What to do if your data is part of a major breach

By Michael Lloyd

You pay for goods and services daily with the knowledge that the company you're paying is likely storing some of your information somewhere, but you may not have considered that it might not be safe -- until it wasn't.

In many cases, the information obtained in cyberattacks and data leaks won't contain enough detail to allow hackers direct access to your bank or credit card accounts. Most companies store account information in redacted form in their databases, blanking out key portions of customers' card and account numbers. However, cybercriminals will look to use the information they steal in other ways.

For instance, much of the data accessed in these types of attacks and leaks makes its way into marketplaces on the so-called dark web, meaning you can't just Google them. But fraudsters looking to target vulnerable people know how to find these marketplaces, and they go there to shop for data.

If you suspect your personal details may have been accessed in a breach, you'll need to take action to protect yourself.

1. Inform your bank or credit card issuer.
If you suspect any of your banking or credit card information may have been accessed in a cyberattack or leak, contact your bank or card issuer.

"Pre-emptive action is important," Simon Dukes, chief executive of fraud prevention service Cifas, said in an emailed response to questions. "If you are a victim of a data breach then you should tell your bank or card issuers that your details have been compromised."

They may decide to monitor your accounts for suspicious activity. Doing this may also work in your favour if anyone accesses your accounts fraudulently, as you'll be able to say you've taken steps to protect yourself, letting you off the hook for liability.

2. Be on the alert for vishing and phishing attacks.
Scammers are increasingly using hacked data in vishing attacks, in which they call potential victims and pretend to be from the compromised company. These vishers are convincing, and often gain information that allows them access to victims' bank or credit card accounts. Alternatively, thieves may persuade targets to grant remote access to their computer, exposing online banking facilities and other valuable personal information.

Never grant remote access to any of your devices or disclose your PIN, online passwords or card details to a cold caller, regardless of how much information they seem to have about you or your relationship with the company from which they claim to be calling.  

"Fraudsters can sound very plausible in the wake of a breach, but it's important to understand that no legitimate organisation will ever ask you to do this," Dukes said. "Also, if you willingly divulge information or transfer money to a fraudster, then you may be liable for losses that occur as a result. Be alert, be cautious, be prepared. And if you have elderly or vulnerable friends or relatives who have been affected by a data breach, make sure they are prepared, too."

Hackers might also send you emails or text messages (called phishing and smishing, respectively) that purport to be from the hacked company, asking you to click a link and update your personal information. Cybercriminals can then use the details you enter -- along with any other information they already have about you -- to access your accounts. Clicking links may also download malware onto your device, which criminals can use to harvest your personal information.

If you receive any suspicious phone calls, emails or text messages, call the company using the number on the back of your card or on the company's official website.  

3. Change your passwords.
Move quickly to change passwords on any hacked accounts. If you use the same login details for any other accounts, change them there, too. Hackers know that many people use the same password across all their accounts, and may try to access any accounts they can.

The government's Cyber Streetwise campaign advises using three random words for your passwords. You can also choose a phrase, then use the first letter of each word in the phrase as your password. For example, "The quick brown fox jumps over the lazy dog" becomes "Tqbfjotld". Make it even more secure by adding numbers and symbols, or capitalising certain characters.

You should not be using the same password for all your accounts, so if you do, consider changing your login credentials, regardless of whether or not you suspect your data was compromised. 

4. Monitor your accounts and credit record.
In addition to keeping your own eye on your accounts for fraudulent activity, consider signing up for credit record monitoring services. These will alert you if anyone tries to make credit applications in your name, and offer some protection if hackers attempt to steal your identity. All of the credit reference agencies offer these types of services, and many companies that fall victim to a data breach will offer customers a year's worth of free credit monitoring.

5. Jump ship.
If a company you do business with has failed to keep your data safe, you might want to reconsider your relationship with it. Contact the firm in question to find out if it will allow you to terminate your contract. However, some companies may charge a fee if you terminate a contract before it's over.


Updated: 14 June 2017