Confirm the breach happened (but be cautious of emails)
Data breaches are often in the news. But the first place you’re most likely to hear that you’ve been affected is in an email from the impacted company.
State law mandates that companies need to disclose data breaches. Unfortunately, some hackers use these emails as an opportunity to steal your information even if there hasn’t been a leak.
Fake breach emails — known as “phishing emails” — use our fear and emotional response to hacks to get us to act irrationally. A hacker will send an email claiming to be an impacted company and ask you to either:
- Click a link (which could download malware to your device and allow them to hack your email).
- Confirm your account details (which will go straight to the hacker).
If you get a breach email, don’t click any links or respond to the message as someone could be trying to scam you online. (Don’t worry if you already have. Here's what to do if you’ve clicked a spam email.)
Before you take action, confirm the breach by visiting the organization's website or searching the web.
If the breach is real, you’ll find news alerts online and a data breach notification on the website or your account page.
2. Find out what sensitive data was stolen
Next, find out what information was stolen. This helps you to understand what types of identity theft you're at risk of and how you can mitigate the damage that hackers can do.
For example, a cybercriminal can do much more damage with your Social Security number than an unused account username.
Companies will often notify you of what information was breached in an email, account notification, or FAQ.
But what can criminals do with each piece of your data?
Here are the most common data targets hackers go after and what they can do with them:
- Email — Thieves can use your email to send spam and attempt to log into other accounts that share the same email. For example, thieves may log into your bank using your Facebook email.
- Encrypted passwords — Most sites encrypt passwords. But hackers use software to crack weak ones within minutes or hours. Once they have access to your passwords, they’ll try them on as many accounts as possible. (This is why you should never reuse passwords across accounts.)
- Full name — Hackers use your name to find other publicly available information about you in your online footprint. With enough information, they can commit identity theft.
- Phone number — Cybercriminals can use your phone number for spam calls, identity theft, and SIM-jacking. This is where a thief claims your number for their own and receives all your texts and incoming calls.
- Home address — An exposed address can put you at risk of change-of-address scams, tax fraud, and other forms of identity theft.
- Credit card numbers — Thieves can use stolen credit card details to pay for goods online or buy gift cards that can’t be traced (a scam called “carding”). They can do this even without your physical card.
- Social Security number (SSN) — Your Social Security number is perhaps the most vulnerable piece of information a thief can steal. With your SSN, they can commit identity theft, tax fraud, unemployment scams, loan fraud, and much more. (Plus, it's not always possible to change your Social Security number – even after identity theft.)
Pro tip: Stolen information from data breaches almost always ends up available or for sale on the Dark Web. Check what information criminals have access to using Aura’s Identity Guard Dark Web Scanner.
Once you know what personally identifying information is vulnerable, it’s time to protect yourself.
3. Secure your log-ins and add 2FA/MFA
Once you know your data has been compromised, you need to secure your accounts and limit the damage hackers can do. If you’re lucky, you’ll update your information before anyone even accesses your account.
Start by changing all your passwords. Choose a new one that is at least 12 characters long and combines upper and lowercase letters, numbers, and symbols. Also, don’t include any personally identifiable information like birthdays or pet names.
To keep track of your new, more secure passwords, consider a password manager. This is a secure tool that records your strong passwords automatically so you don’t have to worry about forgetting them.
Next, set up two-factor or multi-factor authentication (2FA/MFA) on any account that allows it.
This is an extra security measure that requires a one-time-use code in addition to your username and password to log into an account. Many people use text messages (SMS) to receive their 2FA code. But this can be compromised by hackers.
Instead, try using an authenticator app like Google Authenticator or Okta.
4. Set up a fraud alert or credit freeze
Credit and financial theft is the biggest target for identity thieves. After a data breach, you’ll want to set up a few fraud prevention safeguards to make sure your accounts haven’t been compromised.
The first option is to set up a fraud alert. A fraud alert requires credit companies to verify your identity before approving credit. This makes it much more difficult for a criminal to open new accounts or take out loans in your name.
Set up a fraud alert immediately by contacting one of the three major credit bureaus — Equifax, Experian, or TransUnion. According to federal law, the receiving bureau must share the alert with the other two.
A fraud alert lasts for a year unless you cancel it sooner. If you cancel it early, you’ll need to contact each credit bureau individually.
The second option is to set up a credit freeze. A credit freeze blocks all credit inquiries without affecting your credit score. Because it blocks all credit, you’ll need to disable it if you apply for a loan or buy a house or car.
You’ll need to set up a credit freeze individually at each of the three credit bureaus. The safest practice is to keep your credit frozen at all times and only unfreeze it when you need to apply for credit.
Pro tip: Aura lets you lock your Experian credit file with a single click so you can easily keep your credit safe from hackers.
5. Take special steps for healthcare, government, and financial breaches
Depending on the type of breach you’ve suffered, there may be additional steps you should take to protect yourself.
Extra steps to take after a healthcare data breach
Healthcare breaches come from hospitals, health insurers, or other providers. These leaks can lead to medical fraud or even blackmail.
Here are a few extra steps to take after a healthcare data breach:
- Ask your doctor and health insurance provider for copies of your most recent medical records and benefit statements. Verify each item to make sure someone else isn’t using your benefits.
- Contact your health care providers for a list of anyone with whom they’ve shared your information. Look for any unfamiliar organizations, conditions, or insurance claims. Legally, you have the right to request this information once per year, free of charge.
- Be cautious of bills for medical procedures you don’t know about. Respond and inform the collector that you may be the victim of identity theft.
- Review your Health Savings Account (HSA) and Flexible Spending Account (FSA), if applicable. Make sure thieves have not accessed the funds in these accounts.
Extra steps to take after a government data breach or tax fraud
If a government agency is responsible for the data breach, you might need to take additional steps. This includes breaches from federal, state, or other government agencies, including the military. (Government data breaches can lead to military or veteran fraud.)
In most cases, the impacted agency should reach out with guidance on what to do. But be cautious of any communication claiming to be from the government, especially emails and texts.
Another relatively common type of identity theft is tax fraud. This is where a thief uses your data to claim a tax refund in your name. If you receive a letter from the IRS informing you that someone else has filed a tax return in your name, follow the instructions provided in the letter.
Extra steps to take after a financial account breach
If the breach has come through a financial account — like a credit card company or bank — take extra precautions to protect your data.
- Call the card issuer, ask them to invalidate your credit card or debit card, and request a new one.
- If you see suspicious charges, contact the fraud department at the organization to begin resolving the charges.
- You may also need to take steps to help repair your credit after identity theft.
These steps are important to take on your own, but some additional help may also be available.
6. Consider the free support offered by breached companies
Many companies offer free services as part of their breach responses. These can include credit report monitoring or other ways of protecting your sensitive data.
These offers aren’t a guarantee against identity theft or financial harm. And you should still protect yourself from the breach in the other ways we’ve listed.
Also, take any offer of support with a grain of salt. Companies ultimately need to minimize the damage, and cost, of a data breach. And sometimes accepting their help can limit your options for seeking other damages.
For example, Equifax offered free credit monitoring after a 2017 data breach leaked data on 143 million US citizens. But some attorneys cautioned that the terms of service included in this "help" could limit you from joining class-action lawsuits against the company [*].
Either way, save any communication you receive from the company, like emails or letters. This documentation may be necessary later on as you work to protect your information.
7. Monitor other accounts for suspicious activity
Once your sensitive information has been leaked in a data breach, it can lead to other forms of fraud and identity theft. Just because a company says the leak has been resolved doesn’t mean your data is safe.
After a breach, be especially mindful of:
- Suspicious activity on your online accounts and financial statements. This includes credit or debit card charges you don’t recognize or unfamiliar activity in your bank account.
- Unfamiliar credit inquiries, additional debt, and new accounts in your name. You can request a free credit report from each bureau once a year at AnnualCreditReport.com.
- Strange calls, emails, texts, or letters. Look for suspicious activity like failed login attempts or collection calls for unfamiliar bills.
Unfortunately, when we finally see the warning signs of identity theft, it’s often too late.
That’s why Aura takes care of almost all of these issues for you. With Aura, you get near-real-time credit and identity monitoring, fraud alerts, protection from malware and phishing attacks, and even a $1 million insurance policy for eligible damages resulting from identity theft.
8. Sign up for an identity theft monitoring service
Some of the most critical tasks for cybersecurity protection are difficult or nearly impossible for humans to do. We can’t spend all day scanning our credit statements, Dark Web archives, and up-to-date breach information.
That’s why millions of Americans use an identity and credit monitoring service like Aura.
Even if you have no idea what to do if your identity is stolen, Aura has your back.
But what if you suspect a cybercriminal has already taken advantage of your data?
The Most Recent Data Breaches: Were You Impacted?
If you use any of these services, your sensitive information could be at risk:
- Facebook: Over 550 million Facebook users had their data published online, including Facebook IDs, names, dates of birth, locations, and relationship statuses.
- T-Mobile: The most recent T-Mobile data breach in 2021 exposed data for 50 million users, including names, addresses, SSNs, driver's licenses, and device information.
- MeetMindful: 2 million users of the dating app had their PII stolen and leaked by a hacking group. (Data breaches are just one of the many dangers of online dating you should be aware of.)
- Volkswagen, Audi: Over 3.3 million owners and potential buyers of the car brand had their data leaked, the majority of which were from the U.S.
- Neiman Marcus: Over 3.1 million customers had their payment card information leaked.
- Robinhood: Close to 5 million users of the trading app had their email addresses, phone numbers, and more leaked.
These are just some of the most recent data breaches.
Remember, you can see what data has been leaked by hackers using Aura’s Identity Guard Dark Web Scanner.
Were You the Victim of a Data Breach? Do This
If you’ve discovered you’re a victim of identity theft after a security breach, what do you do?
Unfortunately, hackers can move quickly, and even the fastest response to a personal data breach can be too late.
Here’s what to do if you believe a criminal has stolen your identity:
- Secure your accounts. Update your passwords to be more secure. Set up a password manager. Enable 2FA using an authenticator app.
- File a report with the Federal Trade Commission (FTC). Go to IdentityTheft.gov and report the theft. This will provide you with necessary documentation you may need to provide to resolve fraudulent charges.
- File a report with the police. A law enforcement report can also provide documentation to help you resolve the fraud.
- Call the impacted organizations and report the fraud. Call the affected companies and ask for the fraud department. Explain you are the victim of identity theft. You can usually reverse charges for credit card fraud and similar types of activity.
- Freeze your credit and set up fraud alerts. Freezing your credit makes it harder for criminals to get access to your accounts or take out new credit in your name.
Remember, these actions don’t take the place of the other steps outlined above.
How To Protect Your Private Info From Hackers
While you can’t take back exposed data, you can protect your data from future breaches. Here’s how:
Reduce the amount of data you share
The first and simplest recommendation is to reduce the amount of data you share online. This includes social media.
Decide carefully before creating new accounts. Consider deleting accounts you don’t use and removing extra account details. These can be forgotten about during a data breach. For example, if you have a credit card on file with a company or website you don’t use very often, remove it.
Use unique log-in details for each account you create
One of the best ways to protect yourself in the event of a breach is to make data hard to transfer. Don’t give hackers a skeleton key to your digital life by using the same email address, log-in, and password for every account.
Instead, use a unique password on each site and consider using different email accounts. For example, you could create one email address for newsletters and social media and another email for financial accounts.
A simple option for Gmail users is to use the + symbol to create an infinite number of addresses that all route back to you.
For example, instead of firstname.lastname@example.org, you can use email@example.com or firstname.lastname@example.org. All your emails will still go to your inbox. But hackers can’t log into your bank with the address leaked from Facebook.
Another benefit is that it can help you immediately spot phishing emails. For example, if you receive a bank notification at any address other than email@example.com, you know it’s a phishing scam.
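The phishing check described above, written out as an added example (not part of the original article): each message's recipient +tag is compared with the tag you registered for the sender's domain. The mailbox, sender domains, tags, and sample messages are all constructed, and `EXPECTED_TAG` and `check_message` are hypothetical names.

```python
from email import message_from_string
from email.utils import getaddresses, parseaddr

BASE_MAILBOX = "jane.doe@gmail.com"   # constructed address
# Constructed mapping: the +tag you registered with each sender's domain.
EXPECTED_TAG = {"bank.example": "bank", "social.example": "social"}

def split_plus(address):
    """Split 'user+tag@domain' into ('user@domain', 'tag'); tag is '' if absent."""
    local, _, domain = address.lower().rpartition("@")
    user, _, tag = local.partition("+")
    return f"{user}@{domain}", tag

def check_message(raw):
    """Return (verdict, tag_seen) for one raw message."""
    msg = message_from_string(raw)
    sender_domain = parseaddr(msg.get("From", ""))[1].lower().rpartition("@")[2]
    # Find the tag on whichever recipient address is ours.
    tag_seen = ""
    headers = msg.get_all("To", []) + msg.get_all("Delivered-To", [])
    for _, addr in getaddresses(headers):
        base, tag = split_plus(addr)
        if base == BASE_MAILBOX:
            tag_seen = tag
            break
    expected = EXPECTED_TAG.get(sender_domain)
    if expected is None:
        return "unknown-sender", tag_seen
    return ("ok" if tag_seen == expected else "suspicious"), tag_seen

# Constructed sample messages (only the headers matter here).
SAMPLES = {
    "genuine": "From: alerts@bank.example\nTo: jane.doe+bank@gmail.com\n"
               "Subject: Statement\n\nbody\n",
    "leaked_tag": 'From: "Your Bank" <security@bank.example>\n'
                  "To: jane.doe+social@gmail.com\nSubject: Verify\n\nbody\n",
    "no_tag": "From: security@bank.example\nTo: jane.doe@gmail.com\n"
              "Subject: Verify\n\nbody\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, check_message(raw))
```

The From header is easy to forge, which is why the check keys on the recipient tag instead. A "suspicious" result carrying another service's tag also shows which service's copy of your address is circulating.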
Use every digital security measure at your disposal (2FA, credit freeze, etc.)
The final way you can protect your data from third-party breaches is to set up safeguards that thwart even a thief with your data. For example:
- Two-factor authentication (2FA) makes your accounts much harder to hack, even if a thief has your username and password.
- A credit freeze will decline loans to a thief who impersonates you.
- A strong antivirus and VPN solution protects your devices against malware and Wi-Fi hacking.
- Credit and identity monitoring will alert you as soon as anyone tries to use your information without your permission.
The Bottom Line on Protecting Yourself From Data Breaches
It feels like there’s very little we can do during a breach. We’ve entrusted our data to a third party, but that organization has betrayed that trust with poor data security and open vulnerabilities.
And for those who haven’t been victims of a breach, the question is not if a breach will reveal information, but rather when it will happen.
So stay vigilant. Protect your accounts with unique passwords. And most importantly, use every security measure at your disposal to keep your personal and financial information safe and secure.