If your data is breached, knowing what to do next can help protect your personal information.
The internet can make life more convenient–but it can also add wrinkles if your personal or financial information is compromised in a data breach.
Check the news on any given day and odds are, you’re likely to read about a company or business reporting a data theft. According to a report from the Identity Theft Resource Center, the number of data breaches reported through the third quarter of 2021 surpassed the number of breaches reported for the entirety of 2020.
Learning that your personal or financial information has been stolen can be stressful to say the least. But there are some things you can do following a data breach to minimize any potential fallout.
What is a data breach or a security incident?
A data breach is an incident in which information is accessed or stolen without authorization from the owner of that information.
Data breaches can take different forms. For example, the kind that often makes the news involves hackers breaking into a company’s online systems to steal personal or financial information. Ransomware attacks, in which hackers hold information for ransom, are another type of data breach. Other examples of data breaches include malware attacks, phishing scams and payment card fraud.
According to the ITRC report, there were 1,291 data breaches reported through the third quarter of 2021. That means on average there were 143 data breaches per month. Altogether, an estimated 160 million victims had their information compromised because of a data breach.
Common targets for data breaches include industries that maintain extensive databases of personal and financial information. For example, previous targets of major data breaches have included:
- Microsoft
- Yahoo
- Alibaba
- MyFitnessPal
- Spotify
- Equifax
- Experian
- Capital One
- Home Depot
- Target
These companies represent different industries but they have one thing in common: They all deal in personal and/or financial information in some way. In terms of cost, the average data breach in the U.S. comes with a price tag of $4.24 million, according to a report from IBM.
What steps should consumers take if impacted by a breach?
If you find out your data has been breached, don’t panic. It’s important to keep a level head and figure out what you can do to protect yourself and your bank accounts as much as possible from any misuse of your information.
With that in mind, here are some action steps you can take after a data breach.
1. Update your passwords
The first thing you may want to do after a data breach is change your passwords. If a hacker has your account login user name and your password, they could wreak a lot of havoc in a very short amount of time. So it may be wise to change passwords for:
- Bank accounts
- Credit card accounts
- Email accounts
- Social media accounts
- Any accounts that you’ve linked a debit card, credit card or bank account to
- Any accounts that you use to access financial information (such as insurance accounts, investment accounts, credit monitoring accounts, etc.)
When updating passwords, pick a strong password that includes a combination of upper- and lowercase letters, numbers and special characters. Using a password manager can help you keep track of passwords that you use online.
2. Activate multi-factor authentication
Multi-factor authentication adds another layer of security protection for your online financial and personal accounts, beyond just creating a strong password.
For example, you may need to enter a special code you receive by text or email in order to complete the login process when multi-factor authentication is turned on. Or you may need to scan a QR code to finish logging in.
It can take a little time to set up multi-factor authentication but it can be worth it to keep your information out of the hands of hackers.
3. Monitor account statements and report unauthorized transactions
Following a data breach, it’s important to pay close attention to bank account statements and statements for other financial accounts. Specifically, you should be looking for any suspicious transactions or unauthorized purchases, as those can be a sign of fraud.
If you spot a purchase or transaction you don’t recognize, it’s important to report it as soon as possible. This is important not only for preventing further unauthorized activity but also for minimizing your liability for those charges. If someone steals your debit card number but not your card and uses it to make fraudulent purchases, you’re not liable for them if you report those transactions within 60 days of your statement being sent to you, per federal law.
You can also set up banking alerts to notify you each time there’s new activity on your account. For example, you may be able to set up alerts for new debit transactions, new external accounts linked to your account, failed login attempts or changes to your password or personal information.
Pro tip: If your bank account includes card locking as a feature, you can log in online or through your mobile app to disable your card and prevent additional purchases.
4. Place fraud alerts with credit bureaus
Anyone who suspects fraud can place a fraud alert on their credit reports. When a fraud alert is in place, it requires businesses to verify your identity before opening credit accounts in your name.
If you want to place a fraud alert on your credit reports after a data breach you can contact any one of the three major credit bureaus, Experian, Equifax or TransUnion. The credit bureau you place the fraud alert with has to notify the other two bureaus to do the same.
Fraud alerts are free and they stay in place for one year. If you’ve had your identity stolen and completed an FTC identity theft report, you can place an extended fraud alert which is good for seven years.
5. Review credit reports annually
Following a data breach, it’s a good idea to keep an eye on your credit reports. You can get a copy of your credit report once per year free from each of the three major credit bureaus. You’ll need to request your free credit reports through AnnualCreditReport.com.
When reviewing your credit reports, look for anything out of the ordinary, including:
- Credit accounts you don’t recognize
- Inquiries for new credit you don’t remember making
- Judgments or other public records
- Changes or updates to your personal information
If you spot anything that looks suspicious, you can reach out to the credit bureau that’s reporting the information to report fraud and dispute the information.
Pro tip: Consider placing a credit freeze on your credit reports, which would prevent any new accounts from being opened in your name.
6. Sign up for credit monitoring or identity theft protection if available
Credit monitoring services can help you track changes to your credit score month to month. For instance, if an identity thief opens a new credit card account in your name, the inquiry would show up on your credit report which could drop your score by a few points.
There are plenty of free credit monitoring services to choose from, though others charge a fee. Comparing the monitoring services offered and the costs, if any, can help you decide which service to use.
You may also be able to take advantage of identity theft resolution or protection through your credit card. A number of cards offer built-in protections and solutions to help you resolve identity theft if your card is used to make unauthorized purchases or cash advances.
Who is responsible for damages after a breach?
When a data breach happens, it’s important to report unauthorized transactions in a timely manner. As mentioned, this can affect your level of responsibility for those charges. Here’s what your liability may be under federal law:
If you report a lost or stolen debit or ATM card: | Your maximum loss is: |
---|---|
Before any unauthorized charges are made. | $0 |
Within 2 business days after you learn about the loss or theft. | $50 |
More than 2 business days after you learn about the loss or theft, but less than 60 calendar days after your statement is sent to you, | $500 |
More than 60 calendar days after your statement is sent to you. | All the money taken from your ATM/debit card account, and possibly more; for example, money in accounts linked to your debit account. |
Federal law caps liability for stolen credit cards at $50, though many card issuers offer a $0 liability fraud guarantee.
If new accounts are opened using your personal information, you should report suspected fraud to the creditor and to the credit bureaus. You can also fill out a police report and file an Identity Theft Affidavit with the FTC in order to get those accounts closed. If a creditor fails to respond to your request to have a fraudulent account closed, you can file a complaint with the Consumer Financial Protection Bureau.
Don't let data breaches wreck your finances
A data breach can be unpleasant to deal with but you can regain the upper hand when someone steals your financial or personal information. Knowing how to spot the signs of potential identity theft–and what to do next–could make recovering from a data breach easier.
Data Breach FAQs
What is the definition of a data breach?
A data breach is unauthorized access or theft of personal or financial information. Data breaches can take different forms, including ransomware attacks, malware attacks, phishing schemes, and credit card skimming.
How do I know if my data has been compromised?
If you see that a company you use has been targeted by a data breach, the company may reach out to let you know that your information has been compromised. You can also use an online database like HaveIBeenPwned.com to check and see if your email or phone number have been compromised in a data breach.
What are the best steps I can take if my data has been breached?
The best steps to take after a data breach include updating passwords and login information, setting up multi-factor authentication, reviewing financial account statements and credit reports, setting up fraud alerts and monitoring your credit history. Timely action could help to minimize the damage from a data breach.