Key actions will help limit impact of a data breach: Internet Scambusters #462
Chances are high that, if you haven't already been victim of a data breach, you will one day.
What you do next depends on the seriousness of the breach, but in a worst case scenario you must batten down the hatches -- setting up fraud alerts on your credit report and even closing bank and credit card accounts.
This week, we explain the risk of a data breach and outline the actions you can take in response.
What to Do If You're a Data Breach Victim
Up to 20 million Americans may become victims of a data breach this year, in one or more of an estimated 400 incidents.
That's if trends that marked the halfway stage for the year are anything to go by -- 220 breaches of data, affecting more than 12 million people, at the end of June.
A data breach happens when a hacker gains access to a computer that contains personal records of individuals, or a disk or other device containing records is lost or stolen.
These may be stored by a business or other organization -- a hospital for instance -- and the records may hold information ranging from simple contact details like home or email addresses, to highly sensitive and confidential information like credit card numbers and health records.
Hacking is not a rare event. In a recent survey by Ponemon Networks, an incredible 90% of the 600 businesses polled said they'd been hacked.
Fortunately, these cyber break-ins don't always find personal records. Or, if they do, they're often not used for identity theft.
In fact, according to a report by Carnegie Mellon University, the likelihood of becoming an ID theft victim if your details are accessed through a breach of data is around 2%.
And the online encyclopedia, Wikipedia, claims that in one of the worst-ever breaches of data, only 1,800 of the 4 million records affected actually led to ID theft.
But still, with the sort of numbers seen so far this year, everyone whose records are online is potentially vulnerable to a data breach.
Options for Data Breach Victims
That raises the question of what you should do once you learn you're a victim.
First, it's important to know that most states require organizations whose data is stolen to send out a data breach notification to all victims.
At the time of writing, a few still don't. (You can check which ones in States with Laws Requiring Consumer Notification of ID Theft -- though we can't vouch for its accuracy).
Note: What's important is the state where the breach of data occurred is based, not where you happen to live.
And, of course, even in states where notifying you is not mandatory, most firms accept the moral obligation to send out a data breach notification.
What you do next depends on the severity of the incident and the willingness of the organization and others to help you.
Bearing this in mind, here's a countdown of actions you should either take or consider:
1. First, check if the notification you received is genuine.
Sounds obvious doesn't it? But that letter or email you got could be bogus -- from a crook trying to get you to give away key personal information.
Before taking further action, check online for reports of a data breach or, if necessary, contact the organization (using their phone directory listing, not the number on the notification) to ensure it's legit.
2. Assuming it's genuine, establish exactly what sort of information has been disclosed since that will dictate what you do next.
The data breach notification may tell you exactly what's been stolen but, more likely, they'll say data has been compromised and they're not even sure if you're among the victims or precisely what information has been accessed.
In that case, assume the worst. If the organization has your credit card info, assume the thieves now have it.
3. Establish what help the organization plans to give you.
Mostly, they're not legally obliged to do anything beyond notifying you, but these days many offer to pay for services that monitor your credit records to see if anyone's using your details.
If this service is offered, take it.
If the firm doesn't make the offer, ask them. Usually, the data breach notification letter will contain a helpline number you can call, or contact their main number.
4. As a matter of routine, take the following steps:
* Change, delete and replace any email addresses the organization may have used for you.
* Change passwords you may have used with them. That is, obliterate every single usage of the password, even with organizations not connected with the incident.
Incidentally, hackers sometimes just steal information for the heck of it and then release the email addresses and passwords to show what they've done.
* Monitor media coverage of the data breach to ensure you're up-to-date with the scale and nature of the incident.
* Double up on your phishing vigilance.
As we stated in #1 above, once someone has your email or postal address they may contact you asking for information, posing as the organization that suffered the data breach.
So, even if you know there's been a data breach, don't just give out information about yourself in response to a letter. Check it carefully.
Hacked organizations aren't likely to ask you for any confidential information anyway. They already have it.
5. Now for some specifics for more serious data breach theft. If any financial information or your Social Security number have been stolen, here are some actions you can take:
* Ask the bank to notify you of any suspicious activity conducted in your name.
* Put a fraud alert on your credit records. This will flag-up a warning sign if anyone tries to gain credit using your name.
Most credit issuers, including retailers and card companies, always check these reports before allowing credit.
The credit reporting agencies won't necessarily tell you when this happens but it will make your account information worthless to the crooks for opening new accounts.
* Keep close tabs on your credit card and bank accounts to detect any unusual activity -- daily if you monitor them online.
* If you're really worried, consider asking your bank and/or credit card company to cancel your accounts and open new ones, issuing new cards.
The Golden Rule
A couple more things to know:
First, the theft of your Social Security number is potentially the most harmful since you can't just cancel your SSN and get another one.
Look out for a forthcoming Scambusters issue dealing with protecting your Social Security number.
Second, if your information is stolen in a data breach, you must be vigilant for a long time.
Stolen financial data, like credit card numbers, are traded in the criminal black market and take years to be used.
Finally, the golden rule: Assume your personal information will one day be stolen in a data breach, because it probably will, so be careful how you spread those details around!
That's it for today -- we hope you enjoy your week!