3 Steps to Take After Your Personal Information is Compromised
July 13, 2015
On the TechRoots blog, we consistently report on data breaches very similar to the latest update on the OPM breach that went undetected for almost a year and compromised over 21 million individual records. We were going to push out another report yet again but thought, what for? These attacks, while the exploitation methods may be different, all lead to the same result of a bunch of people being notified that their Social Security Numbers, financial data, email addresses and other personally identifiable information (PII) may be in the hands of hackers.
What Do I Do?
This is the question most people will ask themselves when they first receive notice that their PII is no longer private, but in the hands of a hacker who will most likely sell it off to be even further exploited. It is a question that is never clearly answered in the notice that amounts to "we screwed up and you lost your data because of it."
What do I do?
Step 1: Ensure the breach notice is real
You are already stressed about the fact that information has supposedly been stolen, but don’t let your initial emotions take control. Call the number on the letter or click the contact link in the email. Unfortunately, criminals even take advantage of other criminals’ work and will often send phishing emails once a breach is reported to try to steal information that may or may not have been a part of the original compromise. The best advice is to go to the company’s official website and search for a notice of the breach. This will disclose the type of information that was in fact stolen and provide resources to potential victims.
Being cautious of all email links, especially those from financial institutions that do hold your PII, is just good practice and should be followed regularly if you’re not already doing it.
Step 2: Figure out what information was stolen
Reference the company’s website and official press release describing the breach to figure out exactly what types of data were compromised. Types typically include:
- Email address
- Social Security Number
- Credit or Debit cards
However, in the event of the OPM breach, we saw data related to educational history, employment history, addresses, relatives, and even past emotional disorders and drug abuse exposed.
Step 3: Take the necessary precautions for each data type compromised
Now that you know exactly what was taken, start making changes to prevent anyone from successfully leveraging your PII to their advantage.
If your password was compromised in the breach, then change your password. Hopefully you practice good cyber security and don’t use the same password for other accounts, but if that isn’t the case then go update your password for all the other sites it is used on as well.
If your email was compromised, practice the same caution described above when opening messages. Only open and click links in email that you know to be from legitimate sources. It’s always safer to verify the message with the sender using a different communication channel (different email message/address, phone, video chat, etc.).
Social Security Number (SSN)
If your SSN was compromised, notify one of the three reporting agencies, Equifax, Experian or TransUnion (by law contacting one will require that company to reach out to the other two), and issue a fraud alert on your credit so that if someone were to try to have credit issued under your SSN, the process of verifying your PII will be more stringent.
Setting up credit monitoring is another good tip for handling an SSN theft, and sometimes, if the breach is substantial (as was the case with OPM), the organization may offer to pay for credit monitoring for those affected for a set period of time. Credit monitoring alerts you to suspicious activity a lot faster than if you were to monitor transactions yourself.
Credit and Debit Cards
Legally speaking, you would not be liable for any of the charges, so you could simply monitor your transactions and report any suspicious activity. However, we prefer to stay on the safe side and recommend getting new cards/PINs completely. This provides a little extra peace of mind and won’t require constant vigilance over your credit and debit card transactions.
The Other Data Types
There are many actions you can take when a credit card number or a password is stolen, but when it’s data regarding your educational history and medical records, sadly there isn’t much you can do other than wait and see. The good news for education is that for most people this information is already widely available through LinkedIn.
Medical records go for significantly more money on the black market because they can be leveraged to build a solid fake identity. Unlike a stolen credit card, a person simply can’t call and cancel their medical history. The other real downfall of a medical data breach is that it often goes undetected for long periods of time and is usually not identified until someone uses stolen medical information for fraudulent billing. Once those bills go to collections, then the victim is notified of the high charges.
If other people you know are affected, you can walk them through the steps above so they can remain vigilant about their PII and thwart potential uses of it. Especially if the relatives affected are minors, ensure that a fraud alert is set up for their Social Security Numbers. Using the SSNs of children is popular among identity thieves because the misuse often goes unnoticed for several years.
Have You Ever Been the Victim of a Data Breach?
If you have ever had your identity stolen as a result of a data breach we would love to know your tips on how to deal. Reach out in the comments below with your suggestions!