
‘The worst thing you can do’ after a data breach, according to a cybersecurity expert

When you get an email or see a headline telling you there has been a data breach at a company you do business with, the natural instinct may be to roll your eyes and go about your day.

In the first half of 2024, more than a billion people saw their information leaked online as the result of a data breach, according to the Identity Theft Resource Center — a nearly 500% increase from the same period in 2023.

So if you feel like recent high-profile breaches at Ticketmaster and AT&T are drops in a very large bucket, no one would blame you. In fact, cybersecurity experts have a name for it: "breach fatigue."

"People might say, 'Oh, here's another one and stick it in the drawer and don't do anything,'" says Michael Bruemmer, head of global data breach resolution at Experian. "That's the worst thing you can do."

Following a breach, depending on which information was compromised, you may find yourself on the receiving end of targeted scams or picking up the pieces after identity thieves open lines of credit in your name. Here's how to protect yourself, and what to do if you're part of a breach.

Practice good online hygiene

Unless you're somehow operating off the grid, the odds are very high that a good chunk of your information is floating around on the web, cybersecurity experts say.

"I operate under the assumption that pretty much all my information is out there. And that's a pretty reasonable assumption," says Ed Skoudis, president at SANS Technology Institute.

Nevertheless, the more information that fraudsters can piece together about you, the higher risk you run of falling victim to scams and identity theft. Should a bad actor get ahold of your email address and password during a data breach, for instance, things can spiral further out of control, Skoudis says.

"If you have the same password anywhere else, they can log in there as well," he says. "If they compromised your health-care provider, they can use more targeted attacks because now they know symptoms or diseases you suffer from. If it's a news site, now they know about your politics and what you like to read."

To keep your information as private as possible, practice these online hygiene tips from cybersecurity experts.

1. Use a password manager

Put the days of remembering a slew of passwords behind you, and sign up for a service that does it for you.

"A password manager is a really good thing," says Bruemmer. "You can store all your passwords in one spot with only having to remember one master password. And it also creates unique and complex passwords that you don't have to remember, automatically."

2. Avoid links from strangers

If you receive an email from someone not in your address book or a text from an unfamiliar number, avoid clicking on any link therein, says Bruemmer. If they claim to be representing a business, such as a package delivery service, navigate directly to that business' website.

Don't pick up for unfamiliar callers, either. Even if you hang up right away, you've alerted would-be fraudsters that yours is a working number. "It only takes a 10-second voice-print for them to be able to clone your voice and be able to deepfake that," says Bruemmer.

3. Skip QR codes when possible

It's as good a reason as any to ask for a paper menu, says Bruemmer. "No human being can tell a good QR code from one that's going to hack into your phone and install malware."

4. Always use credit online

If a fraudster gets hold of your payment credentials, you'll have a much easier time if you paid with a credit card, which comes with better fraud protections than your debit card.

"If it's a debit card, they can empty my account. And I got nothing," says Skoudis. "I can say, 'This is a fraudulent thing.' But I don't have the money until that whole fraud investigation is finished."

What to do in case of a breach

Even if you're careful, you still may receive word that a company you do business with has lost your information to hackers.

Here's what to do if and when that happens.

1. Don't bury your head in the sand

It's important to know what information of yours is out there. If you receive a notice of a breach in the mail or via email, it's essential to read it, says Bruemmer.

"It will tell you what happened, why it happened and how to protect yourself," he says.

2. Change your passwords

If you don't have a password manager yet, be sure to change your password for the site where the breach occurred and for any other site where you might use the same password. Enter your email address at HaveIBeenPwned.com to see where your personal information may have been compromised.

3. Be vigilant

Following a breach, monitor your credit card statements for any fishy charges, even if the process seems tedious, says Skoudis. "Reviewing your financial statements sucks, but it's just one of those things we adults have to do."

Keep an eye on your credit score, too. Big changes in your score, available through many online bank and credit accounts, could indicate fraudulent financial activity, Skoudis says.

You'd also be wise to regularly request copies of your credit reports from Equifax, Experian and TransUnion. You can contact one of the agencies and ask that a free fraud alert be placed on your account.

4. Act quickly

If you do see something alarming on your credit history, like a new credit line in your name, time is of the essence, says Bruemmer.

"The most important thing is reaching out to the credit bureau and saying, 'Hey, I've seen this activity,'" he says. "And then let that fraud resolution agent guide you through the steps to be able to dispute that particular inquiry or new line of credit."

You'd also be wise to report any suspected identity theft to the Federal Trade Commission and to your local police department, who will issue you a police report.

"If you have any lost wages, you may have to make an insurance claim," says Bruemmer. "Whether it's identity theft protection or insurance, having that police report gives you the freedom to be able to say this is what happened and why it happened, and you're covered."

Copyright CNBC