What Should I Do if My Info Is Stolen in a Data Breach?


If you discover you’re the victim of a data breach, you should change your account passwords, set up a fraud alert at your bank and freeze your credit if you were directly affected. Ensure you continue to monitor your accounts for suspicious activity, as data breaches could lead to your information being used for identity theft and fraud.

Keep reading to learn more about data breaches, what to do after one happens and how to help prevent them in the first place.

Key Takeaways

  • Data breaches happen when your private and protected information is accessed without your consent, usually by malicious actors but sometimes by pure accident.
  • Unexplained purchases, unusual credit report activity and denied credit requests are all potential signs that you may have had a data breach.
  • You can protect yourself by keeping your security software up to date and remaining aware of cyberattack red flags, such as what phishing scams look like.
  • If you suspect you may have had a data breach or are a victim of identity theft, ensure you contact the Federal Trade Commission and file an Identity Theft Report.
  • While identity theft protection plans can help proactively monitor for identity theft and help with costs, identity theft insurance will typically only reimburse you after your identity has been stolen and you’ve been financially impacted.

What Is a Data Breach?

A data breach occurs when your confidential, protected or sensitive information is accessed or shared without your consent. This information can then be used to steal your identity and money. While the definition can vary between states, a breach typically consists of your first and last name alongside one or more of the following being stolen:[1]

  • Social Security numbers
  • Driver’s license number
  • Medical history
  • Credit card data
  • Passwords
  • Biometric information

While often linked to a company's security failure where customer data is compromised, it can also happen on a smaller scale when an individual is targeted. Data breaches are often the result of malicious third-party actors, like hackers or scammers, who steal your information by bypassing your digital security. Scammers may use phishing emails to trick you into sharing your information, often by disguising a malicious link as a sale offer or a warning that you'll lose money if you don't click.

However, a data breach may also be accidental, such as sending an email containing your sensitive information to the wrong person or leaving storage settings as public instead of private so anyone can access them. Often, a data breach is no fault of your own and instead results from a breach in the security system of an organization you allowed to hold your information, such as a bank or hospital.

7 Things To Do Immediately After a Data Breach

Below, we’ll discuss some of the immediate steps you should take if you suspect you may be the victim of a data breach.

1. Identify the Breach

If you are the victim of a data breach, you may notice unexpected bills, charges on bank statements, unexplained changes to your credit card or medical bills for services you didn’t have. If you recently had your wallet stolen, saw someone rooting through your trash after you threw out mail or were the victim of another data breach recently, it may be worth checking your accounts’ security to determine if a breach happened and where so you know who to notify.

If your data breach was due to a security failure or leak on the part of an organization that holds your data, all 50 states and Washington, D.C., have data breach laws that typically require organizations to inform any individuals suspected of being involved in a data breach.[2]

2. Change Your Passwords

While changing your passwords regularly is a healthy habit, you should reset your passwords after a data breach and improve their security. Avoid using the same password for multiple accounts. If one account is compromised, a hacker may be able to access other accounts using your stolen credentials, making the data breach even worse. Instead, use unique passwords that mix uppercase and lowercase letters, numbers and symbols to make them harder to guess.

3. Enable Two-Factor Authentication

Two-factor authentication (2FA), or two-step verification, adds an extra layer of security by requiring a code generated at login to access your account. These codes are often generated through an app or sent by text, email or phone call. Generated on the spot and often requiring another device like a phone, two-factor authentication codes can prevent hackers from accessing your accounts, even if they have your login information.

4. Monitor Your Financial Accounts

You should look for unaccounted-for activity on your financial statements. Many banks use fraud alerts that could flag your account if they suspect fraudulent activity, but paying attention to any unexplained purchases is still crucial. If you share your account with a spouse or family member, ensure you remain up-to-date on any notable activity so you can tell the difference between regular spending and a potential data breach.

5. Notify Your Bank and Credit Card Companies

After securing your accounts, you should notify your bank and credit card companies so they can act before your information is used to make fraudulent purchases. This may result in a replacement card being sent to you or your cards being frozen. Keep in mind that even if your financial data wasn’t immediately affected, hackers may be able to use information gathered from your stolen data to access it later. 

6. Freeze Your Credit and Place a Fraud Alert on Your Accounts

If the breach involved your Social Security number, consider placing a fraud alert on your credit file. Fraud alerts serve as a "red flag" to creditors, signaling potential fraud or identity theft and helping prevent further breaches if your stolen data reaches multiple bad actors. This raises skepticism toward suspicious activity and could prevent new lines of credit from being opened without your consent. 

You could also freeze your credit, which prevents identity thieves from opening new lines of credit under your name. However, it also prevents you from opening new lines yourself and stops organizations from viewing your credit report. You’ll need to contact at least one of the three nationwide credit reporting agencies, Equifax, TransUnion or Experian, who will forward the freeze request to the remaining two agencies.[3]

7. Review Credit Reports

You can check your credit report to help spot any unusual activity, which may help you lessen the impact of a data breach. If you notice any accounts or addresses that don’t match your own, you may be a data breach victim and should consider freezing your credit.

A free credit report from the three nationwide credit reporting agencies is available once annually.[4]

How To Protect Your Identity and Data Long Term

The best way to mitigate the damage caused by a data breach is to prevent it from happening in the first place. Below, we’ll cover a few tips on what to do to help safeguard your personal data.

Sign Up for Identity Theft Protection

Identity theft protection services help monitor your personal information and alert you automatically if fraudulent activity is suspected on your accounts. They also often feature identity restoration services, which may cover fees associated with identity theft, such as legal fees or lost wages, alongside reimbursement for stolen savings. It can take weeks to years of significant effort and costs to undo the damage of identity theft without assistance.[5][6]

Some insurance companies may also offer identity theft insurance, which helps cover out-of-pocket expenses associated with having your identity stolen. Unlike identity theft protection, however, identity theft insurance typically doesn’t offer preventative services or alerts. Instead, this coverage only comes into play after your identity has been compromised and you’ve been financially impacted.[7]

Monitor for Phishing Scams

Phishing scams involve tricking the victim into giving up their personal information, such as their bank information or credit card numbers. These scammers present themselves as legitimate, such as an online retailer claiming you made a several-hundred-dollar purchase and that they’ll quickly refund you if you let them access your bank account.

Be on the lookout for emails or messages asking for your personal information and links in emails that are misspelled, have missing words, or indicate an unknown web address when you hover over the link.

If you want to call the company, look up their customer service number on their official website.

Update Your Security Software

Hackers often exploit vulnerabilities in your security software, operating system, internet browsers and applications to get access to your data. To combat this, developers regularly release updates that remove vulnerabilities from their software, including your firewall and antivirus. Turning on the automatic update feature included in many software packages can help you avoid missing a vital vulnerability fix.

Use Stronger Passwords and Encryption

Increasing the variation within your password can make it more difficult for identity thieves to guess. Passwords with random characters and numbers are less straightforward to guess than those containing your name, birthday or other easily findable information.

If you save files on your computer, such as a spreadsheet with financial information, it may help to encrypt them. This keeps them from being accessible without a unique key or password, so even if someone manages to steal your files, they won’t be able to see what’s in them without overcoming additional security.

Avoid Using Public Wi-Fi When Dealing with Sensitive Information

Public Wi-Fi, often found in stores and cafes, could use unencrypted networks that allow hackers to view your activities while connected. Do not sign into sensitive accounts or make any purchases while connected to a public network. Otherwise, an unwanted third party may be able to spy on your online banking activity, account login information and private messages.

How To Report a Data Breach

After securing your accounts, contact the U.S. Federal Trade Commission (FTC) and file a report on their website, IdentityTheft.gov.[7] Filing with the FTC creates a paper trail documenting the data breach and should provide you with a recovery plan for mitigating the damages caused. You may then consider placing a report with your local law enforcement, which can help serve as evidence alongside an FTC report if you have identity theft insurance and need to make a claim.

Ensure you contact your bank and other organizations with which you may have a compromised account to inform them. Many will provide steps to improve your account’s security and may increase their surveillance for fraudulent activity.

FAQs

How common are data breaches in the U.S.?

Data breaches are common in the U.S., with over three thousand breaches impacting over 353 million victims in 2023. The healthcare and financial services sectors were the most compromised industries.[8]

How do I know if my data has been breached?

Data breach laws exist in all 50 states and Washington, D.C., and generally require businesses to inform their customers if they suspect those customers were affected by a data breach.[1] If you were targeted directly, a fraud alert, a notice from an identity theft protection service or unexplained purchases on your bank statement may indicate your data has been compromised.

Is it possible to recover lost data if it has been breached?

Yes, recovering lost data hosted on your phone or computer affected by a breach may be possible if you power off all compromised devices and seek a professional to restore your data. While data may be recoverable if you act quickly, the longer you allow those who accessed your data a continued connection, the more likely they are to destroy it and potentially try to ransom a copy of your data back.

Who should I contact if I suspect identity theft?

If you suspect you’re the victim of identity theft, you should contact the FTC through their website, IdentityTheft.gov, to make a report and receive a recovery guide on how to lessen the impact of identity theft.[7] You should also contact your bank and the organizations in charge of compromised accounts.

Sources

  1. National Association of Attorneys General. “Data Breaches.” Accessed Oct. 22, 2024.
  2. National Conference of State Legislatures. “Summary Security Breach Notification Laws.” Accessed Oct. 22, 2024.
  3. Equifax. “7 Things to Know About Fraud Alerts.” Accessed Oct. 23, 2024.
  4. AnnualCreditReport.com. “Annual Credit Report.com.” Accessed Oct. 23, 2024.
  5. Insurance Information Institute. “Identity Theft Insurance.” Accessed Oct. 23, 2024.
  6. Allstate. “What Is an Identity Protection Plan?” Accessed Oct. 23, 2024.
  7. Federal Trade Commission. “IdentityTheft.gov.” Accessed Oct. 23, 2024.
  8. Identity Theft Resource Center. “ITRC Annual Data Breach Report.” Accessed Oct. 23, 2024.
