What to do after a data breach


In a Nutshell

Oh no! You’ve been notified that your personal information may have been exposed in a public data breach. With cybercrime booming, it was probably a matter of time. Here’s what to do next.

A data breach occurs when private, personal information is stolen or illegally viewed. Computer-savvy thieves want as many identities as they can get their greedy hands on to use your info for their benefit.

It almost seems that reports of massive data breaches are becoming a regular part of our newscasts. If your information has been hacked in a public data breach, you’re not alone. Here are some major data breaches that have made headlines:

  • The Home Depot breach, reported in 2014, affected more than 50 million cardholders
  • Retail giant Target had almost 40 million compromised accounts from its point-of-sale terminals in 2013
  • In 2013, Yahoo reported a breach whose scale was eventually acknowledged to affect 3 billion accounts
  • Equifax, which is one of the three major consumer credit bureaus, reported that 147.9 million U.S. consumers were affected by its 2017 data breach

So now the question is: What do you do if you get a notification saying that your personally identifiable information has possibly been exposed in a public data breach? Here are some pointers.



Read the notice you receive — in its entirety

Legislation has been enacted on a state-by-state basis requiring private or governmental organizations to notify affected consumers when a data breach occurs. The laws vary by state, so the requirements for what the notification says and when it must be sent vary. Either way, it’s important for you to actually read what is sent to you. Your plan of action will depend on what type of information has been compromised.

Protect your usernames and passwords

Your unique usernames and passwords are generally considered personally identifiable information (PII). Should you be notified that these may have been compromised during a breach, consider activating two-factor authentication if possible. Change both your username and password as soon as you can — even if you don’t know which one may have been compromised. Remember, your account is only as safe as the strength of your password.

Review your bank and credit card accounts

With the convenience of online banking and mobile phone apps, reviewing bank statements and transactions has never been easier. If you even suspect that a specific account has been compromised, you need to vigilantly review each and every transaction to make sure there are no unauthorized charges. If you do discover unauthorized charges to your account, immediately report the fraudulent activity to the bank, so as to not be held liable.

First, make sure to contact your financial institution and notify it of the situation. Depending on the severity of the breach and what accounts were compromised, it may be best to close the account or card and open a new one.

How long do I have to report unauthorized charges on my credit card or bank account?

Under the Fair Credit Billing Act, credit card companies can’t charge you more than $50 for unauthorized card purchases. When it comes to debit cards, ATM charges and bank transfers, there are various time limits to be aware of.

If you report the problem before any fraudulent charges are made, you can’t be charged anything. If you report within two business days after you find out about the loss or theft, your liability is limited to $50. If it’s more than two business days but less than 60 calendar days after you receive your statement, you’re on the hook for up to $500. After 60 calendar days, you may not get reimbursed at all.

Safeguard your Social Security number

A data breach exposing Social Security numbers can be extremely harmful to consumers. A compromised Social Security number can not only affect victims in the here and now, but can also affect them for years to come.

As far as the present is concerned, get ahold of all your credit reports. The Fair Credit Reporting Act requires that each of the three major consumer credit bureaus provide consumers a free copy of their credit report every 12 months. (Hint: Play your cards right and request a credit report from a different credit bureau every four months to better monitor your accounts throughout the year.) As you receive each credit report, thoroughly scrutinize each listed account. Pay particular attention to any new accounts opened or hard inquiries made within the time frame of the data breach you were informed about.

Even if your Social Security number is compromised, there are built-in protections for this situation. Consumers can request that a fraud alert or credit freeze be added to their credit files:

  • To request a fraud alert, only one of the three major credit bureaus (Equifax, Experian or TransUnion) needs to be notified. As soon as one bureau receives the alert, it is responsible for notifying the others that an alert needs to be placed. Here’s how to contact each major credit bureau.
  • When you institute a credit freeze, it restricts access to your credit report and prevents credit card issuers or other lenders from accessing your report.

Both fraud alerts and credit freezes are free to add to a credit file. Carefully explore each option to decide which works best for you.

One other thing to watch out for: If thieves steal your Social Security number, they can file a tax return in your name and potentially receive any refund you have due. Consider filing Form 14039 if you have reason to believe you’ve been a victim of tax fraud or if the IRS sends you a letter directing you to complete the form.

Sign up for a credit-monitoring service

Many companies victimized by a data breach will offer credit-monitoring services at no cost to those affected. Take advantage of this offer. Even when the services are not offered, it would be wise to sign up for a monitoring service, like the free credit-monitoring service offered by Credit Karma, which notifies you of important changes on your TransUnion or Equifax credit reports so you can check for suspicious activity.


Bottom line

A data breach doesn’t have to mean your personally identifiable information is gone forever. With some research and consideration, you can discover ample resources for the taking.

You should always take any notification of a data breach seriously, routinely monitor your accounts for unauthorized charges, and request a copy of your credit reports at least quarterly. You should also consider adding a fraud alert or credit freeze to your credit files, as well as using a credit-monitoring service from here on out.


About the author: Sarah Schaut is a Canadian living in sunny Florida. She’s an economic crimes detective at a city police department and an expert in credit, fraud and mortgages.