What to Do When You Receive a Data Breach Notice

1. What is a data breach?
2. What should you do if your personal information has been exposed by a data breach?
3. Breach involving your credit or debit card information
4. Breach involving your existing financial accounts
5. Breach involving your driver’s license or other government identification documents
6. Breach involving your Social Security number (SSN)
7. Breach exposing your password

1. What is a data breach?

A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual.  Some examples of data breaches include:

  • Hacking (unauthorized intrusion into a computer or a network)
  • Credit or debit card numbers are stolen online or at a point-of-sale terminal
  • Documents or devices containing sensitive information are lost, discarded or stolen
  • Sensitive information is posted publicly on a website, mishandled or sent to the wrong party
  • For many more examples, see PRC's Chronology of Data Breaches

It's important to understand that a data breach does not necessarily mean that you will become a victim of identity theft.  If you are a victim of a data breach, you are at greater risk of identity theft, but until your information is misused, you are not considered an identity theft victim.

  • An identity theft victim is a person whose personal information not only has been exposed, but also has been misused.
  • If you have already become a victim of identity theft, please see our Consumer Guide Identity Theft: What to Do if It Happens to You.

2. What should you do if your personal information has been exposed by a data breach?

Your first step is to figure out what kind of breach has occurred.  This will help you determine the action that you need to take.  Four major kinds of data breaches are:

  • A breach involving your credit or debit card information
  • A breach involving another existing financial account
  • A breach involving your driver's license number or another government-issued ID document
  • A breach involving your Social Security number
  • A breach exposing your password

The sections below describe the action that you should take to protect yourself for each of the above four types of breaches.

3. Breach involving your credit or debit card information

Breaches of your credit or debit card information may occur in retail stores at point-of-sale (POS) terminals or as part of an online transaction.  These breaches can be massive in size, sometimes affecting millions of cardholders. 

You might become aware of a breach affecting your credit or debit card because your financial institution has reissued your payment card with a new account number.  However, many financial institutions do not automatically reissue cards that may have been compromised. 

If you become aware (through news media coverage or otherwise) that there has been a payment card breach at a retailer at which you have shopped, what should you do?

First, determine whether you have used a debit or credit card at the merchant. There is far greater risk to you from a compromised debit card.  If your debit card is used fraudulently, funds can quickly be withdrawn from your bank account without your knowledge.  Your bank account can be emptied.  On the other hand, if you used a credit card, you will have an opportunity to dispute any fraudulent transactions before you have to pay the bill, so you will still retain access to the funds in your bank account. 

After you determine the type of payment card that you may have used, take these steps to reduce the risk of fraud:

  • Ask your card issuer to cancel your current card and reissue the card with a new account number.  They are not required to do so, and there may be a charge for the replacement card.  However, this is especially important if you have used a debit card at the breached entity.
  • Carefully monitor all your account transactions.
  • If your card issuer offers it, set up text or email alerts of any activity. 
  • Make sure that your account statements arrive in your mailbox at their normal time.  Consider setting up access to online statements, with email notification from the card issuer when your statement is ready for viewing.
  • If you become aware of any fraudulent transactions, immediately call your financial institution and follow up by formally disputing the transaction in writing.
  • Be suspicious of any email or phone call that you might receive about the breach that requests personal information.

4. Breach involving your existing financial accounts

If the breach involves an existing financial account, such as a checking, savings, money market, or brokerage account, here are some steps that you can take to reduce the risk of fraudulent activity:

  • Ask your financial institution to cancel your account and issue a new account number. 
  • Carefully monitor all your account transactions online.
  • If your financial institution offers it, set up text or email alerts of any activity. 
  • Make sure that your account statements arrive in your mailbox at their normal time.  Consider setting up access to online statements, with email notification from your financial institution when your statement is ready for viewing.
  • If you become aware of any fraudulent transactions, immediately call your financial institution and follow up by formally disputing the transaction in writing.
  • Be suspicious of any email or phone call that you might receive about the breach that requests personal information.

5. Breach involving your driver’s license or other government identification documents

If you are notified of a breach involving your driver's license or another government identification document (such as a passport or non-driver ID), contact the agency that issued the document and find out what it recommends in such situations. You might be instructed to cancel the document and obtain a replacement. Or the agency might instead "flag" your file to help prevent fraud.

6. Breach involving your Social Security number (SSN)

If the breach includes your Social Security number (SSN), the information could be used to open new accounts in your name. This is called new account fraud. You will not immediately know about these new accounts because criminals usually use an address other than your own for the account.   

That is why it is so important to immediately place a fraud alert on your credit reports when you learn that your SSN has been compromised, and then to monitor your credit reports on an ongoing basis. A security freeze provides even more protection than a fraud alert.  In fact, a security freeze can provide the greatest protection from identity theft. Here are the steps you should take:

  • Request a fraud alert. Immediately contact the fraud department of any one of the three credit reporting agencies -- Experian, Equifax, or TransUnion. When you request a fraud alert from one bureau, it will notify the other two for you. Your credit file will be flagged with a statement that says you may be a victim of fraud and that creditors should take additional steps to verify your identity before extending credit.  Your initial fraud alert lasts for 90 days.  The fraud alert may be renewed for additional 90-day periods indefinitely.

Equifax fraud alert
Experian fraud alert
TransUnion fraud alert 

  • Order your credit reports. When you establish the fraud alert, you will receive a follow-up letter from each credit bureau that explains how you can order a free copy of your credit report.  When you receive your credit reports, look for signs of fraud such as credit accounts that are not yours. Check if there are numerous credit inquiries on your credit report. If a thief is attempting to open up several accounts, an inquiry will be listed on your credit report for each of those attempts. Also, check that your SSN, address(es), phone number(s), and employment information are correct.
  • Continue to monitor your credit reports. Every consumer can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert.
  • Consider a security (credit) freeze. A security or credit freeze provides the greatest protection from identity theft.  It is stronger than a fraud alert because it prevents anyone from accessing your credit file until and unless you authorize the credit bureaus to release your report.  Be aware that this might be inconvenient if you will be applying for new credit, renting an apartment, or seeking employment involving a background check, since you will have to lift the freeze on your credit file for these situations. There may be a small fee to place and/or lift the freeze. The three credit bureaus -- Equifax, Experian, and TransUnion -- offer security freezes nationwide:
    Equifax
    Experian
    TransUnion

Security freezes should not be confused with credit locks.  Credit bureaus encourage consumers to use a credit lock rather than a security freeze. While a security freeze provides protection that is governed by law, locks are governed by your contractual agreement with each credit bureau. Having a contractual agreement is not as good as having protections under law.  For example, the contract may include provisions that you may be better off not agreeing to, such as an arbitration agreement.

7. Breach exposing your password

If your password is exposed by a data breach:

  • Change it immediately.  Do not use a password that is similar to your old password.
  • If you have used the same or a similar password elsewhere, change it immediately.
  • Be suspicious of any email that you may receive asking you for personal information or containing any links.  Independently verify the authenticity of the email.