Since Privacy Rights Clearinghouse (PRC) began tracking data breaches in 2005, our records show that more than 563 million records have been reported leaked. This number is significantly lower than the actual figure, however. In many cases, the number of exposed records is either not known or is not reported to the news media or to state and federal reporting authorities.
In most states, businesses are required by law to notify individuals when a data breach compromises personal information that is likely to lead to financial identity theft. Even when it is not required by law, many companies will notify customers as a courtesy. This means there is a very good chance you will receive a breach notification at some point.
In our latest short film, Data Breaches: Know Your Rights, we explore how a typical consumer may respond to such a notification. The film is the fifth in a six-part YouTube series on important privacy topics.
In the 4-minute film, Mr. Jackson is alarmed and confused when he receives a letter from his bank notifying him that an employee's laptop was stolen. The laptop contained customer data including his Social Security number and other personally identifiable information. His adult son, Luke, turns to PRC's website to find out what to do. Watch the video to see what happens.
What to Do if a Data Spill Includes Your Information
Above all, don't panic. A data leak does not necessarily mean that you will become a victim of identity theft.
The first step is figuring out what type of information was exposed:
- Social Security numbers – In breaches where Social Security numbers are exposed, new account fraud is possible. New account fraud occurs when a criminal uses your Social Security number to open a line of credit and goes on a spending spree.
To protect yourself from new account fraud, we recommend you order your credit report and request a fraud alert immediately, monitor your credit report regularly thereafter and consider a security freeze. A security freeze provides the greatest protection from identity theft, but may not be the most convenient choice for everyone.
- Credit and debit card numbers – With your credit or debit card number, a thief could commit existing account fraud. Existing account fraud occurs when a criminal uses your financial account information to rack up debt in your name.
If you are at risk of existing account fraud, check your statement online on a daily basis, and look for transactions you did not make. In some cases, the breached financial institution will cancel your card on its own and issue you a new one. If the exposed data includes debit card numbers, you should immediately request that the card be cancelled.
- Names and email addresses – Even though this information may seem harmless, if it is leaked you may become the target of spear phishing. Spear phishing is when a criminal sends you an email that sounds and looks like it’s from a company you have an existing relationship with. For example, a spear-phishing message might address you by name. A message may look something like this: “Hello Ms. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website [URL provided] and update your security settings.” The email will try to convince you to “bite” on the bait and go to that website, and then divulge other information like your Social Security number and credit card number. Identity theft could then result.
To protect yourself from spear-phishing attacks, never enter your personal information into a website after following a link from an email. Always go to the company website on your own or call the company to confirm the email’s legitimacy.
Often, the breached company will offer affected customers a free credit monitoring service. We recommend that you accept this offer, but be sure to mark the date the coverage is scheduled to end. If you decide not to continue once the free period expires, call the company and confirm that you no longer want the service. Otherwise, you could end up being charged for the service after the free subscription period has ended.