Getting notified that your data has been exposed in a cyberattack is harrowing. It’s natural to feel something akin to a home break-in, even though nothing was stolen from your physical space.
Unfortunately, once your data is stolen, it’s in criminal hands. It could end up being sold on the dark web as part of a data bundle. Criminals buy data bundles to create phishing scams and false identities, or commit health care and credit card fraud. Criminals could use your data immediately, or it could be part of a future scam.
Either way, your data is out there. The best thing you can do is step up your vigilance.
In a survey of 1,000 Americans by the data security platform Varonis, only 56% had checked to see if they were affected by a data breach. Even fewer (44%) knew what to do if their data was affected.
Fight the urge to give up or blame yourself after a breach. It’s not your fault. Here are low- to no-cost actions you can take to help yourself.
Companies must tell you if your data was part of a breach
If your personal data was exposed as part of a cyberattack on a company, they should notify you. Most states have laws requiring companies to inform customers if their data is exposed in a breach and provide free credit monitoring for at least a year.
Consider the 2024 Change Healthcare cyberattack. Millions may have had their sensitive health information leaked onto the dark web despite UnitedHealth paying a ransom to the hackers. The number of accounts that were exposed and the cost of the data leak are still unfolding as investigations continue.
What a data breach communication might look like
A company may offer you a single credit monitoring service or a suite of services, which can include:
-
Credit monitoring. This service monitors your credit reports from the three national credit reporting agencies: Experian, Equifax and TransUnion.
-
Identity monitoring services. These monitor internet and database sources, including criminal records, arrest records, bookings, court records, payday loans, bank accounts, checks, sex offenders, change of address requests and Social Security number traces.
-
Identity restoration services. An agency works with you to restore your identity.
-
Identity theft insurance. This covers identity theft that occurs during the coverage period. It may cover expenses incurred to restore your identity. Check your policy for coverage dates, exclusions and deductibles for specific events.
The type of services you’re offered may depend on your location and the severity of the exposure.
For example, you may only be offered credit monitoring if you were potentially affected but not confirmed as part of the breach. If your data was confirmed as exposed due to the breach, the company might offer you a comprehensive suite of services.
If you’re notified of a data breach
Use the credit monitoring services companies offer you. If you have identity theft protection, tell your service about the breach notification.
It’s good data hygiene to monitor your credit profile, regardless of a data exposure event. But it’s critical if you’re involved in a data breach. Monitor your credit card and health care statements, as well as your credit reports and tax return activity.
Watch for charges you did not make on your credit cards or services you did not receive on your explanation of benefits statements. If you see suspicious activity, contact the relevant institution immediately.
Reporting identity theft
Once your data is being used for unauthorized activities, you’re in the stages of full-blown identity theft. If you believe you are the victim of identity theft, report it. By the time you reach this stage, the damage has often been done. It can be overwhelming to handle alone, so it’s best to take minute and breathe.
Contact your local law enforcement authorities to file a police report. Even if they don’t investigate it, you can reference the police report number when filing credit card and other disputes.
You can do several things from there to protect yourself, like activating an alert on your credit report to prevent criminals from opening credit accounts in your name. The three main credit reporting bureaus are:
Equifax
888-378-4329
Experian
888-397-3742
TransUnion
800-916-8800
Fraud alerts and security freezes
A fraud alert or security freeze (or both) can help protect you from identity theft. Both are free, and you can activate them using the major credit reporting bureaus listed above. Learn the key differences below.
Fraud alerts
Placing a fraud alert on your credit reports tells potential creditors to verify your identity before opening new credit accounts in your name. Creditors should contact you directly or take other steps to verify your identity. According to the Federal Trade Commission (FTC), there are three types of fraud alerts:
-
An initial fraud alert lasts one year with the option to renew. It’s available to anyone who is a victim of fraud or thinks they might be.
-
An extended fraud alert lasts seven years. It’s available when you’re a confirmed victim of identity theft. It also removes you from credit card and insurance offers.
-
An active-duty alert lasts one year. It’s for military personnel on active duty. It also removes you from credit card and insurance offers for two years.
When a creditor runs your report, they’ll see the fraud alert. This tells them to take extra precautions to verify it’s you. Usually, they’ll contact you at the number you provided when you requested the fraud alert. Keep track of the contact information you provided on the fraud alert and update it if you change your information.
Security freezes
While a fraud alert adds an extra verification step, a “security freeze” or “credit freeze” locks down your credit file entirely. While your current accounts remain active, no new accounts can be opened in your name.
A security freeze remains in effect until you choose to lift it. Although it offers more secure protection, a credit freeze makes applying for credit, buying a house or renting an apartment inconvenient. You need to remember to lift the freeze first or the creditor will deny your application.
What to do if your identity has been stolen
Maybe you notice an unfamiliar charge on your credit card statement or you get a call about an overdue account that you never opened. Chances are good your identity has been stolen and the fraudster has opened several accounts in your name. Even if the fraud involves only one account, you’ll still need to check all of your accounts.
Reporting on your own
Go to the FTC’s IdentityTheft.gov site to report your identity theft. The site will guide you through the process and generate a personalized checklist to help you recover from identity theft. It can also generate forms and debt collection dispute letters that you can send to credit bureaus and collection agencies.
Identity theft insurance
If you have identity theft insurance as a stand-alone policy, as an add-on through your home or renters policy, or as part of a data breach exposure settlement, alert your insurance company. Identity theft insurance won’t reimburse you for money stolen, but it will help you with steps toward credit recovery. You won’t have to go through the FTC or file separate reports with each credit bureau and dispute the fraudulent activity. They’ll handle the dispute letters.
Minor children and credit reports
Your children don’t typically have a credit report unless you add them as authorized users on your credit card accounts or hold a joint account with them. Criminals can commit fraud using a child’s personal information and go undetected for years. You can request a credit report from the three major credit bureaus (Experian, TransUnion or Equifax). If you enroll in an identity protection service, they often offer family plans.
Credit monitoring and financial information resources
Make it a habit to monitor your personal information, whether you’re involved in a breach or not.
-
You can get free credit reports from AnnualCreditReport.com.
-
The Consumer Financial Protection Bureau (CFPB) offers free credit reports and scores. The CFPB is a government agency that ensures banks, lenders and other financial companies treat you fairly.
-
Use secure passwords, update your software and sign up for multifactor authentication. Visit Cybersecurity & Infrastructure Security Agency’s “Secure Our World” for tips on safeguarding your data.
It’s important to stay proactive after a data breach. Companies and the government provide mechanisms to safeguard victims from further exploitation.
Call your insurance agent if you’re interested in identity theft protection. You might be able to add it to your homeowners or renters policy for a small premium increase. Remember, you won’t be covered for a breach you’re already aware of. Call before an incident to save yourself a major headache.