Data Breach Advice


Did you recently get a notice that says your personal information was exposed in a data breach? Did you lose your wallet? Or learn that an online account was hacked? Depending on what information was lost, there are steps you can take to help protect yourself from identity theft.

  • Be extra careful about emails and attachments. Avoid clicking on links or downloading attachments from suspicious emails that claim to be updates from any company connected to a data breach.
  • Use two-factor authentication. Two-factor authentication (2FA) adds a second level of authentication to an account log-in. When you have to enter only your username and one password, that's considered single-factor authentication. 2FA requires the user to have two out of three types of credentials before being able to access an account.
  • File your taxes promptly. While thieves may use stolen information to create fraudulent bank accounts, they may also use it to file fraudulent tax returns. File your taxes as soon as you have the tax information you need and respond promptly to letters sent to you by the IRS. Note that the IRS will never communicate with you via email, so watch out for this type of fraud and don’t open emails purporting to be from the IRS.
  • Check your credit card accounts often. Reviewing your recent account activity is fundamental to credit card safety—and it’s easy. You can do it online or by phone. If your credit card issuer offers email or text alerts about unusual activity, sign up to receive them.
  • Monitor credit reports.  Check your credit report for any accounts that crooks may have opened in your name. Credit reports are available for free, from each of the three national credit reporting agencies — Equifax, Experian and TransUnion — every 12 months from Some monitoring services and credit card companies now allow you unlimited access to credit information, so you could theoretically check every day. 
  • Order specialty free reports outside of the big three credit reporting agencies.  Specialty reporting companies may disclose information that can help prevent fraudulent accounts and other identity theft crimes:

    LexisNexis Full File Disclosure. It’s one of the more comprehensive databases out there, containing all the information LexisNexis gathers to create its various reports about you. And, like credit reports, you can order one free copy per year. Please visit:

    Complete List: For a complete list, please visit the Consumer Protection Financial Bureau at:

    What to do if you suspect credit card fraud. Call the bank or financial institution that issued your card immediately. Your issuer may want to cancel your current card and issue you a new one. Check with your issuer to verify that your mailing address has not been changed.

    If you still have your card but fraudulent purchases have been made, call your issuer to report the fraud and request a new card. Also, contact the credit bureaus to let them know that fraud has occurred. A "Fraud Alert" message will be placed on your file. You should also request a copy of your credit report and review it carefully.

The following information explains how to protect against potential data breaches.

For Consumers:

  1. CONSIDER ANOTHER WAY TO PAY - Try newer ways to pay, such as PayPal or Apple Pay. Any technology that keeps your credit card out of your hand in a store is safer. Those services store your credit card information, and it is not given to the retailer when you make a payment. Stored-value cards or apps, such as the ones used at coffee chains Starbucks and Dunkin Donuts, are also a safer bet, because they don't expose credit card information at the register.
  2. SIGN IT, DON'T PIN IT - If you're planning on paying with a debit card, sign for your purchase instead of typing in your personal identification number at the cash register. You can do this by asking the cashier to process the card as a credit card or select credit card on the display. Not entering your PIN into a keypad will help reduce the chances of a hacker stealing that number too. Crooks can do more damage with your PIN, possibly printing a copy of the card and taking money out of an ATM. 
  3. BEWARE OF EMAIL SCAMMERS - After big data breaches are exposed and get a lot of media attention, scammers come out of the woodwork looking to steal personal information. Some emails may mention the latest breach or offer free credit monitoring, but you should never click on the links. Many are for fake sites that try to steal personal information or passwords.
  4. KEEP UP WITH CREDIT CARD ACTIVITY - Review credit card activity often for any unauthorized charges. And keep an eye out for smaller charges. Thieves will charge smaller amounts to test whether you notice and then charge a larger amount later. They may also steal a small amount from millions of accounts, scoring a big payday. Also, take advantage of the many alert features that credit card companies offer today.
  5. MONITOR CREDIT REPORTS - Check your credit report for any accounts that crooks may have opened in your name. Credit reports are available for free, from each of the three national credit reporting agencies — Equifax, Experian and TransUnion — every 12 months from  Some monitoring services and credit card companies now allow you unlimited access to credit information, so you could theoretically check every day.

For Small Businesses:

  1. Keep Only What You Need.  Reduce the volume of information you collect and retain to only what is necessary. Minimize the places you store personal data. Know what you keep and where you keep it.
  2. Destroy Before Disposal.  Cross-cut shred paper files before disposing of private information. Also destroy CDs, DVDs and other portable media. Deleting files or reformatting hard drives does not erase data. Instead, use software designed to permanently wipe the drive, or physically destroy it.
  3. Safeguard Data.  Lock physical records in a secure location. Restrict access to employees who need to retrieve private data. Conduct employee background checks and never give access to temporary employees or vendors.
  4. Safeguard Data Privacy.  Employees must understand that your privacy policy is a pledge to your customers that you will protect their information. Data should only be used in ways that will keep customer identity and the confidentiality of information secure. Of course, your employees and organizations must conform to all applicable laws and regulations.
  5. Update Procedures.  Do not use Social Security numbers as employee ID or client account numbers. If you do so, develop another ID system now.
  6. Establish Password Management.  A password policy should be established for all employees or temporary workers who will access corporate resources. In general, password complexity should be established according to the job functions and data security requirements. Passwords should never be shared.
  7. Secure All Computers.  Implement password protection and require re-logon after a period of inactivity. Train employees to never leave laptops or PDAs unattended. Restrict tele-working to company-owned computers and require use of robust passwords that are changed regularly.
  8. Control Use of Computers.  Restrict employee use of computers to business. Don't permit use of file sharing peer-to-peer websites. Block access to inappropriate websites and prohibit use of unapproved software.
  9. Keep Security Software Up-To-Date.  Keep security patches for your computers up to date. Use firewalls, anti-virus and anti-spyware software; update virus and spyware definitions daily.
  10. Encrypt Data Transmission.  Mandate encryption of all data transmissions. Avoid using Wi-Fi networks; they may permit interception of data.
  11. Manage Use of Portable Media.  Portable media, such as DVDs, CDs and USB "flash drives," are more susceptible to loss or theft. Allow only encrypted data to be downloaded to portable storage devices.
  12. Establish an Approval Process for Employee-Owned Mobile Devices.  With the increased capabilities of consumer devices, such as smart phones and tablets, it has become easy to interconnect these devices to company applications and infrastructure. Use of these devices to interconnect to company email, calendaring and other services can blur the lines between company controls and consumer controls. Employees who request and are approved to have access to company information via their personal devices should understand and accept the limitations and controls imposed.
  13. Govern Internet Usage.  Most people use the internet without a thought to the harm that can ensue. Employee misuse of the internet can place your company in an awkward, or even illegal, position. Establishing limits on employee internet usage in the workplace may help avoid these situations. Every organization should decide how employees can and should access the web. You want employees to be productive, and this may be the main concern for limiting internet usage, but security concerns should also dictate how internet guidelines are formulated.
  14. Manage Email Usage.  Many data breaches are a result of employee misuse of email that can result in the loss or theft of data and the accidental downloading of viruses or other malware. Clear standards should be established regarding use of emails, message content, encryption and file retention.
  15. Govern Social Media.  All users of social media need to be aware of the risks associated with social media networking. A strong social media policy is crucial for any business that seeks to use social networking to promote its activities and communicate with its customers. Active governance can help ensure employees speak within the parameters set by their company and follow data privacy best practices.
  16. Oversee Software Copyright and Licensing.  There are many good reasons for employees to comply with software copyright and licensing agreements. Organizations are obliged to adhere to the terms of software usage agreements and employees should be made aware of any usage restrictions. Also, employees should not download and use software that has not been reviewed and approved by the company.
  17. Report Security Incidents.  A procedure should be in place for employees or contractors to report malware in the event it is inadvertently imported. All employees should know how to report incidents of malware and what steps to take to help mitigate damage.

How Data Breaches Occur 

  • Lost or stolen laptops, computers or other computer storage devices
  • Backup tapes lost in transit because they were not sent either electronically or with a qualified human escort
  • Hackers breaking into systems
  • Employees stealing information or allowing access to information
  • Information bought by a fake business
  • Poor business practices - for example, sending postcards with Social Security numbers on them
  • Internal security failures
  • Viruses, Trojan Horses and computer security loopholes
  • Information tossed into dumpsters - improper disposition of information  

What information was lost or exposed?

  • If a company responsible for exposing your information offers you free credit monitoring, take advantage of it.
  • Get your free credit reports from . Check for any accounts or charges you don’t recognize.
  • Consider placing a credit freeze. A credit freeze makes it harder for someone to open a new account in your name.
    • If you place a freeze, be ready to take a few extra steps the next time you apply for a new credit card or cell phone – or any service that requires a credit check.
    • If you decide not to place a credit freeze, at least consider placing a fraud alert.
  • Try to file your taxes early — before a scammer can. Tax identity theft happens when someone uses your Social Security number to get a tax refund or a job. Respond right away to letters from the IRS.
  • Don’t believe anyone who calls and says you’ll be arrested unless you pay for taxes or debt — even if they have part or all of your Social Security number, or they say they’re from the IRS.
  • Continue to check your credit reports at . You can order a free report from each of the three credit reporting companies once a year.
  • Log in to that account and change your password. If possible, also change your username.
    • If you can’t log in, contact the company. Ask them how you can recover or shut down the account.
  • If you use the same password anywhere else, change that, too.
  • Is it a financial site, or is your credit card number stored? Check your account for any charges that you don’t recognize.
  • Contact your bank or credit card company to cancel your card and request a new one.
  • Review your transactions regularly. Make sure no one misused your card.
    • If you find fraudulent charges, call the fraud department and get them removed.
  • If you have automatic payments set up, update them with your new card number.
  • Check your credit report at .
  • Contact your bank to close the account and open a new one.
  • Review your transactions regularly to make sure no one misused your account.
    • If you find fraudulent charges or withdrawals, call the fraud department and get them removed.
  • If you have automatic payments set up, update them with your new bank account information.
  • Check your credit report at .
  • Contact your nearest motor vehicles branch to report a lost or stolen driver’s license. The state might flag your license number in case someone else tries to use it, or they might suggest that you apply for a duplicate.
  • Check your credit report at .
  • Request a credit freeze for your child — if this service is available in your state. A credit freeze will make it difficult for someone to use your child’s information to open accounts. To place a freeze, follow the specific instructions for each credit bureau:
    • Equifax
    • Experian
    • TransUnion
  • No matter what state you live in, you can check to see if your child has a credit report. Each bureau has specific instructions for these requests:
    • Equifax
    • Experian
    • TransUnion
  • If a credit bureau has a credit report for your child, the credit bureau will send you a copy of the report. Use the instructions provided with the credit report to remove fraudulent accounts.
  • Review the FTC's information on Child Identity Theft.