Since Privacy Rights Clearinghouse (PRC) began tracking data breaches in 2005, our records show that more than 563 million records have been reported leaked. This number is significantly lower than the actual figure, however. In many cases, the number of exposed records is either not known or is not reported to the news media or to state and federal reporting authorities.
In most states, businesses are required by law to notify individuals when a data breach compromises personal information that is likely to lead to financial identity theft. Even when it is not required by law, many companies will notify customers as a courtesy. This means there is a very good chance you will receive a breach notification at some point.
In our latest short film, Data Breaches: Know Your Rights, we explore how a typical consumer may respond to such a notification. The film is the fifth in a six-part YouTube series on important privacy topics.
In the 4-minute film, Mr. Jackson is alarmed and confused when he receives a letter from his bank notifying him that an employee's laptop was stolen. The laptop contained customer data including his Social Security number and other personally identifiable information. His adult son, Luke, turns to PRC's website to find out what to do. Watch the video to see what happens.
What to Do if a Data Spill Includes Your Information
Above all, don't panic. A data leak does not necessarily mean that you will become a victim of identity theft.
The first step is figuring out what type of information was exposed:
- Social Security numbers – In breaches where Social Security numbers are exposed, new account fraud is possible. New account fraud occurs when a criminal uses your Social Security number to open a line of credit and goes on a
To protect yourself from new account fraud, we recommend you order your credit report and request a fraud alert immediately, monitor your credit report regularly thereafter and consider a security freeze. A security freeze provides the greatest protection from identity theft, but may not be the most convenient choice for everyone.
- Credit and debit card numbers – With your credit or debit card number, a thief could commit existing account fraud. Existing account fraud occurs when a criminal uses your financial account information to rack up debt in
If you are at risk of existing account fraud, check your statement online on a daily basis, and look for transactions you did not make. In some cases, the breached financial institution will cancel your card on its own and issue you a new one. If the exposed data includes debit card numbers, you should immediately request that the card be cancelled.
- Names and email addresses – Even though this information may seem harmless, if it is leaked you may become the target of spear phishing. Spear phishing is when a criminal sends you an email that sounds and looks like it’s from a company you have an existing relationship with. For example, a spear-phishing message might address you by name. A message may look something like this: “Hello Ms. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website [URL provided] and update your security settings.” The email will try to convince you to “bite” on the bait and go to that website, and then divulge other information like your Social Security number and credit card number. Identity theft could then result.
To protect yourself from spear-phishing attacks, never enter your personal information into a website after following a link from an email. Always go to the company website on your own or call the company to confirm the email’s legitimacy.
Often, the breached company will offer the affected customers free credit monitoring service. We recommend that you accept this offer, but be sure to mark the date the coverage is scheduled to end. Call the company and confirm that you no longer want the service, if that indeed is your decision upon the expiration of the free service. Otherwise, you could end up being charged for the service after the free subscription period has ended. We explain low-cost alternatives to monitoring services in PRC’s Fact Sheet 33: Identity Theft Monitoring Services.
For a more in-depth discussion on unintentional information disclosures and how to respond, read PRC’s Fact Sheet 17b: How to Deal with a Security Breach.
- PRC's Video: Data Breaches: Know Your Rights - https://www.youtube.com/watch?v=xtB8GU3C7Wk
- PRC's Fact Sheet 17b: How to Deal with a Security Breach - https://www.privacyrights.org/fs/fs17b-SecurityBreach.htm
- PRC's Chronology of Data Breaches - https://www.privacyrights.org/data-breach
- PRC's FAQ About the Chronology of Data Breaches - https://www.privacyrights.org/data-breach-FAQ
- Consumers Union's Guide to Security Freeze Protection - http://www.consumersunion.org/campaigns/learn_more/003484indiv.html
- Federal Trade Commission's microsite on Free Annual Credit Reports - http://www.ftc.gov/bcp/edu/microsites/freereports/index.shtml
- PRC's Fact Sheet 33: Identity Theft Monitoring Services - http://www.privacyrights.org/fs/fs33-CreditMonitoring.htm