
When a company loses control of your private information, the impact can be far worse than just getting annoying emails. Hackers use stolen data to commit crimes, like opening new credit lines, committing tax refund fraud, and draining bank accounts. One person’s information can be reused for months or even years.
Losses reported in 2024 rose to $16.6 billion, an increase of 33% compared to the previous year.
If you’ve been the victim of a breach, here’s your plan of action.
1. Know your rights
State laws require companies to notify you after a breach, but the details vary regarding what they need to disclose and how fast. Some states also require breached companies to offer identity theft protection or other remediation. If you’ve received a vague notice, push for details and timelines. And in any case, contact a consumer protection attorney right away.
When you work with a lawyer, they’ll help you understand state requirements for breach notices and will pursue the issue if the company isn’t following the law. They’ll also help you file complaints with your state’s Attorney General and the FTC. And if you have a legal case, they’ll pursue justice on your behalf to get you compensated for your losses.
2. Confirm what was exposed
Once you talk to an attorney, and before you do anything else, identify exactly what was breached. Was it just your email address? Or was it a password too? Social Security number? Driver’s license? All of these things can be used to create new, fraudulent financial accounts in your name. Medical and insurance data can be exploited for benefits fraud.
Read the company’s breach notice to see what has been stolen so you can know for sure what the potential damage might be.
3. Sign up for breach notifications
Signing up for alerts from Have I Been Pwned is the best way to get notified if your email addresses or passwords have been involved in a data breach. In fact, the NIST guidelines specifically recommend consumers check their passwords against known breached datasets.
Don’t think that your online accounts are safe just because the site itself hasn’t been hacked. Since hackers know passwords get reused, they run automated login attempts with known email address and password combinations on other websites. For instance, hackers will use login credentials stolen in a Walmart website breach to attempt to log into 10,000 other online accounts, just fishing for a match. If you happen to have an account with one of those 10,000 websites and your email and password match, you’re in trouble.
Have I Been Pwned will also let you search a company’s breach history so you can avoid using sites that have a history of being compromised.
4. Freeze your credit and add a fraud alert
Even if you aren’t sure what exactly was stolen, it’s a smart move to freeze your credit. This will stop criminals from opening new accounts in your name because it blocks lenders from pulling your file without your permission. It doesn’t cost a dime to put in place and won’t hurt your credit score. You can keep it in place as long as you want.
You’ll need to freeze your credit with all three main bureaus: Equifax, Experian, and TransUnion. If you need to apply for a line of credit, you can temporarily lift the freeze and put it back when you’re done.
Placing a fraud alert will force extra identity checks for new credit for at least a year. If you don’t plan on applying for credit for a while, this is ideal.
5. Lock down your accounts
Sometimes breaches end in total account takeovers, not just credit opened in your name. Fix the root cause by creating long and unique passwords for every account and setting up multi-factor authentication (MFA) whenever possible.
Change all passwords for hacked accounts right away. And if a compromised account offers a secondary recovery email address, make sure it’s set to an email you control. That’s the first thing hackers change when they take over an account. If you skip this step, even locking down your account can backfire.
Act fast
When you’ve been the victim of a data breach, act fast. Confirm exactly what was leaked, freeze your credit, and lock down your accounts. Enable MFA, watch your money, and get an IRS identification PIN if you think your Social Security number might have been stolen. It may be a lot to manage at first, but it will lock in good habits that will make you a harder target moving forward.