Hate to break it to you, but if you haven’t already been caught up in a data breach, you will be at some point in your lifetime. It is nearly impossible to exist in modern society without leaving a digital trace. Your personal data is stored in data centers around the world and in cloud services. If you have a government ID, an online bank account, a public or private utilities account, receive a paycheck, go to school or visit a medical clinic, your personal data is saved on a server somewhere. Once your data is stored on a server, the probability of that server being breached is always greater than 0%. No security program is 100% effective; even the US government, which spends billions of dollars on sophisticated cybersecurity tools, has been hacked multiple times.
So, what should you do once your data is exposed in a data breach?

Step 1: Get Details on the Data Breach and Assess Risk
Most companies send a letter notifying customers that their data was involved in a data breach. The letter normally indicates which pieces of information were exposed, such as your email address, credit card number or Social Security Number. If a company you do business with announces a data breach but you do not receive a letter by mail, go to their corporate website and search for details on the breach. Be aware that criminals also send fake breach notices; do not follow links or call numbers in an unexpected notice, but confirm it on the company’s own website or through a phone number you already have. It is important that you understand exactly which pieces of data were stolen.
If the data breach was limited to non-sensitive or publicly available data like your name or mailing address, the risk of cybercrime from the breach is generally low, although it still makes you an easier target for phishing. If highly sensitive data like your login credentials, email address, date of birth, government ID number or Social Security Number is involved, consider the risk of identity theft to be very high and act accordingly. The bad guys normally sell information stolen in a data breach on the dark web to other cybercriminals. Using the stolen data, cybercriminals may send phishing emails to your address with the goal of stealing more data or infecting your computer with malware. They may also attempt to compromise your email accounts, reset passwords on bank accounts, hijack your mobile phone number (a SIM swap) or even apply for credit and loans in your name.
Step 2: Secure Your Online Accounts
The next step is to secure your sensitive online accounts. If you are at risk of identity theft, immediately lock down your bank, email and mobile phone accounts; attackers who hold enough information about you can take over these accounts after the breach. Change the passwords on your critical online accounts. Create a strong password that is no less than 12 characters long, but longer is better, especially on bank and email accounts. Use a different password for every account, ideally generated and stored by a password manager, so that a password stolen from one site cannot simply be replayed against your other accounts (a technique known as credential stuffing). Read our article on How to Create a Strong Password.
Enable Multi-Factor Authentication on all sensitive accounts. It is strongly advised that you enable MFA using an authenticator app, passkey or security key rather than text messages or email. A one-time code sent by SMS can be intercepted by a SIM swap or simply phished out of you, whereas a passkey or security key is bound to the genuine website and cannot be replayed on a look-alike site. If you can avoid using SMS text messages during authentication, discontinue that method or disable the option in your security settings. MFA by SMS text message is not a very secure method of authentication.
While you are updating your passwords, review your account security settings. Enable security alerts on your sensitive accounts if they are disabled. Turn on every alert that notifies you of sign-ins from a new device, suspicious login activity or password reset attempts, and review the list of devices and sessions currently signed in, signing out any you do not recognize.
If the breached website used Security Questions to authenticate your identity, change your security questions on other websites. Security Questions are those quiz questions that websites use to validate your identity when you reset your password or make other changes to your account. They’re questions like “what was your high school mascot?” or “who was your kindergarten teacher?”. People tend to use the same Security Questions and true answers across websites, so when one website is breached, the bad guys can use your stolen answers to reset your passwords on other websites. Treat the answers like passwords: they do not have to be true. Give each site a different, random answer and store it in your password manager.
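The password and security-question advice in Step 2, carried into code as an added example (this is not code from the original article): it generates passwords and security-question answers with Python’s operating-system CSPRNG, enforces the 12-character floor, and computes the entropy of a generated string so the reader can see why both length and a large alphabet matter. The alphabet, the minimum length and the word list are this example’s own choices; the word list in particular is a constructed toy, and a real deployment would load a published list of several thousand words.

```python
import math
import secrets
import string

# Alphabet for generated passwords: 52 letters, 10 digits and 13 symbols (75 total).
PASSWORD_ALPHABET = string.ascii_letters + string.digits + "!#$%&*+-=?@^_"

# The article's floor; use more for bank and email accounts.
MIN_PASSWORD_LENGTH = 12

# Constructed toy word list for passphrase-style security answers. A real
# deployment would load a published list of several thousand words instead.
SAMPLE_WORDLIST = (
    "anchor", "basil", "cobalt", "dune", "ember", "fjord", "gravel", "harbor",
    "iris", "juniper", "kelp", "lantern", "marble", "nectar", "orbit", "pepper",
)


def entropy_bits(length: int, alphabet_size: int) -> float:
    """Entropy of a uniformly random choice of `length` symbols from an
    alphabet of `alphabet_size` symbols: length * log2(alphabet_size)."""
    return length * math.log2(alphabet_size)


def meets_minimum_length(password: str, minimum: int = MIN_PASSWORD_LENGTH) -> bool:
    """Length is the one rule in the article that can be checked mechanically."""
    return len(password) >= minimum


def generate_password(length: int = 16) -> str:
    """Random password drawn with the OS CSPRNG via `secrets`. Never use
    random.choice for this: the `random` module is a predictable PRNG."""
    if length < MIN_PASSWORD_LENGTH:
        raise ValueError(f"password must be at least {MIN_PASSWORD_LENGTH} characters")
    return "".join(secrets.choice(PASSWORD_ALPHABET) for _ in range(length))


def generate_security_answer(num_words: int = 4, wordlist=SAMPLE_WORDLIST) -> str:
    """A random multi-word answer to a security question. The answer does not
    need to be true; it only needs to be unguessable and stored in a password
    manager, so that a breach of one site's answers reveals nothing about another's."""
    return "-".join(secrets.choice(wordlist) for _ in range(num_words))


def strength_report(password: str) -> dict:
    """Upper bound on the entropy a password of this length could carry if every
    character were drawn uniformly from PASSWORD_ALPHABET. A human-chosen password
    of the same length has far less, which is why generated passwords are preferred."""
    return {
        "length": len(password),
        "meets_minimum": meets_minimum_length(password),
        "max_entropy_bits": round(entropy_bits(len(password), len(PASSWORD_ALPHABET)), 1),
    }


if __name__ == "__main__":
    pw = generate_password(20)
    print("generated password:", pw, strength_report(pw))
    print("security answer:   ", generate_security_answer())
    # A 12-character password from this 75-symbol alphabet carries at most ~74.7 bits;
    # 4 words from the 16-word toy list carry only 16 bits, which is why a real
    # word list must be thousands of words long.
    print("4 toy words:", entropy_bits(4, len(SAMPLE_WORDLIST)), "bits")
```

The `secrets` module is the important choice here: it reads from the operating system’s cryptographic random source, whereas `random` is a deterministic generator that an attacker who learns its state can replay. The entropy figure is an upper bound that only holds for machine-generated strings; a 12-character password a person invented from a pet’s name and a birth year is far weaker than the number suggests.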
Step 3: Secure Your Credit
Create or log into your accounts at all three major credit reporting bureaus (Equifax, Experian and TransUnion) and place a freeze on each of your credit files. A freeze is free and blocks new lenders from pulling your file, which stops most new-account fraud; you can lift it temporarily whenever you apply for credit yourself. Also make sure to protect your accounts at the credit reporting bureaus with strong passwords and multi-factor authentication, because you don’t want the bad guys logging in and lifting the freezes. If the breached company offers you free credit monitoring, take them up on the offer and use it. Also pull your credit reports and review them periodically for new activity after the data breach.
Here are links to the credit reporting bureaus:
If hackers do steal your identity, immediately report the crime to law enforcement and visit https://www.identitytheft.gov. This government website provides detailed guidance on how to proceed in reporting and then recovering from identity theft. In some rare cases, you may even have to change your Social Security Number.
Step 4: Explore Dark Web Monitoring
If your risk of identity theft is high, consider a Dark Web monitoring service that continuously scans the internet and Dark Web for your personal data. These services can alert you when your personal data turns up in a new dump or marketplace listing. Do note that they cannot remove your data from criminal sites; what you are buying is an early warning so that you can change passwords, freeze credit or watch the affected accounts before the data is used. Some providers also report the sites they find to law enforcement, but that does not get your data back. Read our article about Dark Web Monitoring Services.
Step 5: Stay Vigilant
Monitor your accounts carefully going forward. Also be mindful that you may become a target for social engineering attacks. Be extremely cautious if anyone calls you requesting sensitive information. It doesn’t matter what caller ID says; caller ID is trivially spoofed, and the bad guys can display someone else’s name and phone number. If a caller claims to be your bank, hang up and call back on the number printed on your card. Refrain from clicking links in unsolicited emails; instead, reach the site by typing its address or using a saved bookmark, and delete the suspicious message. Install antivirus software on your computers and keep your operating systems, browsers and applications up to date by installing software updates as soon as they are released.