What Should I Do If I Have Been a Victim of a Data Breach?
The actions you’ll need to take will depend on the type of data compromised.
If affected, you should receive a letter—via mail or email—telling you exactly what information was exposed and when. Federal law requires banks to inform customers of breaches; 46 states have laws mandating that other companies do the same, though large firms typically contact all customers regardless of state residency.
(Bear in mind that “phishing” scammers often take advantage of breaches, purporting to be from the breached company in hopes of getting people to reveal personal information. So to be safe, don’t click through any emails or take any direct phone calls, but visit the official company website to learn about the breach and access help.)
Notices—even legitimate ones—tend to be reassuring in tone, but don’t be fooled. Nearly one in three data breach victims also became a fraud victim in the same year, reports Javelin Strategy & Research.
If the compromised data was…
…A password Change your password for that account immediately. If you use the same code for other accounts, change those as well.
…Email address Watch your inbox for messages requesting information or requesting you to click on a link. If you receive a suspicious email from a company you do business with, call the sender to verify that they did indeed send it.
…Credit card number Call the creditor and ask for a new card with a new number. Some creditors will automatically reissue cards to affected customers in wide-scale breaches. Know however that because the number rather than the card itself was stolen, you are not liable for any authorized purchases under the Fair Credit Billing Act.
…Debit card number Since the card was not lost, you are not liable for any unauthorized transactions if you report them within 60 days of receiving your statement. Still, you should cancel the card and change your pin. If the bank account number was also exposed, close the account and open a new one with a new number. Consider asking for a verbal password, too, which prevents bank personnel from discussing your account with anyone unable to provide that password.
Read next: How Do I Fix a Suspicious Charge on My Credit or Debit Card?
…Social Security number. Contact one of the three major credit reporting agencies and have them place a fraud alert on your account. That agency will then be legally bound to notify the other two agencies to do the same. An alert lets lenders know to take extra care verifying personal information before issuing credit and entitles you to a complimentary credit report from each agency. Review this for suspicious activity. You should also place a credit freeze on your account, which will prevent a credit reporting company from releasing your credit report or score without your consent.
Sometimes the letters from breached companies also contain offers for free credit report monitoring provided by the company. While these programs are not generally worth paying for—since you can monitor your own credit for free—you may as well accept it if it’s being handed out. Monitoring services will alert you to some uses of your SSN quicker than you may be able to spot through your credit report, meaning you can resolve any problems quicker.