
So Your Data Has Been Leaked – Now What?


It’s a bad feeling, receiving an email or a letter from an organization that their firewalls have been breached and your personal data may be compromised. But keep in mind that, in a way, nothing has happened yet – and there are steps you can take to limit the damage would-be fraudsters can do. If you move quickly, these tips can help in the immediate aftermath and protect you going forward.

Your Data Breach Checklist

Here is a step-by-step checklist to start your defense.

 

Read All Alerts and Notifications From the Compromised Organization

Once an organization confirms there has been a breach, they are required by law to let consumers know – and they will likely post ongoing updates and disclosures about which customers were affected and how. So once you’re alerted, look for the very latest information and find out exactly what of yours was stolen – your username, password, payment information, Social Security number or other identifying information – so you know exactly what you’ll be targeting in these next steps. Also, consider the breached organization’s offers to help: They may suggest outside resources or offer services like credit monitoring or other protections. These can be valuable, but make sure you read any fine print – you might decide to take care of these things on your own.

 

Change Your Passwords

Many who get harmed by hackers are those who put up the least amount of resistance – there are some thieves who will just drop you as a target if your passwords have already changed. Before you do anything else, make sure you change your online passwords for accounts with sensitive information, especially financial data. Spend a moment brainstorming the most important and sensitive data you have online (like banking accounts, email and medical information) and change those passwords first.

If you have reused the password of the breached site for any accounts elsewhere, change those as well. While it might be incredibly tempting to reuse passwords, the truth is if your data is breached in a single location, these nefarious agents will have a skeleton key to your life. A different password for every online account is crucial. Thankfully, it’s easier than ever to manage all your passwords. A trusted password manager can keep track of all your passwords, which means you’ll only really have to remember one password (to the password manager itself). Make sure that password is long and complicated but also easy for you to recall.

 

Sign Up for Two-Factor Authentication

Whenever you can, enable two-factor authentication for everything that requires a password. Every time someone logs into an account of yours, they are put in a waiting room of sorts until the log-in attempt is approved through an app or text message on your phone – the phone you’re holding in your hand. No password is that valuable if it’s only step one in a process that your personal physical device must complete. Even if you aren’t currently affected by a data breach, this practice is strongly recommended.

 

Alert Your Financial Institutions

A difficult aspect of having your information leaked is that you don’t know exactly what was taken – while organizations will issue disclosures about what they know to be compromised, there can be a domino effect where a data leak results in other information about you being gleaned outside of the breach. Assume your debit and credit cards are compromised and get them cancelled and replaced. While this can be annoying, it instantly and considerably reduces your risk. If you suspect you have been fully compromised, placing a fraud alert on your credit ensures any recent or new requests get scrutinized. (This is different from freezing your credit, which we will discuss later in the article. Freezing your credit might not be possible for you right away, depending on what activity is occurring in your life, and will not prevent someone from using a debit or credit card if they already have all the needed data.)

Baird also encourages all clients to establish a trusted contact – providing another layer of safety on your account by authorizing someone who can help your Baird Financial Advisor connect with you in situations of potential fraud.  

 

Watch Your Accounts and Check Your Credit Reports

Pore over your credit reports, starting at the present and working your way back to the date of the reported breach. Report anything you find suspicious or don’t remember. Financial institutions are adept at managing fraud and helping you recover, so the sooner you alert them to any specific out-of-place activity, the better. Then, moving forward, stay vigilant and on top of your account activity – both the account from the organization that suffered the breach and your financial accounts – so that you can flag and report anything out of the ordinary as soon as possible.

 

Freeze Your Credit

The only surefire way to safeguard your credit after a breach is by freezing it. Start by creating an account with each of the three main credit bureaus (Experian, TransUnion, Equifax) and place a freeze on your credit for free. When you want to do anything with your credit (open a new line, get a new card, refinance, buy a car, etc.), you contact the agencies and put a “thaw” on your credit temporarily; once you’ve accomplished what you wanted, contact the agencies again and refreeze it.

This may feel like a hassle, but it certainly pales in comparison to the hassle of undoing credit fraud. Freezing your credit significantly hampers any would-be identity thieves from taking advantage of your credit. Assuming you have two-factor authentication enabled, in order for someone to mess with your credit, they would have to have your name, username, password, email and phone number and have access to your physical phone.

 

Delete Your Data

Everywhere you go online, you leave digital fingerprints – traces of information about you that can be used in a lot of different ways. Data brokers collect vast amounts of personal information and sell it to advertisers, scammers, identity thieves – and hackers who may have already scraped your data in a breach. This sort of data can be phone numbers and email and home addresses, but it can also be your mother’s maiden name, your first pet’s name (and other security question information) as well as non-vital but still personal information that can be used for phishing scams (see below). You can contact data brokers to request all information they’ve collected on you be deleted, and they are legally required to comply – however, there are dozens and potentially hundreds of data brokers, so such a task seems daunting. Fortunately, there are data cleanup services that, for a reasonable cost, will contact all these outfits on your behalf. They can remove almost all your personal data from the ether and guide you on how to remove the rest.

 

Watch for Phishing Scams

Phishing – fraudulent communications that appear to come from a legitimate source – is one of the most common social engineering attacks. The goal is to trick people into providing sensitive information innocently. These can often be sent to many people at once just to see what they can catch, but spear phishing is when individuals are targeted, and if someone hacked an account and got information about you, they may be able to target you quite effectively. These messages can be incredibly customized and personal, making them even more convincing. Following a data leak, exercise a bit of caution with incoming calls and emails and verify any communication before providing any sensitive information. A legitimate organization won’t ask for sensitive information (such as account numbers or login credentials) via email or text. A safe practice is to always search the inquiring organization’s phone number and give them a call back.

 

Consider Prevention Services

Identity theft protection services can protect you by monitoring credit files, alerting you of any suspicious activity and helping you recover lost money and repair your credit score if you become a victim of identity theft. If you were the victim of a substantial breach, the impacted organization will often offer free credit monitoring, but you’ll have to sign up for it, and you may want to do some of your own research on alternatives. Baird offers our clients a third-party service that will provide identity theft protection and help you delete your online personal data.

 

And of course, as ever, if you’re feeling unsettled after a data breach, reach out to your Baird Financial Advisor. They will be happy to introduce you to identity monitoring services and provide other resources that may be helpful.

The information offered is provided to you for informational purposes only. Robert W. Baird & Co. Incorporated is not a legal or tax services provider and you are strongly encouraged to seek the advice of the appropriate professional advisors before taking any action. The information reflected on this page are Baird expert opinions today and are subject to change. The information provided here has not taken into consideration the investment goals or needs of any specific investor and investors should not make any investment decisions based solely on this information. Past performance is not a guarantee of future results. All investments have some level of risk, and investors have different time horizons, goals and risk tolerances, so speak to your Baird Financial Advisor before taking action.