Seven Things to Do Right Away If You're a Victim of a Data Breach
In today's digital age, data breaches have become all too common and leave unsuspecting consumers vulnerable to a host of identity theft issues.
In today's digital age, data breaches have become all too common and leave unsuspecting consumers vulnerable to a host of identity theft issues. From AT&T to National Public Data, no industry seems to be safe from determined hackers. Last year alone, 17 billion records were exposed in reported data breaches, according to Flashpoint.com, a Washington, DC based cybersecurity risk management firm.
If you've been notified by your credit card company, a retailer you visit often or another trusted source that your sensitive information has been compromised, you'll need to act fast. Taking action within the first 48 hours is the difference between stopping identity thieves dead in their tracks or having them wreak havoc on your financial life for months to come, suggests Carrie Kerskie, president of Kerskie Group LLC, a Naples, Fla.-based company that helps identity fraud victims recover.
We've combed through our archive of tried-and-true advice, spoken with industry experts, and reviewed the Federal Trade Commission's consumer tips to find out what steps you should take immediately after discovering you're a data breach victim. Here's where to start.
1. Find out what information was compromised
Discovering that your sensitive personal information has been compromised can be scary. Even still, that's not an excuse to let panic stop you from taking the appropriate measures before it's too late. First, you'll want to find out what information was compromised, says Andrew Schrage, co-owner of the personal finance blog MoneyCrashers.com. This step is vital, because depending on the type of information that was exposed you may need to address it more urgently.
For example, in 2024 the UnitedHealth Group cyberattack at its Change Healthcare unit data breach included Social Security numbers, credit card data, bank account numbers, medical record numbers, providers, diagnoses, medicines, test results and more. An identity thief using your Social Security number to open new lines of credit can be detrimental to your credit history for months afterwards. In this scenario, you would want to immediately notify the major credit bureaus, your credit card provider, and your bank. But a data breach that exposes only phone numbers and e-mail addresses isn't nearly as severe and wouldn't warrant an immediate response.
If you are unsure about the appropriate course of action, go to the Federal Trade Commission's (FTC) IdentityTheft.gov/databreach website for recommendations on how to proceed based on the type of personal information that was exposed in any particular breach.
2. Change your passwords
Armed with your sensitive personal information, it may not take skilled hackers long to figure out the password to your e-mail or bank account — especially if it's something as simple as your birthday or pet's name. That's why you should change the passwords to all of your pertinent accounts as soon as possible.
To avoid having to remember a long list of online passwords, use a password manager. We often recommend LastPass, which uses a browser extension to store multiple account passwords and encrypts that information. To help make it easier, you'll only need to remember the LastPass password rather than a long list of passwords. The service includes a multifactor authentication login process. This means in addition to inputting your "master" password, you'll have to input a special code sent to a secondary device (such as a text message to your smartphone) before the login process is complete.
LastPass offers several different plan types including a free version. Their premium plans, which range in price from $3 to $7 per month, are available for personal or business use and include encrypted file storage.
3. Sign up for transaction alerts
To help prevent further fraudulent activity, be sure to sign up for transaction alerts for your bank and credit card accounts. In doing so, you'll be notified by e-mail or text message whenever there's a new charge to your account.
Be sure to set up the notifications for the lowest transaction amount possible. That's because crooks will test accounts with small charges first before making larger ones. If you start to see charges you don't recognize, contact your bank or card issuer immediately.
4. Initiate a fraud alert
For an added layer of protection, consider placing a fraud alert on your credit reports. (You can request a fraud alert if you've been a victim of a data breach or if your wallet, Social Security card or other form of personal identification has been lost or stolen, according to the FTC.) A fraud alert requires a business or financial institution to verify your identity first before issuing a new line of credit. It's free and remains active for one year. If necessary, you can even renew it.
- How to do it: Contact one of the major credit bureaus and request a fraud alert on your credit report. Each credit bureau is required to notify the other bureaus about the alert. Make sure your most recent contact information is on file.
5. Freeze your credit
If you want to lock down your credit even more, put a freeze on your credit (also referred to as a security freeze). With a freeze, potential new creditors aren't even able to access your credit history to determine if you're eligible for a loan or new credit card. When the time comes to lift the freeze — say, you're looking to purchase a home or buy a car — you can do so temporarily and reinstate the freeze later.
A credit freeze is free. To get started, you'll need to contact all three major credit bureaus (Equifax, Experian and TransUnion). The quickest way to do this is over the phone or online. You'll want to have your Social Security number, birth date and home address handy, because you'll be asked to supply this information to help verify your identity.
Managing a security freeze is simple, and in most cases you can do it on your own, Griffon Force's Kerskie notes. On Equifax.com, for example, you can log into your account to set up a freeze, lift it temporarily or cancel it.
6. Monitor your credit report
Chances are, you'll be on high alert in the weeks and months after your sensitive personal information has been compromised in a data breach. This is the time to be extremely vigilant and keep a close eye on your credit report. Doing this will help you flag any suspicious activity as soon as it happens.
There are several sites and online services where you can get a free copy of your credit report on a weekly, monthly or annual basis:
AnnualCreditReport.com: This is the only place where you can request a complete report from all three major credit bureaus annually. The report will be dense with text, and the level of detail can be overwhelming.
CreditKarma.com: Register to get weekly, comprehensive updates on your Equifax and TransUnion credit reports. The site also provides financial calculators and other resources to help you better understand your credit history.
Experian: You'll have to register and create an account on their website to receive a free updated Experian credit report every 30 days. You can also get notification alerts to help identify potentially fraudulent activity.
Also, don't underestimate the importance of carefully examining your banking and credit card statements, advises Kimberly Palmer, a personal finance expert for NerdWallet.com. "Sometimes the first sign of identity theft is an erroneous charge on a monthly statement," she says.
7. Beware of phishing scams
E-mail addresses and phone numbers are often included in data breaches. For example, contact information for 3 billion people was exposed in the National Public Data data breach this year. Armed with this information, crooks can target unsuspecting victims with e-mails, text messages or phone calls aimed at tricking them into divulging more personal information — or even collecting money. In many cases, they'll pose as official representatives of a financial institution or a federal government agency. They may try to pressure you on the spot into making a payment for an overdue bill or threaten legal action.
It's important to remember that a federal government agency, such as the IRS, won't ever call you and request payment of any sort over the phone. The IRS always sends notification via snail mail if there's a legitimate situation that needs to be addressed.
With potential e-mail scams, don't click on any links or open attachments that look suspicious. Doing so could infect your computer or smartphone with malware, allowing scammers to gain access to your device without your knowledge.
Lastly, never authenticate yourself over the phone when contacted by someone you aren't sure is who they say they are. If you're doubtful, look up the phone number for the institution this person is claiming to represent, and call it to see if it actually contacted you.
Get Kiplinger Today newsletter — free
Profit and prosper with the best of Kiplinger's advice on investing, taxes, retirement, personal finance and much more. Delivered daily. Enter your email in the box and click Sign Me Up.
Browne Taylor joined Kiplinger in 2011 and was a channel editor for Kiplinger.com covering living and family finance topics. She previously worked at the Washington Post as a Web producer in the Style section and prior to that covered the Jobs, Cars and Real Estate sections. She earned a BA in journalism from Howard University in Washington, D.C. She is Director of Member Services, at the National Association of Home Builders.
- Donna LeValleyPersonal Finance Writer
-
NJ Taxes Electric Vehicles? More Ways to Save
State Tax Discover alternative savings now that New Jersey is phasing out its sales tax exemption on EVs.
By Kate Schubel Published
-
Humana Stock Sinks on Weak Medicare Star Ratings: What to Know
Humana stock is spiraling Wednesday after the CMS provided preliminary Star Ratings data for the insurer's 2025 Medicare Advantage plans.
By Joey Solitro Published
-
Riches vs Wealth: A Cautionary Tale From 'The Hobbit'
The story of dwarven king Thorin Oakenshield in J.R.R. Tolkien's classic novel perfectly illustrates how the relentless pursuit of wealth can undermine the fulfilling experience of true riches.
By Richard P. Himmer, PhD Published
-
In Defense of Insurance Agents and Brokers
People who sell insurance are often not consumers' favorite people. Here are some reasons why you might want to give insurance agents a break.
By Karl Susman, CPCU, LUTCF, CIC, CSFP, CFS, CPIA, AAI-M, PLCS Published
-
With Mortgage Rates Falling, Here's How Much You Could Save
As mortgage rates fall, you could potentially save thousands over the life of your loan.
By Erin Bendig Published
-
How Retirement Plans Are Divided in Divorce
Here's what you need to know about QDROs (qualified domestic relations orders), which determine how assets in a soon-to-be ex-spouse's retirement plans or pension will be distributed.
By Andrew Hatherley, CDFA®, CRPC® Published
-
Coverdell Education Savings Accounts: A Deep Dive
While there are some limitations on income and contributions, as well as other restrictions, a Coverdell can be a bit more flexible than a 529 plan.
By Denise McClain, JD, CPA Published
-
Five Tax Strategies to Preserve Your Retirement Savings
From Roths to HSAs to creative Social Security timing, retirees have many options to minimize their taxes. You might be surprised what a difference it can make.
By Steve Reder Published
-
Which States Have the Biggest Tippers?
Who tips the best and worst on takeout apps? State-by-state, Delaware and West Virginia residents are the most generous while those in California and Washington State tend to hoard their cash.
By Kathryn Pomroy Published
-
Want to Produce a Podcast? Tips to Get It Done Right
It takes prep work, research and knowing where you're going. Plus, don't miss the most important recommendation from this expert podcast producer.
By H. Dennis Beaver, Esq. Published