What do you do with data breach notifications? You’ve most likely received a few notices from big and small companies over the years. They apologize, ask you to change your password and explain how they’re going to prevent data breaches in the future.
Unfortunately, it’s quite common for companies to learn about data breaches weeks, months or years after the fact. So what should you actually do with this information?
This article will dive into what you should do when you receive these data breach notifications. And here’s a hint - you should do more than just archive the email. Data breaches may seem common, but that doesn’t mean you shouldn’t take steps to protect your online identity.
Let’s say you get an email from an online retailer. They tell you they’ve experienced a data breach and ask you to change your password. The first thing you should do is confirm the data breach. Do not click a link in the email notification. Instead, go to the retailer’s website directly or Google ‘company name and data breach’. You can also use the site Have I Been Pwned? to verify whether your information was included in a breach.
You want to be careful with clicking links for two reasons:
If you need help with spotting phishing messages, check out our favorite phishing tip!
When confirming the data breach, you also want to find out what information was stolen. This can range from your name and address to credit card numbers and Social Security numbers. The seriousness of the data breach will depend on what information the hackers took (or might have taken; it’s not always possible to know for sure).
We like how Tom’s Guide breaks down sensitive information into three categories:
a) Least sensitive information: names, street addresses
Having your name and address stolen, while irritating, generally isn’t harmful. Although Ashley Madison users probably didn’t want their names released after the infamous 2015 hack...
b) More sensitive information: email addresses, dates of birth, credit/debit card numbers
This is where things can get annoying. You may end up with an increase in spam messages because of your stolen email address. And although you won’t always be liable for charges on your stolen credit card, it’s still a hassle for you.
c) Most sensitive information: Social Security numbers, financial account numbers and payment card security codes (the three- or four-digit number on payment cards)
Tom’s Guide explains (and we agree) that the worst piece of information that can be stolen is your Social Security number. Always be extra careful with who has that information. Here’s what to do if your Social Security number is stolen.
It’s best to err on the side of caution and change the affected password. Sometimes data breach notifications will highlight the fact that passwords are encrypted, hashed or salted, and that may sound like you’re safe — but instead of trying to understand how your password might have been protected, it’s probably easier to just change it!
Another reason to change the affected password is in case you reuse passwords on other sites (which you shouldn’t do, by the way!). If hackers figure out you used Password123456 on one website, they may use a technique called ‘credential stuffing’ to find other sites where you use that same password. Most people have accounts on Facebook, Amazon, PayPal, etc., so hackers might try your email address and stolen password on those sites.
Password Tips
#1 - Use Multi-Factor Authentication (MFA) wherever you can. This makes it that much harder for hackers to gain access since they’d also need your mobile device.
If a credit/debit card (or any payment card) was stolen, you should contact the bank or card issuer immediately. Banks will normally cancel the card and issue you a new one.
Depending on the type of card, you may be on the hook for fraudulent charges based on when you notify the card issuer (up to $500 usually). That’s why it’s important to notify the card issuer as soon as possible.
You can also place fraud alerts on your name with the credit-reporting bureaus. This means you’ll get notified when anyone tries to look up your credit. Creating these fraud alerts is free (US residents only): Equifax (1-888-766-0008), Experian (1-888-397-3742), Innovis (1-800-540-2505) and TransUnion (1-800-680-7289).
Identity fraud is serious and you need to treat it that way. Here’s what you should do:
Here’s a great article that details what to do if you’re a victim of identity theft: Identity Theft Victim? Here's 6 Things You Need to Do
NY Times: What to Do After Getting a Data Breach Notification
LifeLock: Your Data Breach Response Checklist
Tom’s Guide: What to Do After a Data Breach
Data breaches are going to happen. Attackers continue to find novel ways to access data, so it’s important to protect your information as much as possible. The best way to do this is by following our Password Tips (listed above) and taking action when you receive notices about data breaches.