What Do I Do After a Data Breach?
As the world continues to complete more tasks, consume entertainment, and shop online, data breaches, in which your personal information is compromised, are becoming more and more common. If you're one of the millions of people who have had their information stolen in the dozens of breaches over the past few years, it's important to understand what was taken and how you can help protect yourself from further attacks against your identity.
What is a data breach?
A data breach is a security incident in which your personal information, which could include everything from your name and email address to your credit card number or Social Insurance Number, is stolen by cybercriminals. Cybercrime is a profitable industry for hackers seeking your identifiable information to sell on the dark web, compromise personal identities, or steal money. To that end, corporations and businesses are attractive targets for hackers because they can go after large amounts of data at a time. Learn more about identity theft here, and what you can do to combat it.
Types of information that could be stolen during a data breach
Per Canada’s federal private-sector privacy law, in the event of a data breach you will be informed of what has been stolen. The type of information that has been compromised falls into three categories, ranging from least to most sensitive.
1. Least sensitive
Your name and address
These are pretty easy to find regardless of a breach (remember flipping through a phone book to mail holiday cards and such?), and they will be predominantly used for sending unsolicited marketing emails and other nuisances.
2. Moderately sensitive
Email addresses, birth date, and card numbers such as the ones that can be found on your credit and debit cards
Stolen email addresses can warrant more spam and unsolicited marketing emails that can clog up your inbox. Stolen card numbers can result in fraudulent charges, but you’re generally protected by your credit card company and usually won't have to pay reported fraudulent charges. Your birth date can be used to verify your identity online because it never changes, and when coupled with additional information, could be dangerous if used by hackers. Learn more about how to protect yourself while online shopping here.
3. Most sensitive
Your Social Insurance Number, passwords to online accounts, financial account numbers, and payment card security codes that are generally found on the back of your card
If a hacker has your Social Insurance Number, they can pose as you, and you should immediately place a fraud alert on your Equifax credit file by calling 1-800-465-7166. Learn more about how to place a Fraud Alert here.
Access to passwords for online accounts, combined with your email address, can allow hackers to assume your identity and enter your accounts. Financial account numbers will allow the hacker to see your financial information and history and move money into an account, but usually not out of any accounts. If a hacker has access to your card security code, they can go shopping with your card online or over the phone.
What to do if your account is compromised
Least sensitive — change your password
If you’re notified that one of your online accounts has been compromised, change your password immediately. If you have the same password for multiple accounts, change those as well and make new, unique, and stronger passwords.
And, opt into two-factor authentication if offered — that way, even if the cybercriminal has your password, they'll be unable to log in without the code that was texted to your personal phone. Learn more about how to protect your personal information online here.
If you have difficulty remembering all of these unique passwords for various accounts, consider using a password manager that holds the passwords to all your accounts, so you only have to remember one. The downside is that if your password manager is compromised, so are all of the accounts you use it for.
Moderately sensitive — notify your bank
If your card payment numbers have been stolen, notify the bank or company that issued the card immediately. Speak to a representative and explain that your card is at risk of fraud, and ask them to alert you of any suspicious activity on your account. You will most likely be issued a new card right away, and your old one will be cancelled. Learn more about what to do if your credit or debit card is lost or compromised.
Most sensitive — notify Equifax and TransUnion
Notify a credit reporting bureau (Equifax and TransUnion) that your credit has been compromised and issue a fraud alert. The difference between an Identity Alert and Fraud Warning is that a Fraud Warning is only available for confirmed victims of fraud or identity theft. A Fraud Warning will add a statement to your credit report for the next six years, encouraging lenders to call you before extending credit. A Fraud Warning must be placed through our Call Centre at 1-800-465-7166. Please have your SIN, address, and date of birth on hand. An Identity Alert can also be placed in the same manner, and the statement will stay on your Equifax® credit report for six years, encouraging lenders and creditors to call you before extending credit unless you request in writing for it to be removed.
Equifax offers a number of products that help protect you from identity theft, including credit monitoring. To learn more about how to get alerted of key changes to your Equifax® credit report, check out our line of identity theft and credit monitoring products here.
Where does the breached information go?
Data is like currency for hackers, and your personal information could end up in a variety of places. However, it typically falls into one of three categories:
1. It stays with the hacker
Sometimes the hacker holds onto the information, waiting for the opportune moment to use it. This could be so people forget their data has been compromised and will be less guarded or so the information can be used to plan follow-up attacks.
2. Shared publicly
Rather than safeguard the data, sometimes the hacker makes all the information public and searchable. This is more of a social statement than anything else, but your private information is now available to everyone.
How will I be informed of a data breach?
Canada's federal private-sector privacy law came into effect in November 2018, requiring organizations that hold your personal data to alert you of any security breaches that could lead to consumer risk. If your data is compromised, it could be used to harm your finances or reputation. Once the breach has been noted and assessed, the organization that has suffered the breach must contact you as soon as possible over email and telephone, and create public announcements to alert you in case they don't have your correct contact information. When the company contacts you, they should include a simple explanation of what has happened and how to protect yourself.
The notice from the affected company should include:
- What information of yours was compromised, and the extent the information is known
- What the organization has done to protect your information or reduce harm
- What you can do to reduce your own risk
- Who to contact at the organization for more information
Data breaches can be scary, but when armed with the right information and best practices for protecting yourself and your information, you can be proactively safe and ahead of any cybercriminals.