At this point, you can bet a hacker has made off with some of your personal information. The number of data breaches hit an all-time high in 2014, according to the Identity Theft Resource Center. An estimated 86 million records—including credit card and debit card numbers—were compromised, with Kmart, Home Depot, and Staples among the companies that saw the greatest data spillage.
Perhaps the worst scare yet, however, came in early 2015, when health insurer Anthem reported that hackers accessed its customers’ Social Security numbers—pure gold to an ID thief. “This one is a nightmare,” says Ed Mierzwinski of advocacy group U.S. PIRG.
But you may be too weary to heed the wake-up call. Almost a third of Americans who receive breach notifications ignore them, privacy research group Ponemon Institute has found. While you can’t panic over every breach, you also can’t afford to get complacent. How much to worry and what action to take depend on what data you learn have been compromised.
YOUR SOCIAL SECURITY NUMBER
How much to worry: A lot. A fraudster could apply for credit in your name, and you could spend years repairing your records, says Paul Stephens of the Privacy Rights Clearinghouse.
What to do: Check your credit reports ASAP for unusual activity. You’re entitled to one free copy per year from each of the credit bureaus (Equifax, Experian, TransUnion) via AnnualCreditReport.com. At minimum place a free 90-day fraud alert with one of the bureaus, which will inform the other two. This alert tells lenders to confirm your identity before extending credit.
A better move: Freeze your credit, preventing anyone from getting loans in your name. On the downside, you’ll pay up to $10 per credit bureau to place a freeze and up to $12 per bureau to lift it when you apply for new credit. A hassle, yes, and costly. “But for someone worried about ID theft, it’s the best $30 you can spend,” Stephens says.
How much to worry: Depends on what kind of site was hacked and whether you reuse passwords (61% of people do, identity protection firm CSID found).
What to do: Ideally, you’d change your password on the breached site and all others on which you used the same code. But if the idea of that much work leaves you paralyzed, the least you need to do is change codes for the most critical accounts (like email and financial sites), says Joseph Bonneau, technology fellow at the Electronic Frontier Foundation. And where it’s an option, set up two-factor authentication, which requires you to input an additional piece of information to log in. That will make it harder for hackers to break into your account next time a password is compromised.
YOUR CREDIT CARD NUMBER
How much to worry: Very little. When criminals steal just a credit card number, you’re not liable for any fraudulent charges, notes Chi Chi Wu of the National Consumer Law Center. With a debit number, you’re not liable for unauthorized charges you report within 60 days of getting your statement, and often banks will make you whole even if you don’t report until later. (The laws are different when a card itself is stolen, but, again, many issuers have zero-liability policies.)
What to do: Simply read your statements carefully, says U.S. PIRG’s Mierzwinski. Call the issuer if you see charges you don’t recognize, he says, “though usually your bank calls you first.” Don’t assume credit monitoring—which many breached businesses offer to customers for free—will do the job for you, Wu says. The services only tell you when a lender checks your credit, not when charges are run up on an existing account.
OTHER PERSONAL INFORMATION
How much to worry: Very little. Criminals can’t commit ID theft with just your name, birth date, or email—though they may try to “phish” for more info by posing as legitimate businesses.
What to do: Stay vigilant. Avoid clicking on links in emails. And when a financial institution calls, hang up and call back. Better to seem rude than get rooked.