Data Breaches: Why You Should Care and What You Should Do

22.4 Million Sensitive Records Breached So Far this Year
Was Yours among Them?

Have you been hearing the term “data breach” in the news a lot recently? That’s because there has been a string of sensational breaches from corporate giants like Sony, Epsilon, Citigroup, and Lockheed Martin. A data breach is when a company inadvertently leaks your personal information as a result of a hack attack, lost or stolen computers, fraud, insider theft, and more.

Tracking the Breaches

Privacy Rights Clearinghouse has been tracking breaches since 2005 and publishes a Chronology of Data Breaches. The Chronology counts the number of records leaked that contain information useful to identity thieves, such as Social Security numbers, financial account numbers, driver’s license numbers – and in some states, medical information. So far in 2011, we’ve tracked 275 breaches involving 22.4 million sensitive records. The actual total is much higher, because for many breaches the number of records exposed is unknown. To learn more about our Chronology, read our FAQ.

What’s the Big Deal?

The risk with a data breach is that your personal information will get into the hands of the bad guys. Companies may give you a false sense of security by reporting that there was “no evidence of harm” as a result of a breach, but how do you know today’s breach is not connected to tomorrow’s identity theft? When your data is stolen from a company, there’s a good chance thieves will sell it on online criminal forums. It’s virtually impossible to follow the bread crumbs. What we do know from a 2009 Javelin study is that you are four times more likely to suffer identity theft if you’ve been the victim of a data breach.


What to Do if a Data Breach Happens to You

If you receive a letter or email informing you of a data breach, or read a news story about a company you do business with, read PRC’s Fact Sheet 17b: How to Deal with a Security Breach. The following is an overview of what Fact Sheet 17b covers.

There are three possible outcomes, depending on the type of information that was leaked:

  1. Social Security numbers – In breaches where Social Security numbers are exposed, new account fraud is possible. New account fraud is when a criminal uses your Social Security number to open a line of credit and goes on a spending spree.

    To protect yourself from new account fraud, we recommend you monitor your credit reports regularly and consider a security freeze. Read this PDF to learn how to freeze your credit files.

  2. Credit and debit card numbers – With your credit or debit card number, a thief could commit existing account fraud. Existing account fraud is when a criminal uses your financial account information to rack up debt in your name.

    If you are at risk of existing account fraud, check your statement online on a daily basis, and look for transactions you did not make. Consider closing your account entirely. In some cases, the breached financial institution will cancel your card on its own and issue you a new one.

    On a related note, we strongly recommend that you do not use debit cards at all. If you are a victim of fraud involving your debit card, your checking account could be wiped out. The bank is likely to replenish the funds, but not until it conducts an investigation, which could take several weeks. To learn more, read PRC’s Fact Sheet 32: Paper or Plastic: What Have You Got to Lose?

  3. Names and email addresses – With this seemingly innocuous information, you may fall prey to spear phishing. Spear phishing is when a criminal sends you an email that sounds and looks like it’s from a company you have an account with because it addresses you by name. A spear-phishing message might say, for example, “Hello Mr. Anderson, Because of the recent hacking incident affecting some Acme customers, we are asking you to visit this website [URL provided] and update your security settings.” The email will try to convince you to “bite” on the bait and go to that website, and then divulge other information like your Social Security number and credit card number. Identity theft could then result.

    To protect yourself from spear-phishing attacks, never enter your personal information into a website after following a link from an email. Always go to the company website on your own or call the company to confirm the email’s legitimacy.

Often, the company that was breached will offer affected customers a free credit monitoring service. We recommend that you accept this offer, but be sure to mark the date the coverage is scheduled to end. If you decide not to continue once the free period expires, call the company and confirm that you no longer want the service. Otherwise, you could end up being charged for the service after the free subscription period has ended. We explain the low-cost alternatives to monitoring services in PRC’s Fact Sheet 33: Identity Theft Monitoring Services.