Another Day, Another Security Breach: If You’re a Victim


By Gille Ann Rabbin, Esq., CIPP/US

Data security breaches occur all the time. Yahoo, Marriott, Equifax, Target, Sony, Heartland, Uber—and these are just the giant ones that make the headlines.

A breach typically occurs when digitally-held personal information like your credit card number, Social Security number, financial account or medical record is exposed. This can happen through loss or theft of a computer or flash drive, through hacking, or unintentionally, for example when a business sends an email intended for you to somebody else. A breach may result in criminals using your information to commit identity theft or selling it to other criminals on the dark web.

Last week, the media reported that Israeli security researchers discovered an unprotected database online containing personal data for over 80 million households. The victims are generally over 40 years old. The researchers have no idea who owns the database, and report it is “a goldmine for identity thieves” and other criminals, including those who want to target older, vulnerable people for phishing and other scams.

Some breaches are worse than others. The fact that millions of records have been breached does not, by itself, make the breach bad. What matters is the risk of identity theft the breach poses for victims.

State and federal laws require entities to notify breach victims by email, U.S. mail, telephone, or in certain circumstances, through the media. If you receive a breach notification, it is important to do what you can to protect yourself from further victimization.

A notice should state when the breach occurred and what data was affected, and provide contact information. Read the notice; verify that it is not a scam by checking its contact information against that of the breaching entity. If you have questions, contact the entity by a phone call you make or through its website by typing its URL into your browser. Don’t provide information to a caller claiming to be from the breaching entity, or in response to an email (or a link within it) purportedly from the breaching entity. These could be fraudulent.

It’s important to ascertain what the breaching entity is doing to help breach victims reduce the risk of identity theft. If free credit monitoring services are offered, strongly consider signing up. Credit monitoring can often pick up early signs of identity theft, allowing you to stop it sooner.

You should also close affected password-protected and financial accounts (bank, credit, debit cards) and set up new ones. If you get an email from any source, including the breaching entity, requesting additional information about a compromised account or card, don’t reply. This could be a scam.

While many breaches don’t result in fraud, look out for signs of criminal activity. Check your credit card, bank, monthly bills or other financial statements regularly for transactions you did not make. Report signs of fraud to the financial institution. 

The law entitles you to a free annual credit report from each of the Big Three credit reporting agencies (Experian, Equifax, TransUnion). That’s one free report every four months. Check it and follow up on inaccuracies.

Finally, consider placing a Fraud Alert or Security Freeze on your credit report. These can make it more difficult or impossible for a criminal to commit identity theft with your breached information.