What To Do After a Data Breach?

What To Do After a Data Breach?

Written by Peter McEwan
Last updated on May 3, 2021

Uh-oh… it’s finally happened. The dreaded email, letter, or message has arrived to tell you that a company or organization you trusted with your details has suffered a major hack. Thousands of people’s private details have been exposed – and yours is one of them. What do you do about this? And how can you stop your data from being leaked again?

The bad news is that breaches happen all the time. Top identity theft protection services and other safeguards will help minimize the fallout when your data is breached, but ultimately, each website or company that you share your data with is responsible for keeping it safe. That’s a lot of links in the chain – and a lot of opportunities for a breach. At some point, it happens to everyone. (Take a look for yourself by entering your email address at Have I Been Pwned. The results may alarm you!)

Steps to Take Following a Data Breach

The good news is that there are steps you can take to mitigate the damage and protect yourself from fraud, theft, and a ruined credit rating. Here’s exactly what to do after a data breach notification pings into your inbox, and what to do if your data has been breached.

#1: Make Sure the Breach Notification is Real

Before you launch into action, make sure that the notification is genuine. Internet scammers sometimes send out phishing emails claiming that your data has been breached to trick you into actually sharing sensitive information or downloading malware. Some enterprising cybercriminals have been known to send out fake emails or messages right after a real breach, in the hope that you’ll panic and respond without pausing to check.

If anything about the notification strikes you as suspicious – just to be certain – go to the company’s website and contact them through the correct channels to check the situation. Don’t click on any links or phone numbers in the body of the email or reply to the message itself. Definitely don’t fill in any forms or submit any personal or sensitive information.

If the breach is real, the organization responsible will be able to give you more information about what data was exposed (more on that in a moment), provide advice, and potentially support, such as credit file monitoring and identity theft protection.

#2: Change ALL of Your Passwords

Next, you need to change your passwords for this site and any others that you use the same or a similar password for. After a data breach, stolen account information is often posted on hacker forums or used to try and access other, potentially more sensitive information. If you use the same password for everything, you may have just given a criminal the master key to your life.

Make sure you set really strong passwords that can’t be guessed easily. That means more than 10 characters, incorporating numbers, symbols, and uppercase letters to mix things up. Avoid dictionary words and details from your life that people might be able to guess, for example, your partner’s birthday or your mother’s maiden name. It’s important to note, too, that even if the company that suffered the breach tells you that your password was encrypted, hackers have algorithms that can crack relatively simple passwords. If yours includes dictionary words or is under 10 characters, consider it crackable.

Also, now that you have the chance to strengthen your passwords, don’t go and make them all the same again! You may also want to set up two-factor authentication so that even if a hacker gets hold of your password, they can’t access anything without a unique code sent to your phone.

Read our tips to to create the perfect password

#3: Find Out Exactly What Kind of Data Was Stolen

Figuring out what to do after your data has been breached depends on what kind of data was exposed. Make sure you get a clear explanation from the company or organization that suffered the breach so that you know exactly what you’re dealing with.

Here are some of the main types of data (other than passwords) that are frequently targeted and the ways they put you at risk:

Personal Information

If the worst type of data revealed in the breach is your name, address, and/or email address, it’s annoying but not the worst thing in the world. This kind of information is pretty easy to get hold of anyway and there’s not much a cybercriminal can do with it apart from inundating you with spam. However, if your date of birth is exposed alongside this information, this can be a bigger issue, as this is a detail used for identification.

Financial Data

If hackers manage to get hold of your card details, though distressing (and inconvenient) enough, your account will, in most cases, still be protected/insured against fraudulent payments and you should be able to get the money back. However, if your bank details or card numbers are stolen alongside other personally-identifying information like your address, date of birth, or social security number, you’re really in trouble. This means someone can potentially take out loans, credit cards, and so on in your name.

Learn how it is important to use a VPN for online banking

Personally Identifiable Information (PII)

This is the holy grail for identity thieves. With your SSN (or equivalent), a criminal can open credit cards, apply for jobs, take out medical insurance, apply for loans, establish a residence and claim your tax rebates – all in your name, and never pay a dime. You probably won’t know about any of this until the creditors come looking for you, at which point it’s on you to prove you didn’t do any of this. What’s more, changing your SSN is a difficult, lengthy process, even if your application isn’t refused.

Healthcare Data

This might include your medicare or insurance policy numbers, as well as your treatment and prescription history.

Aside from the intrusion on your privacy, (and the potential impact it could have if sensitive medical information was exposed to employers or insurers), access to this kind of information opens up the door to medical identity theft. This is when a person poses as you to access treatment or gain prescriptions that are then billed to you or your insurance company. That’s why it’s particularly dangerous if cybercriminals get hold of this medical information in conjunction with your billing or payment information, date of birth, and/or SSN.

#4: Contact the Relevant Bodies

Once you know what’s been leaked, you can start contacting your banks, financial services, credit bureaus, and any other relevant organizations to alert them of the risk.

If your financial information has been breached, you should cancel and replace your payment cards immediately to prevent credit card fraud. If any money has been charged to a credit card fraudulently, you should be able to get this back quickly. Many debit cards and checking accounts will do so too. But this depends on your bank and where you are in the world. You can also freeze your credit in any accounts that you’re worried about.

Obtain a credit report as soon as possible to make sure nothing has been taken out in your name. U.S. residents can get one for free from AnnualCreditReport.com. Even if you don’t see anything worrying (yet), contact the major credit bureaus to tell them what has happened and ask for their advice.

If your SSN has been compromised, it’s wise to file your taxes as early as possible, just in case someone else is trying to use your details fraudulently. If your driver’s license number was leaked, alert the DMV. They should be able to flag the number in case anyone else tries to use it.

If medical information has gone astray, check in with your doctor’s office to see if there have been any recent appointments booked under your name, and ask for copies of your medical records. Request a list of all third parties your health data has been shared with from your healthcare providers. If relevant to you, alert Medicare, your Healthcare Savings Account (HSA), Flexible Spending Account (FSA), or equivalents.

#5: Install Protective Technology to Prevent Future Breaches

Now that you’ve had a scare, start thinking about how to protect yourself going forward. Make sure you have robust antivirus software installed on all your devices to ward off malware and flag up targeted phishing attempts. Many top systems incorporate payment protection and other privacy-boosting tools to protect your sensitive data in the first place.

You may also want to use a password management tool to auto-generate impossible-to-guess passwords for each of your online accounts.

#6: Sign Up for a Credit Monitoring or Identity Protection Service

There is also a range of excellent services out there to help you keep tabs on your sensitive personal information and financial accounts. These range from credit management apps, which help you track all the payments you’re making on all your cards, through to dedicated identity protection and credit monitoring services. Identity protection monitors your accounts with the credit bureaus, looking out for stolen credit cards and attempted identity theft.

If you have recently lost data in a breach, the company may offer you free identity theft protection for a few years. By all means, take them up on this, but make sure you pay close attention to what their chosen service is looking out for. If it isn’t monitoring the type of data you’ve had leaked, it won’t help much. In either case, it’s worth doing some of your own research. To get you started, take a look at our guide to the best identity theft protection services in 2020.

We recommend: Identity Guard 

Our top choice on the market for identity theft protection is Identity Guard, which monitors usage of your SSN, bank account numbers, and credit cards. It also offers safe browsing features, an anti-phishing app, address monitoring, credit monitoring, a risk management report, and a social insight report. Even better, you’re actually insured for up to a million dollars if you do become a victim of identity theft. This covers legal fees, lost wages, travel expenses, and childcare.

Plans start at $7.20/month.

The Bottom Line

Even if nothing serious has happened yet, that doesn’t mean you’re in the clear. Sometimes it takes days, weeks, months, or even years to suffer the full effects of a breach. Knowing what to do after a data breach notification means you can step in to protect yourself against fraud, theft, unauthorized account access, and more. Take action now – and stay alert. You never know when criminals might try to capitalize on your stolen details.

Article comments