In September 2018, Facebook found itself on the receiving end of international outrage. Hackers had gained access to the confidential information of about 50 million of the social media behemoth’s users. The news broke less than six months after Facebook CEO Mark Zuckerberg was questioned before congressional committees over a controversial data-sharing incident. The negative publicity saw the company’s shares tank and new user signups decline in some of its key markets.
It was certainly a problem the company could have done without. But while the data breach was bad news for the business, it was certainly worse for the users whose personal information was disclosed. Typically, news coverage of data breaches focuses on the affected organization. The what, how, and why of the incident all center on the business. Yet, it’s the users whose privacy and security are at stake. So, what should you do if you find out that your personal information was exposed by a breach?
1. Confirm that your data was indeed exposed
Thanks to privacy regulations in some key jurisdictions, organizations are often required to notify affected customers as soon as possible after a breach occurs. Sometimes though, news of the breach first appears in hacker forums and then spreads to news sites before the enterprise has managed to put together the appropriate communication to its customers. More than a quarter of respondents in a RAND survey learned of a data breach (that potentially affected them) from the media. Fewer than 60 percent were actually informed by the company directly.
If you learn of a data breach affecting an organization with which you have shared your personal data, the first thing to do is confirm you were affected. Get in touch with the institution. Preferably, engage with your regular point of contact at the company. This confirmation is important because a false data breach warning is the premise of many phishing scams. Fraudsters could send out a fraudulent warning and require you to share your password under the pretext of restoring your account’s integrity.
2. Determine what data was exposed
Your course of action after a breach depends on the nature of the data that was stolen. All personal information isn’t created equal. A criminal can do much more damage with your Social Security number than they can with your phone number. You, therefore, have to have a clear picture of what was exposed so you can take appropriate mitigating action.
Categorize the lost data into tiers of importance such as low risk, medium risk, and high risk. Low-risk information would include your name, phone number, and residential address. This data may be useful in the hands of nosy neighbors and pestering telemarketers but isn’t of sufficient value to cause more substantial problems.
Medium-risk data comprises card numbers (credit or debit), dates of birth, and email addresses. These can be formidable weapons in the hands of an identity thief intent on phishing and fraud. High-risk data should attract the greatest attention. It includes Social Security numbers, enterprise application passwords, bank account numbers, credit card CVV security codes, passport numbers, and more. Cybercriminals can leverage this information to hijack an account, fraudulently shop for items online, and move cash.
The Social Security number is arguably the most sensitive of all since it’s extremely difficult to get a new number if the old one is captured by cybercriminals.
3. Ask for and accept help from the affected company
Once a data breach occurs, the reputation of the affected organization is on the line. Amid the sea of bad publicity that follows, the business has to go out of its way to minimize the damage to the brand and restore customer confidence. That’s why in the aftermath, the organization will almost always offer to assist affected users in various ways to reduce the likelihood of fraud.
Before you set out to fight your battles alone, find out if there’s some free assistance from the breached company. The help could take numerous forms including identity theft protection, credit file monitoring, account blocking, and information security training. Often, these are things that could take significant time and even money to do on your own.
So, take advantage of this aid so you can concentrate on the remedial actions you have to take on your own.
4. Change all affected and at-risk passwords
If your log-in credentials have been compromised, change your password immediately. In case you use the same password on other applications and websites, change these as well. Create new and strong passwords (see password management best practices).
Going forward, don’t use the same password on more than one account. That’ll reduce the risk if you ever find yourself in a similar predicament. One of the main reasons people use the same password everywhere is the difficulty of remembering multiple different passwords. A password manager would come in handy in this regard. With a password manager, you only have to remember one password while the manager does the rest. Of course, the downside is that if that one password falls into the wrong hands, so do all the accounts you manage with it.
If any system you use has a provision for two-factor authentication as an additional layer of account security, use it. Anyone who gains access to your user ID and password will still not be able to sign in since they won’t have the auto-generated token sent to your mobile phone.
5. Get in touch with relevant financial service providers
Often, the greatest concern following a data breach is the risk of financial fraud. Even if cybercriminals didn’t steal your bank account or credit card number, it’s always prudent to assume the worst. Someone could try to use the information they gathered to transact on your credit card or bank account. Therefore, get in touch with your bank and credit card issuer as soon as you can. Notifying the bank is crucial as it determines whether your liability will be limited if the card is used fraudulently.
Don’t just contact them via email or social media as there’s usually a significant lag before you get a response. You should call and speak to an actual person where you can explain the issue and confirm that the appropriate action has been applied to your account. Financial service providers understand the danger and will be cooperative in canceling your card or tracking your bank account for unusual activity.
Card thieves have a relatively predictable MO and will want to exhaust a credit card limit in a couple of hours. They’ll target the weekend as that’s when banks are understaffed and therefore less equipped to pick up a suspicious transaction or act on a customer call to block the card.
6. Obtain a credit freeze
Get in touch with credit reporting bureaus and have them place a credit freeze on your name. That makes it harder for anyone who has stolen your financial credentials to open a financial account in your name. A freeze prevents anyone you haven’t previously transacted with from checking your credit score or opening an account with your name. You’ll also be notified if someone tries looking up your credit report.
In the United States, credit alerts or fraud alerts are free and renewable annually. Nevertheless, you want to get rid of a credit freeze as soon as it’s reasonably safe to do so. A freeze comes with unintended consequences such as complicating the process of applying for a mortgage or credit card, or switching television or cable providers.
What if fraud and identity theft do occur despite data breach remedial actions?
The measures we’ve outlined here will help you prevent fraud and identity theft. Nevertheless, despite your best efforts, fraud or identity theft could still occur. If that happens, you should immediately file a report with local law enforcement. This is crucial as it will be the basis for any dispute you raise in the future around the fraud. Depending on where you are, governments and regulators may also require you to file an identity theft report. Overall, make sure you document whatever corrective action you take as you may need the evidence in future.