Learning that your information has been exposed in a data breach is always an unpleasant surprise.

These days, more of your personal data is online than ever before, with your contact info, bank account number, credit card details and medical data easily accessible on the internet, in apps and on handheld devices. Data security is critical — every day, cybercriminals target people’s personal data and steal large amounts of sensitive information.

But what do those fraudsters do with the data after they steal it? Keep reading to learn what happens to your personal information after a data breach — and what you can do to protect yourself should it happen to you.

What is a data breach?

Knowing what, exactly, a data breach entails is essential to understanding the importance of protecting your information. A data breach is a security incident in which sensitive, confidential or otherwise protected data is accessed by someone without proper authorization. Data breaches can be the result of cybercriminals gaining access to a system through various malicious methods, a security flaw or just a disgruntled employee choosing to leak information.

In 2022 alone, there were 1,802 total data compromises affecting over 422 million people. These numbers were only slightly down from an all-time high in 2021, according to the Identity Theft Resource Center.

Data breaches often involve the theft of personally identifiable information, such as Social Security numbers, credit card numbers, bank account numbers, passwords or health records. Sometimes only part of your personal records is exposed, but even data breaches that don’t involve the loss of highly sensitive information should be taken seriously. Cybercriminals can use details such as home addresses found in these records in other ways.

How do data breaches happen?

Data breaches can happen in a variety of ways, but the most common methods include:

  • Hacking: This umbrella term encompasses most types of cybercrime used to gain unauthorized access to data, computer systems and networks. Such methods include phishing, malware and exploiting vulnerabilities with malformed data or brute-force attacks.
  • Insider threat: Employees or contractors with access to sensitive data may be tempted to steal it or sell access to it for personal gain.
  • Physical theft: Laptops, hard drives and other devices containing sensitive data can be stolen or lost.
  • Human error: This is one of the most common causes of data breaches and involves everything from people accidentally clicking on malicious links to using weak passwords.

What happens with personal data after a data breach?

Once your personal data is breached, it can be used for a variety of purposes. Sometimes, ransomware attackers will leave data in place but encrypt it and demand a ransom to restore it. Information can be stolen as part of a targeted attack to be used in connection with premeditated fraud, or it can be placed for sale to the highest bidder on the dark web.

Stolen data can be involved in various forms of fraud, including:

Identity theft

Identity theft is one of the most common outcomes of a data breach. A bad actor who has access to your Social Security number, bank account information, credit card number or other sensitive data may be able to open new accounts in your name, apply for loans or commit other kinds of fraud. Identity theft can have long-term financial consequences and a significant negative impact on your credit rating.

Financial losses

Though identity theft is often committed to further other kinds of financial fraud, data breaches can also lead to more direct financial losses. Criminals with stolen credit card numbers or bank account information can use that data to make purchases, transfer money or withdraw cash from ATMs.

Legal consequences

A data breach can have significant legal consequences for an organization that fails to prevent it. Exposing customer data can result in lawsuits, but legal liability can also include fines and fees, some of which can be quite costly. For instance, after Equifax revealed a data breach in 2017 that affected 147 million people, it had to pay up to $700 million as part of a massive settlement.

Cybersecurity risks

Though data breaches are frequently the result of cybersecurity risk, fraudsters can use even relatively innocuous data like your full name to commit additional crimes. Names, birthdates, anniversaries, addresses and phone numbers can all be pieced together to gain unauthorized access to your data or impersonate you.

What to do after a data breach

In the event of a data breach, you’ll want to take steps to contain the damage and reverse it. At a minimum, you should:

  • Contact your banks and credit card providers to let them know your data was compromised. Ask them to immediately freeze or cancel your existing credit cards and send replacements.
  • Reach out to the major credit bureaus (Experian, TransUnion and Equifax) to report the breach and place a fraud alert on your credit file.
  • Carefully monitor your bank accounts and credit card statements for any suspicious activity. If you spot something, report it immediately.
  • Change the passwords for all of your online accounts, including those tied to your credit cards, banks, utility companies and social media profiles. Always use unique, hard-to-guess passwords with strong characteristics for each site or service.
  • Consider signing up for an identity theft monitoring or protection service that will alert you immediately if any unexpected or unusual charges appear under your name.

How to prevent data breaches

While it’s essential to take steps to minimize the fallout and to know how to protect yourself after a data breach, there are things you can do proactively to prevent breaches from occurring. Whether you’ve been the victim of a prior data breach or not, it’s important to try to protect your personal data from falling into the wrong hands.

Some of the best tools you can use to safeguard against a data breach include:

Strong passwords

Always use strong, unique passwords to protect your online accounts. A secure password should be a minimum of eight characters long and contain a combination of upper and lowercase letters, numbers and special characters like punctuation, according to the federal Cybersecurity and Infrastructure Security Agency.

Avoid reusing passwords across accounts. Remember that even the most robust password used twice is significantly less secure than weaker but unique passwords. Separate passwords can prevent cybercriminals and would-be identity thieves from accessing more than one account.

Multi-factor authentication

Multi-factor authentication, sometimes called two-factor authentication, is an extra layer of security that requires you to provide additional identifying information, such as a one-time code sent via text or a code provided by an authentication app, as part of the login process. The code is valid for a brief period of time, and entering it gives you access to your account.

It may seem like an inconvenience, but a momentary delay and a little extra effort can help protect your information and your accounts from data breaches.

Regular software updates

Make it a priority to frequently update your operating system, virus scanner and any other security software you may use.

These updates might always seem to occur at the worst moment, but they serve the essential function of keeping your phone and computer systems secure. Software vendors often release updates specifically to patch security vulnerabilities, so making sure your software is up to date is critical.

Data encryption

Encrypting data is another way to protect it from being exposed in a breach. Encrypted data can’t be accessed without first decrypting it, which often requires passwords and other methods of authentication. Even if attackers manage to gain access to your data, it’s useless to them if they can’t read it.

Data encryption scrambles data in a way that makes it unreadable and impossible to access for anyone without the proper security credentials. Commonly available commercial encryption algorithms are robust and widely considered unbreakable by cryptography experts.

FAQs on what to do after a data breach

What type of encryption is recommended after a data breach?


The best type of commercially available encryption for protecting personal data at any time is 256-bit encryption. This level of encryption is available through applications like PGP or its open-source alternatives.

Though there are more complex encryption algorithms, 256-bit is considered sufficiently difficult to be unbreakable using current computational methods. It's recommended that you encrypt any sensitive information using this level of encryption — especially if you have been the victim of a prior data breach.

How are data breaches investigated and prosecuted?


Data breaches often involve interstate or international electronic activity, so they are generally investigated by state, federal or international law enforcement agencies. In some U.S. cases, the IRS may get involved if a case of identity theft extends into tax fraud.

Depending on the severity of the data breach, any fraudsters apprehended in connection with a verified hack may be subject to criminal charges and get hit with hefty fines or lengthy prison sentences.

What types of data are typically stolen in a data breach?

The types of data stolen in a data breach can vary widely, and often the attackers may not know what kind of records they have accessed or how complete the records are. The most common types of targeted data include passwords, credit card numbers, Social Security numbers, driver's license information and other personally identifiable information such as Medicare or Medicaid patient ID numbers.

How can I protect myself from data breaches?


Using strong and unique passwords, enabling multi-factor authentication on all your accounts, keeping your software updated and encrypting sensitive data whenever possible will significantly reduce your risk of being affected by a data breach.

It's always a good idea to keep an eye on your credit card statements and regularly check your credit report for any suspicious activity. Consider signing up for an identity theft protection service that will notify you of any unusual activity associated with your name.

Summary of Money’s guide to what happens to my personal information after a data breach

Data breaches are becoming increasingly common, with more and more people learning their data has been exposed, stolen or found on a dark web repository. With targets ranging from governments and large financial institutions to small businesses and even individual accounts, the amount of data stolen in any one breach can range from just a few records to millions of database entries.

The stolen data may seem harmless, but even trivial details can be pieced together to commit identity fraud, open new accounts in your name, apply for loans or steal your money.

It’s important to take steps to protect your personal data from falling into the wrong hands. This can pay significant dividends. It will keep your information as safe as possible and your financial accounts under your control. The importance of strong and unique passwords can’t be overstated. Though multi-factor authentication can take extra effort and time to use, anyone who has received a random login attempt notification can tell you it was a relief to have in place.

You’ll also want to keep your security software updated and conduct regular scans of all of your computing devices to ensure they’re malware-free. Consider encrypting any especially sensitive information and signing up for identity theft or credit monitoring services to get the earliest possible warning of fraudulent activity.