In the past five years, data breaches have led to nearly 4.5 billion accounts being compromised. Here is what you should do when you are involved in a data breach.
The latest major corporation in the news for a data breach is British Airlines. The hacker group known as Magecart was able to plant a payment skimmer on the British Airways homepage and steal roughly 380,000 credit card numbers. Corporations control staggering amounts of personal data and when they are breached, their customers are forced to scramble to protect themselves and their finances. Despite all the evidence to the contrary, most people seem to the think they will never be affected by a data breach. There are several causes for this, from corporations wanting to minimize the scale of the problem, to the fact that cybersecurity rarely gets the coverage or attention it deserves.
It is likely that you will be a victim of a data breach at least once in your lifetime, if you have not been already. This article goes over what you should do in the event that a corporation fails to secure your data.
The first challenge is simply finding out whether you have been a victim of a data breach. There are websites, such as haveibeenpwned.com, that can help you identify if your account has been compromised, but it is not fool proof and can result in false-positives. Unfortunately, it is hard to be certain until the corporation that suffered the leak contacts you.
Once you receive that dreaded email, you are on the clock. Time is of the essence after a data breach. It is much easier to prevent a hacker from using your personal data than to clean up from the identity and data theft afterwards. Start this checklist immediately after you learn you were the victim of a data breach:
1. Figure out what data has been stolen
When the corporation emails you to alert you that your data may have been compromised in a breach, they should also inform you what data was stolen. However, it is better to try and remember what data that organization had access to and just assume that it was all stolen. It can be hard to fully appreciate the scope of data breaches until months later and you do not have that time.
When hackers steal data, their goal is generally to steal credit card information or enough personal data to steal your identity. They can then use these for fraudulent purchases, to take out loans, or commit other crimes. This means they are looking for names, birthdates, social security numbers, credit card or ATM card numbers, bank account numbers, and payment-card security codes. If you use the same password for multiple services, then these are also high-value targets.
With your credit card number and its security code, a hacker can use your card for fraudulent purchases. With your bank account information, they can monitor your finances. With your name and social security number, they can steal your identity.
2. Contact relevant financial institutions
As soon as you know that a credit card or ATM card number was stolen, you need to contact the bank or organization that issued you that card. Financial institutions have dealt with enough data breaches by now to immediately cancel your card and issue you a new one if you tell the customer representative (be sure to speak with a person) that your data was stolen in the breach of X company. Ideally, you will have alerted the bank before any fraudulent purchases have taken place. If you are in the US, then the maximum allowable liability under Consumer Protection Bureau regulations is $50, but it is likely that you will not be charged anything.
However, if the hacker is able to make purchases before you alert your bank or other financial institution, then ATM cards and credit cards follow very different rules. The information below is based on Consumer Protection Bureau regulations. Your individual bank will likely have its own policy but they must be within these regulations.
With a credit card, you can report the card stolen or missing at any time and the maximum liability you could face would be $50, if that, depending on your financial institution’s polices. If fraudulent purchases show up on your monthly billing statement, you have up to 60 days to dispute the charges in writing. The credit card company then has 90 days to resolve the issue.
The regulations governing debit cards offer consumers much less protection against fraud. Again, individual bank policies will vary, but US law only requires that you have at least two days after a fraudulent purchase is reported to dispute it to qualify for the limited $50 liability. After that, you may be liable for up to $500 of the fraudulent charges. And if you do not tell your bank that your data was stolen within 60 days of fraudulent purchases, you could be liable for all charges.
3. Change your passwords
If you follow password best practices (e.g. you use strong, unique passwords for each account and enable two-factor authentication where possible) then only changing the password of the affected account should be necessary. If you use the password of the account that was hacked in multiple places, then it should be changed everywhere it is used. You should assume that once the hacker got your email and password from this data breach, they immediately began searching for your other accounts. When creating these new passwords, make sure you replace them with strong, unique passwords to avoid this situation in the future. The easiest way to keep track of all these new passwords is to use a password manager.
If you fear that your banking information was stolen, then changing your ATM PIN should be part of this step as well.
4. Place a fraud alert with credit reporting bureaus (US only)
There are four main credit reporting bureaus in the US: Equifax, Experian, Innovis, and TransUnion. You should request a fraud alert (also known as a credit alert) on your account. This means these organizations will inform you anytime someone tries to access your credit score or open a new credit card in your name. You do not need to provide any reason for why you are placing a fraud alert and once you have placed an alert, you will receive a free credit report. These alerts last for 90 days and are free of charge.
If you want additional protection, you can request a credit freeze, also known as a security freeze. To start a credit freeze, you can use the phone numbers above or the links here for Equifax, Experian, Innovis, and TransUnion. Credit freezes are free and they prevent anyone not already in business with you from running a credit report or opening a new account without your express permission.
5. Protect yourself from future breaches
Part of this means taking steps to better secure your personal data but it also means choosing to do business with organizations that take privacy and data security seriously. ProtonMail uses zero-access encryption and ProtonVPN has a strict no-logs policy, both of which limit the amount and type of data that is available in the highly unlikely case of a breach. Zero-access encryption means that ProtonMail does not have access to your encryption keys. Thus, in the unlikely event of a breach at ProtonMail, your emails will remain secure.
Data breaches will always be a threat as long as mass amounts of data are transferred and stored online. While corporations have a responsibility to do their utmost to protect customer data, customers must be prepared to act in the event that they fail. We hope you never need to use this checklist. We hope that in the future organizations will take data security and privacy more seriously. Until that day arrives, we will be here to help.
The ProtonVPN Team
To get a free ProtonMail encrypted email account, visit: protonmail.com