Here’s What You Should Do After a Data Breach

Quick Answer

If you’re notified that your personal information was exposed in a data breach, act immediately to change your passwords, add a fraud alert to your credit reports and consider placing a security freeze on your credit reports.

Mature woman shows some paperwork to her partner who seems concerned

Data breaches are incidents in which confidential information, including consumer data, is stolen from a company or organization. In the first half of 2024, the number of data breach victims surpassed 1 billion, according to the nonprofit Identity Theft Resource Center. That's a 490% increase from the same time last year, when the number of recorded victims was about 183 million.

If your personal information was exposed in a data breach, the breached company may notify you. It's important to act quickly to secure your accounts and take preventive measures against fraud. Here are six steps to take if your information is exposed in a data breach.

1. Find Out What Data Was Compromised

The measures you should take after a data breach depend on what information was exposed. Data breach notification letters often tell you what types of sensitive information may have been stolen.

Sensitive information that could wind up in the hands of criminals or on the dark web after a data breach includes:

  • Your full name
  • Email addresses
  • Your date of birth
  • Biometric data
  • Passwords and passcodes
  • Mailing addresses
  • Your Social Security number

The risk that you could become a victim of fraud after a data breach depends in part on the type of data that was compromised. Some types of data pose less threat when compromised than other types.

For example, if your name and email address are stolen, the impact may just be some spam sent to your inbox. On the other hand, if highly sensitive data is exposed in a breach, the risk of fraud is higher. For example, if your Social Security number is exposed in a data breach, you may be at a heightened risk for identity theft or fraudulent credit applications in your name.

2. Secure Your Accounts

Starting with any accounts specified in the breach notification, update the passwords and PINs you use to log in to your bank and credit card accounts. Accounts affected directly in a breach are at greatest risk, but access to any of your personal information heightens the risk that your other accounts could also be compromised.

If you aren't already doing so, start implementing these good password hygiene practices to mitigate account security risks:

  • Don't reuse passwords. Use unique passwords for each of your online accounts. Otherwise, a thief who's obtained login information for one account could be able to use the same information to gain access to others.
  • Consider a free password manager. Password managers generate unique, secure passwords and remember them for you. All you have to remember is one master password. There are many free options available, but password managers that charge a subscription fee may provide more robust features.
  • Enroll in two-factor authentication. Two-factor authentication requires you to get a confirmation code via text message or email before each login, to prove you're you. It adds a small step to the sign-in process, but it makes it much harder for password thieves to gain access.

3. Monitor Your Financial Accounts and Credit Reports

Keep tabs on your bank and financial accounts and set up any available alerts to notify you of activity on the account. Staying aware of unusual or unexpected activity on your account lets you detect potential scams early and allows you to report or investigate them promptly.

Checking your credit report also can help you identify any unusual activity related to credit fraud and identity theft, such as the creation of loan or credit card accounts you don't recognize and the addition of unfamiliar addresses to your personal information. You can check your credit report for free through Experian, and check your reports from all three credit bureaus for free at AnnualCreditReport.com.

Free credit monitoring from Experian automates the process of checking your Experian report by sending you emails or text messages anytime there's new activity on your Experian credit report.

4. Initiate a Fraud Alert

You have the right to initiate a fraud alert with all three credit bureaus. Active fraud alerts notify lenders processing credit applications in your name that you may be a victim of fraud or identity theft and instructs them to take additional steps to verify your identity before moving ahead with the application.

When you add a fraud alert to your Experian credit report (or to your report at either of the other two national credit bureaus, TransUnion or Equifax), the alert is automatically applied to your credit reports at all three bureaus.

Initial fraud alerts remain on your credit report for one year, but you can renew them. You can also request an extended fraud alert that lasts seven years.

5. Freeze or Lock Your Credit File

Though potentially more inconvenient than a fraud alert, you might consider applying a free security freeze, which limits access to your credit report at a specific credit bureau. You have the right to freeze your Experian credit report, and you can separately freeze your credit reports at Equifax and TransUnion.

Freezing your credit at all three bureaus helps protect your credit file from scammers and other criminals who may apply for credit in your name. However, it will also prevent creditors from accessing your credit for legitimate credit applications. If you want to allow a lender to view your credit reports (as when applying for a credit card or loan), you must first unfreeze your credit reports.

Locking your credit file is another way to protect yourself from fraudulent credit applications being submitted in your name. You can lock and unlock your Experian credit file with CreditLock.

6. Look Out for Signs of Scams

Criminals can use data exposed in breaches to commit targeted acts of phishing by convincing you their communications are from a legitimate source (such as your bank or a government official). Their goal may be to con you into handing over more sensitive information, or to trick you into providing access to your financial accounts.

Being aware of these common signs of phishing attempts can help you stay defensive:

  • Messages that urge you to act immediately using implied or explicit threats, such as "act now to avoid losing access to your account" or "this is your final chance to extend your home warranty"
  • Unusual sender email addresses
  • Attachments from companies or organizations that don't typically include them
  • Requests for information the sender should already have (for example, your bank requesting you confirm your account number)

The Bottom Line

Exposure of your personal information in a data breach is a downside to the convenience of digital transactions and e-commerce. It's wise to be prepared in case it happens to you, and to act quickly if it does to minimize the potential damage.

If you're the victim of a breach, take a breath, try not to panic and follow these steps. If you confirm your data has been stolen or misused, act immediately and report the matter to appropriate authorities.