What Should I Do If I Become the Victim of a Data Breach?

It happened without warning in the middle of another busy holiday shopping season.

On December 19, 2013, retail giant Target broke the news that a data breach had occurred at their stores between November 27 and December 15. Their initial estimate was that up to 40 million customer records had been compromised, pulling customer names, credit card numbers, expiration dates, card verification values, mailing addresses, and email addresses from nearly every debit and credit used at Target during the holiday shopping season.

Weeks later, they changed that estimate to 70 million.

In the wake of this debacle, Target is assuring all affected customers that they will cover any charges the identity thieves made on their payment cards. In addition, they're even giving customers free credit monitoring and identity theft protection services for a year.

The Target data breach of 2013 is only the latest of many large data breaches that have occurred in recent months, but it is a perfect illustration of how quickly, and unexpectedly, data breaches can hit you.

This article will help you understand what a data breach is, how to know if you've been a victim of a data breach, and what steps you can take if a data breach affects you.

What is a data breach?

When you first hear about a data breach in the news, you might be a little confused. What is a data breach, anyway? How does a data breach happen? Unless you're an IT professional, it might be a little difficult to understand how identity thieves could take your personal information from a company or the government just from their computers.

Wikipedia describes a data breach this way:

"A data breach is the intentional or unintentional release of secure information to an untrusted environment."

Usually, companies or government agencies keep your personal information securely stowed away in databases and computer files that can only be accessed by authorized personnel. This is where you hope your personal information will stay. But data breaches, intentional or accidental, take your personal information out of those safe, secure place and into the hands of identity thieves. Here are the most common ways they occur:

Computer Hackers

In many data breaches, Identity thieves use their computer savvy to find virtual back doors or loopholes in computer systems and grab as much information as they can before anyone notices. Often, these hackers are supported by organized crime or even governments.

Compromised Employees

Sadly, the source of a data breach is sometimes a person who actually works for the organization that's affected. A disgruntled employee might knowingly take files out of secure databases and give them to identity thieves, usually for a fee.

Clumsy Disposal

As organizations get rid of old files or equipment, they sometimes fail to remove all the important information from them prior to disposal. In these cases, dumpster-diving identity thieves sifting through the disposed items can find a treasure trove of personal information.

As you can probably tell at this point, data breaches happen largely outside of your (the customer's) reach. They happen largely between organizations and identity thieves. So what is an ordinary customer like you to do? The best thing you can do is know how to recognize it as quickly as possible.

How do I know if I've been the victim of a data breach?

Some data breaches can take weeks for companies to discover, as in the case of the 2013 Target data breach. But you want to know if you've been a victim of a data breach as soon as possible so you can take steps to protect your accounts. Here are some signs that you want to look for:

1. You might see unauthorized transactions on your payment cards. This is the first sign that you've been a victim of a data breach. But don't expect to see huge amounts to be taken out right away. Often, identity thieves will test out your account with small amounts-small enough that you might gloss over them if you weren't paying attention-before going big. Note: this doesn't guarantee that you've been hit by a data breach-it could just be your typical identity theft. But you want to be on alert and start locking down your accounts, regardless.
2. A company that you're customer or employee of announces they've had a data breach. Keep in mind, this isn't a sure sign that you were part of the data breach, but it does mean you're at risk.
3. You're informed by the company that your personal information was part of a data breach. After the Target data breach, emails were sent out to all the affected customers giving them directions on what to do next and assure them that the company was taking steps to remedy the problem. Most companies will do the same to save face and limit the damage that has been done.

What should I do if I've become a victim of a data breach?

If these signs rear their ugly heads, you need to know how to react. The good news is, since data breaches happened under the company's or government's watch, they usually take responsibility for any losses incurred and lead the charge in fixing the problem. Of course, you still want to watch your own back to protect your accounts. Here are the best steps to take once you know you've become a data breach victim:

1. Contact the company

The party that's really in charge of figuring out how to fix a data breach is the company or government branch that suffered the data breach in the first place. Reach out to them to figure out how extensive the damage was, what they're doing to repair it, and what you should do in the meantime.

2. Get the details

In order to start safeguarding your identity following a data breach, you need to know exactly what information thieves got their hands on. You might not need to worry so much if only got your name and mailing address. If they stole your SSN and credit card information, it's time to start calling the credit bureaus and file a police report. The company that suffered the data breach should be able to tell you this vital information.

3. Change your passwords right away

If the company tells you that your stolen information was encrypted and, therefore, safe inaccessible by the identity thieves, take it with a grain of salt. If you're password was less than eight characters long or used common words, there's a really good chance that thieves have already broken in. So, instead of blindly trusting the company, cover your rear by changing your affected password immediately. Make your new password one that you haven't used previously on other accounts.

4. Let your bank and credit card companies know

There are a number of really good reasons for doing this. First, by bringing your bank and other companies into the loop, they will understand that you haven't just gone off the reservation with your finances and can lock down your account against future attacks. Second, many banks and credit card companies will actually excuse you from any financial liability caused by data breaches. We can't stress enough here how important it is to talk to your bank immediately. When dealing with identity thieves, a few minutes can be the difference between losing a dollar or losing everything in your checking account.

5. File a police report

For your protection against excessive financial liability, you need to file a report with your local police department as soon as possible. This makes your status as an identity theft victim official. It also creates an official document for you to show the credit bureaus to lock down any activity around your identity.

6. Place a fraud alert on your name

With your police report in hand, call one of the three major national credit bureaus and request that a fraud alert be placed on your name. This way, if identity thieves try to do anything under your name, they will be alerted. For your convenience, here are the names and numbers of the three major credit bureaus:

• Transunion: (800) 680-7289
• Equifax: (800) 525-6285
• Experian: (888) 397-3742

7. Consider subscribing to an identity theft protection service

Once your personal information is in the possession of identity thieves, they will continue to keep trying to use it to break into your accounts. This can keep up for months after a data breach. For this reason, you might consider subscribing to an identity theft protection service like LifeLock or Trusted ID. These services will cost you anywhere between $9 and $20 per month, but they will flag any suspicious activity that occurs on your accounts.

8. Create an identity theft affidavit with the FTC

While you already have a police report in hand, you'll also want to contact the Federal Trade Commission to build an identity theft affidavit. This affidavit will help you assemble the facts about your case-when the identity theft happened, which accounts were affected, etc.-and get them dated, signed, and notarized. This provides a credible document that you can show to credit card companies, banks, and any other companies you need to in order the fix the damage caused by a data breach.

9. Document everything

Until your name is cleared, it is imperative that you record every communication you have. If you call Transunion to place fraud alert, make a record of that call. If identity thieves make a purchase using your bank account, write down when it happen and how much it was. You might choose to use a contact log or a calendar to accomplish this.

Fortunately, while a data breach is not your fault, it's good to know that companies will usually do all they can to minimize the damage to you and that there are steps you can take to protect your accounts. By acting immediately after, you can minimize or eliminate the negative impact of a data breach on your life.