7 Steps to Take Right After a Data Breach
March 6, 2018
When I heard the news of the credit reporting agency data breach in September 2017, my first question was whether I was one of the millions of potential victims whose personal information could be in the hands of the hackers. The next question that came to mind was: What should I do now?
It can seem like we live in a world where cybersecurity threats are becoming routine, if not expected. Even when we take precautions to try to ensure that our personal information is kept private, third-party entities that hold our information may suffer breaches, exposing our data.
When an organization that holds your personal information suffers a breach, you as a consumer need to know what steps to take—and quickly. The steps will vary, depending on the circumstances of the breach and the sensitivity of the stolen data. First, consider your specific situation:
- Did a breach actually occur, and did it affect my information?
- What type of data breach occurred?
- Was my information exposed in the breach?
- Have my Social Security number and other sensitive personally identifiable information (PII) been stolen, or is the exposed data more limited?
- Are the hackers doing anything with my PII yet, such as using it to commit identity fraud?
In this article, we’ll discuss several data breach types to illustrate the varying degrees of sensitive information that could be exposed—and data breach response actions that consumers should take in each scenario.
Your Data Breach Response Checklist
Get confirmation of the breach and whether your information was exposed.
The first step is to confirm that a breach actually occurred. This doesn't mean that you've received an email saying there's a breach and you believe it. When a data breach occurs, scammers may reach out to you posing as the breached company to try to obtain more of your personal information. Don't fall for fake emails. Go to the company's secure website and/or call the company to confirm the breach and whether your information was involved.
For example, a web-services provider notified affected consumers by email and posted the text of the email notifications so they could confirm an email's validity. A credit reporting agency established a website and a call center to help consumers determine if their personal information was among the breached data.
Find out what type of data was stolen.
Why does the type of information exposed matter? While stolen credit cards and the like can be canceled and replaced, it's quite difficult to obtain a new Social Security number. And fraudsters can do a lot more with your SSN and other unique, sensitive PII than they can accomplish with an email or credit card account.
Three well-known data breaches are examples of the different types of data that can be exposed in a breach:
- A big-box retailer's security breach was discovered as part of an ongoing investigation in 2013. The stolen data included the credit and debit card information, names, mailing addresses, phone numbers and email addresses of up to 70 million consumers.
- The largest U.S. data breach occurred in 2014 at a web-services provider, when 3 billion user accounts were compromised. The stolen information may have included names, email addresses, telephone numbers, dates of birth, passwords and security questions.
- In the 2017 credit reporting agency data breach, the hackers stole potentially 145.5 million Social Security numbers, birth dates, addresses, and in some cases driver's license numbers, all very sensitive PII that could enable hackers to do much more than commit credit card fraud. Hackers who have access to unique, sensitive data like your Social Security number can essentially assume your identity and file fake tax returns, rent or buy properties, apply for employment benefits, and commit other criminal acts in your name.
Because each of these data breaches generally involved different kinds of data, they had varying degrees of sensitivity. While the web-services provider data breach is considered the largest in U.S. history, it may not be as damaging to individuals as the credit reporting agency breach since it didn't involve Social Security numbers. So, as we share below, while all 7 steps are important in each type of breach, more steps will need to be taken in data security failures where the exposed information was more sensitive.
Accept the breached company's offer(s) to help.
If the breached company offers to help repair the damage and protect you for a certain amount of time, take them up on it unless there have been issues with their offer. For example, after its 2017 breach, the credit reporting agency offered credit file monitoring and identity theft protection.
Change and strengthen your online logins, passwords and security Q&A.
It's important to immediately change your online login information, passwords, and security questions-and-answers for the breached account(s), along with your other accounts if they have similar passwords and security Q&A, to limit the reach of the hackers' arms.
This step was especially important for victims of the web-services provider's data breach due to stolen email accounts. It's also important to strengthen your security by taking precautions like turning on two-factor authentication.
Contact the right people and take additional action.
This is where the type of data stolen really comes into play. If your credit and/or debit card information was stolen, as it was in the big-box retailer's data breach, you should reach out immediately to your financial institution(s) to cancel your card and request a new one.
However, if more sensitive personal information like your Social Security number was stolen, as it was in the credit reporting agency's breach, you could more easily become a victim of identity theft or fraud. The FTC recommends:
- Taking advantage of free credit monitoring if the company responsible for exposing your information offers it, while recognizing the limits of credit monitoring.
- Obtaining your free credit reports from AnnualCreditReport.com to look for activity you don't recognize
- Considering a credit freeze for your accounts with the three major credit report agencies. Such a freeze makes it more difficult for someone to open a new account in your name.
- Filing your taxes early, before a scammer has the opportunity to use your exposed Social Security number to file a fraudulent tax return.
If your driver's license number was exposed, you also will need to contact your local Division of Motor Vehicles. The DMV may have you apply for a duplicate or flag your number to catch anyone trying to use it.
Stay alert; monitor your accounts closely.
It's important to stay alert and watch for signs of new activity. For example, in cases where Social Security numbers were stolen, the hackers and others who get their hands on the numbers may use them now, or wait years for a time when victims may be less likely to be on alert. That's why it's important to follow the breach-related steps noted in step 5 above ("Contact the right people and take additional action") when your Social Security number is exposed.
File your taxes early.
Whether you know your Social Security number has been stolen or just want to take precautionary measures, another best practice for anyone in today's cyber threat landscape is to file your taxes early. This way you may be able to beat fraudsters to the IRS, making it less likely they'll commit tax-refund identity theft using your Social Security number.
Bottom Line: Be Alert and at the Ready
In the wake of a data breach, remember that the breach alone doesn't mean you're immediately a victim. But if sensitive data like Social Security numbers is stolen, you could potentially become a victim down the road. Unlike a credit card number, your Social Security number can't easily be changed, so the identity theft risk remains.
The important thing is to stay alert and know what to look for, even as you strive to keep your personal information as secure as possible. If you do see red flags, be ready to take the appropriate actions we've outlined to help protect yourself.
If you want more details on what to do when different kinds of personal information are exposed, visit the FTC's identity theft website.