When companies that hold your personal information suffer security breaches, your data may end up in criminals' hands. Data breaches expose sensitive information—Social Security numbers, financial accounts, medical records, passwords—creating risks of identity theft and fraud that can last for years. Taking prompt action after a breach limits your exposure and helps you recover if your information is misused.
Understanding what to do when your data is compromised protects you from becoming a victim of the criminals who exploit stolen information.
Understanding Breach Notifications
When companies experience breaches affecting personal information, state laws require them to notify affected individuals. Notification letters describe what happened, what information was exposed, and what steps the company is taking.
Read breach notifications carefully—they specify exactly what data was compromised. Exposed email addresses present different risks than exposed Social Security numbers. Your response should match the type of information breached.
Some notifications offer free credit monitoring or identity protection services. Take advantage of these offers; they cost you nothing and provide useful protection.
Immediate Protective Steps
If passwords were exposed, change those passwords immediately on all accounts where you used them. If you reused the password elsewhere (which you shouldn't, but many people do), change it on those accounts too. Use strong, unique passwords for each account.
Enable two-factor authentication wherever available, especially for financial accounts and email. This adds protection even if passwords are compromised.
If financial information was exposed, monitor account statements closely for unauthorized transactions. Consider setting up transaction alerts that notify you of activity.
Protecting Against Identity Theft
For breaches exposing Social Security numbers, place a fraud alert on your credit reports. Contact any one of the three major credit bureaus (Equifax, Experian, TransUnion)—they'll notify the others. Fraud alerts last one year and require creditors to verify your identity before opening new accounts.
A credit freeze provides stronger protection. Freezing your credit prevents new accounts from being opened in your name entirely. You'll need to temporarily lift the freeze when you legitimately apply for credit, but it blocks criminals from using your identity.
Both fraud alerts and credit freezes are free. Freezes offer better protection; alerts are easier to manage. Consider freezing if your Social Security number was exposed.
Monitoring Your Credit
Review your credit reports from all three bureaus. You're entitled to free reports annually through AnnualCreditReport.com. After a breach, check more frequently if possible—many monitoring services provide this.
Look for accounts you didn't open, inquiries you didn't authorize, and addresses you don't recognize. These may indicate identity thieves have used your information.
Monitor your credit score for unexpected drops, which might indicate fraudulent accounts affecting your credit history.
Tax-Related Identity Theft
If Social Security numbers were breached, criminals may file fraudulent tax returns claiming refunds in your name. File your legitimate return early to get ahead of potential fraudsters.
Consider obtaining an Identity Protection PIN from the IRS. This six-digit number is required on your return to verify your identity, blocking fraudulent returns using your Social Security number.
If you receive IRS notices about returns you didn't file or income you didn't earn, respond immediately—this likely indicates tax-related identity theft.
If You Become a Victim
If identity theft occurs, report it to the Federal Trade Commission at IdentityTheft.gov. This creates an official identity theft report and provides a personalized recovery plan.
File a police report if significant fraud occurs. While police may not investigate, the report documents the crime and may be needed when disputing fraudulent accounts.
Notify the fraud departments of companies where fraudulent accounts were opened. Send written disputes with copies of your identity theft report. Under federal law, companies must investigate and remove fraudulent information.
Medical and Insurance Breaches
Healthcare breaches pose special risks. Monitor your medical records for unfamiliar treatments or diagnoses—medical identity theft can result in incorrect information in your health records, affecting your care.
Review your insurance statements (Explanation of Benefits) for services you didn't receive. Report discrepancies to your insurer immediately.
Getting Legal Help
If you suffer actual financial losses or significant harm from a data breach, you may have legal claims against the company that failed to protect your information. Many breach victims can join class action lawsuits seeking compensation for the company's negligence. A consumer protection attorney can evaluate whether you have claims worth pursuing individually or whether joining a class action makes sense. Even if damages seem small individually, companies should face consequences for failing to protect the data entrusted to them.