What to Do When You Receive a Data Breach Notice

1. What is a data breach?
2. What should you do if your personal information has been exposed by a data breach?
3. Breach involving your credit or debit card information
4. Breach involving your existing financial accounts
5. Breach involving your driver’s license or other government identification documents
6. Breach involving your Social Security number (SSN)
7. Breach exposing your password

1. What is a data breach?

A data breach is a security violation in which sensitive, protected or confidential data is copied, transmitted, viewed, stolen or used by an unauthorized individual.  Some examples of data breaches include:

  • Hacking (unauthorized intrusion into a computer or a network)
  • Credit or debit card numbers are stolen online or at a point-of-sale terminal
  • Documents or devices containing sensitive information are lost, discarded or stolen
  • Sensitive information is posted publicly on a website, mishandled or sent to the wrong party
  • For many more examples, see PRC's Chronology of Data Breaches

It's important to understand that a data breach does not necessarily mean that you will become a victim of identity theft.  If you are a victim of a data breach, you are at greater risk of identity theft, but until your information is misused, you are not considered an identity theft victim.

  • An identity theft victim is a person whose personal information not only has been exposed, but also has been misused.
  • If you have already become a victim of identity theft, please see our Consumer Guide Identity Theft: What to Do if It Happens to You.

2. What should you do if your personal information has been exposed by a data breach?

Your first step is to figure out what kind of breach has occurred.  This will help you determine the action that you need to take.  Five major kinds of data breaches are:

  • A breach involving your credit or debit card information
  • A breach involving another existing financial account
  • A breach involving your driver's license number or another government-issued ID document
  • A breach involving your Social Security number
  • A breach exposing your password

The sections below describe the action that you should take to protect yourself for each of the above types of breaches.

3. Breach involving your credit or debit card information

Breaches of your credit or debit card information may occur in retail stores at point-of-sale (POS) terminals or as part of an online transaction.  These breaches can be massive in size, sometimes affecting millions of cardholders. 

You might become aware of a breach affecting your credit or debit card because your financial institution has reissued your payment card with a new account number.  However, many financial institutions do not automatically reissue cards that may have been compromised. 

If you become aware (through news media coverage or otherwise) that there has been a payment card breach at a retailer at which you have shopped, what should you do?

First, determine whether you have used a debit or credit card at the merchant. There is far greater risk to you from a compromised debit card.  If your debit card is used fraudulently, funds can quickly be withdrawn from your bank account without your knowledge.  Your bank account can be emptied.  On the other hand, if you used a credit card, you will have an opportunity to dispute any fraudulent transactions before you have to pay the bill, so you will still retain access to the funds in your bank account. 

After you determine the type of payment card that you may have used, take these steps to reduce the risk of fraud:

  • Ask your card issuer to cancel your current card and reissue the card with a new account number.  The issuer is not required to do so, and there may be a charge for the replacement card.  Even so, requesting a replacement is especially important if you have used a debit card at the breached entity.
  • Carefully monitor all your account transactions.
  • If your card issuer offers it, set up text or email alerts of any activity. 
  • Make sure that your account statements arrive in your mailbox at their normal time.  Consider setting up access to online statements, with email notification from the card issuer when your statement is ready for viewing.
  • If you become aware of any fraudulent transactions, immediately call your financial institution and follow up by formally disputing the transaction in writing.
  • Be suspicious of any email or phone call that you might receive about the breach that requests personal information.

4.  Breach involving your existing financial accounts

If the breach involves an existing financial account, such as a checking, savings, money market, or brokerage account, here are some steps that you can take to reduce the risk of fraudulent activity:

  • Ask your financial institution to cancel your account and issue a new account number. 
  • Carefully monitor all your account transactions online.
  • If your financial institution offers it, set up text or email alerts of any activity. 
  • Make sure that your account statements arrive in your mailbox at their normal time.  Consider setting up access to online statements, with email notification from your financial institution when your statement is ready for viewing.
  • If you become aware of any fraudulent transactions, immediately call your financial institution and follow up by formally disputing the transaction in writing.
  • Be suspicious of any email or phone call that you might receive about the breach that requests personal information.

5.  Breach involving your driver’s license or other government identification documents

If you are notified of a breach involving your driver's license or another government identification document (such as a passport or non-driver ID), contact the agency that issued the document and find out what it recommends in such situations. You might be instructed to cancel the document and obtain a replacement. Or the agency might instead "flag" your file to help prevent fraud.

6.  Breach involving your Social Security number (SSN)

If the breach includes your Social Security number (SSN), the information could be used to open new accounts in your name. This is called new account fraud. You will not immediately know about these new accounts because criminals usually use an address other than your own for the account.   

That is why it is so important to immediately place a fraud alert on your credit reports when you learn that your SSN has been compromised, and then to monitor your credit reports on an ongoing basis. A security freeze provides even more protection than a fraud alert.  In fact, a security freeze can provide the greatest protection from identity theft. Here are the steps you should take:

  • Request a fraud alert. Immediately contact the fraud department of any one of the three credit reporting agencies -- Experian, Equifax, or TransUnion. When you request a fraud alert from one bureau, it will notify the other two for you. Your credit file will be flagged with a statement that says you may be a victim of fraud and that creditors should take additional steps to verify your identity before extending credit.  Your initial fraud alert lasts for one year.  The fraud alert may be renewed. 

    Equifax fraud alert
    Experian fraud alert
    TransUnion fraud alert

  • Order your credit reports. When you establish the fraud alert, you will receive a follow-up letter from each credit bureau that explains how you can order a free copy of your credit report.  When you receive your credit reports, look for signs of fraud such as credit accounts that are not yours. Check if there are numerous credit inquiries on your credit report. If a thief is attempting to open up several accounts, an inquiry will be listed on your credit report for each of those attempts. Also, check that your SSN, address(es), phone number(s), and employment information are correct.
  • Continue to monitor your credit reports. Every consumer can receive one free credit report every 12 months from each of the three national credit bureaus. This is over and above the free credit report that you can request upon establishing a fraud alert.
  • Consider a security (credit) freeze. A security or credit freeze provides the greatest protection from identity theft. Consumers can place a security freeze on their credit files at the credit reporting agencies (Equifax, Experian, and TransUnion) at no cost.  With a freeze in place, you can prevent new creditors (such as a credit card company or lender) from seeing your credit reports.  The freeze prevents fraudulent new accounts because new creditors are not able to check your credit report.  Requests for access to your credit file will be denied.  Most creditors will not issue new credit if they cannot see the consumer’s credit report. For the freeze to be fully effective, you must request it separately from each of the three major credit reporting agencies. The website of each credit reporting agency provides instructions for placing a security freeze.

    If you want to apply for new credit, you can remove a security freeze temporarily.  You can also permanently remove a freeze.

    A security freeze does not apply to credit checks for:

    • Employment or background screening purposes
    • Tenant screening
    • Insurance underwriting
    • Identity verification purposes

    Security freezes will not impact your credit score or your relationship with your existing creditors.  Any existing creditor can continue to see your credit reports in order to periodically review your account.

    A security freeze cannot stop misuse of your existing bank or credit accounts. You still must check your accounts for any errors or fraudulent activity.

    Security freezes should not be confused with credit locks.  Credit bureaus often encourage consumers to use a credit lock rather than a security freeze. While a security freeze provides protection that is governed by law, locks are governed by your contractual agreement with each credit bureau. Having a contractual agreement is not as good as having protections under law.  For example, the contract may include provisions that you may be better off not agreeing to, such as an arbitration agreement.

7.  Breach exposing your password

If your password is exposed by a data breach:

  • Change it immediately.  Do not use a password that is similar to your old password.
  • If you have used the same or a similar password elsewhere, change it immediately.
  • Be suspicious of any email that you may receive asking you for personal information or containing any links.  Independently verify the authenticity of the email.