Call now for cybersecurity help: 888-646-1616
Holly Sagstetter

What to Do After a Data Breach: 4 Important Steps

December 9, 2020

What do you do with data breach notifications? You’ve most likely received a few notices from big and small companies over the years. They apologize, ask you to change your password and explain how they’re going to prevent data breaches in the future. 

Unfortunately, it’s quite common for companies to learn about data breaches weeks, months or years after the fact. So what should you actually do with this information? 

This article will dive into what you should do when you receive these data breach notifications. And here’s a hint - you should do more than just archive the email. Data breaches may seem common, but that doesn’t mean you shouldn’t take steps to protect your online identity. 

#1 - Confirm data breach

Let’s say you get an email from an online retailer. They tell you they’ve experienced a data breach and to change your password. The first thing you should do is confirm the data breach. Do not click a link in the email notification. Go to the retailer’s website or Google ‘company name and data breach’. You can also verify your information was included in a breach by using the site Have I Been Pwned?

You want to be careful with clicking links for two reasons:

  1. There may have been an actual data breach involving the aforementioned online retailer. Scammers may pose as the retailer, hoping to gather usernames and passwords. 
  2. OR there was no data breach at all, but scammers try just about anything to gather usernames, passwords, anything. 

If you need help with spotting phishing messages, check out our favorite phishing tip!

#2 - Find out what information was stolen

When confirming the data breach, you also want to find out what information was stolen. This can range from your name and address to credit card numbers and Social Security numbers. The seriousness of the data breach will depend on what information the hackers took (or might have taken, sometimes it’s not always possible to know for sure). 

We like how Tom’s Guide breaks down sensitive information into three categories:

a) Least sensitive information: names, street addresses

Having your name and address stolen, while irritating, generally isn’t harmful. Although Ashley Madison users probably didn’t want their names released after the infamous 2015 hack... 

b) More sensitive information: email addresses, dates of birth, credit/debit card numbers

This is where things can get annoying. You may end up with an increase in spam messages because of your stolen email address. And although you won’t always be liable for charges on your stolen credit card, it’s still a hassle for you. 

c) Most sensitive information: Social Security numbers, financial account numbers and payment card security codes (the three or four-digit number on payment cards)

Tom’s Guide explains (and we agree) that the worst piece of information that can be stolen is your Social Security number. Always be extra careful with who has that information. Here’s what to do if your Social Security number is stolen

#3 - Change your password(s)

It’s best to err on the side of caution and change the affected password. Sometimes data breach notifications will highlight the fact that passwords are encrypted, hashed or salted, and that may sound like you’re safe — but instead of trying to understand how your password might have been protected, it’s probably easier to just change it!

Another reason to change the affected password is in case you reuse passwords on other sites (which you shouldn’t do, by the way!). If hackers figure out you used Password123456 on one website, they may use a technique called ‘credential stuffing’ and find other sites where you use that same password. Most people have accounts for Facebook, Amazon, PayPal, etc - so they might try your email address and stolen password on those sites. 

Password Tips

#1 - Use Multi-Factor Authentication (MFA) wherever you can. This makes it that much harder for hackers to gain access since they’d also need your mobile device.
#2 - Use a Password Manager like 1Password or LastPass. Managers create unique, complex passwords and make it easy for you to log into your accounts.
#3 - Do not reuse passwords or use similar passwords (Password1, Password2, Password3)
#4 - Use 12+ characters. More characters = harder for hackers to figure out.
#5 - Don’t include your name, birthday, or references to other personal details.
#6 - Use a pass phrase of random words (example: correcthorsebatterystaple)

#4 - Contact bank or financial institution

If a credit/debit card (or any payment card) was stolen, you should contact the bank or card issuer immediately. Banks will normally cancel the card and issue you a new one. 

Depending on the type of card, you may be on the hook for fraudulent charges based on when you notify the card issuer (up to $500 usually). That’s why it’s important to notify the card issuer as soon as possible. 

You can also place fraud alerts on your name with the credit-reporting bureaus. This means you’ll get notified when anyone tries to look up your credit. Creating these fraud alerts is free (US residents only): Equifax (1-888-766-0008), Experian (1-888-397-3742), Innovis (1-800-540-2505) and TransUnion (1-800-680-7289).

What to do if someone steals your identity

Identity fraud is serious and you need to treat it that way. Here’s what you should do:

  1. File a police report
  2. File a formal report of identity theft with the Federal Trade Commission (US only)
  3. Freeze your credit with the credit bureaus
  4. Document everything

Here’s a great article that details what to do if you’re a victim of identity theft: Identity Theft Victim? Here's 6 Things You Need to Do

Other data breach notification resources

NY Times: What to Do After Getting a Data Breach Notification

LifeLock: Your Data Breach Response Checklist

Tom’s Guide: What to Do After a Data Breach


Data breaches are going to happen. Attackers continue to find novel ways to access data, so it’s important to protect your information as much as possible. The best way to do this is by following our Password Tips (listed above) and taking action when you receive notices about data breaches. 

Leave a Reply

Your email address will not be published. Required fields are marked *

Do you think we might be a
good match?

We help over 100 of the best financial services, healthcare, and manufacturing companies across the U.S. with their cybersecurity.
Copyright 2023 Adelia Associates, LLC | All Rights Reserved