Overcoming Data-Breach Fatigue
It's easy to feel overwhelmed by data leak notifications and fraud alerts, but it's important to stay vigilant. Take these proactive steps to protect information.
Another day, another notification.
More than one billion personal records were potentially exposed in an alleged cyberattack against background check company National Public Data. Other 2024 breaches include AT&T, Ticketmaster and the Centers for Medicare & Medicaid Services.
If you've received a letter saying your personal data may have been compromised, you're not alone. An estimated 12% of the U.S. population was notified of their information's involvement in a data breach in 2021, according to a January 2024 Bureau of Justice Statistics report.
After receiving frequent notices about security breaches, it's easy to become complacent. But complacency can make it easier for fraudsters to steal your data, your identity and your money.
For example, stolen data can make its way onto the dark web, a network of hidden internet sites where information is resold or accessed for reuse, such as in fraudulent credit applications or tax returns filed to claim fraudulent refunds.
The first and best thing to do? Don't ignore the notification.
"Take the notice seriously, stay informed and take appropriate actions, but don't panic," said Sean Murphy, SVP and Chief Information Security Officer at BECU.
Sometimes, a database may have been accessed but your information wasn't involved. And if it was involved, sometimes the information may not be usable for fraud or identity theft. For example, expired IDs, old addresses or names or a password associated with a decades-old, throwaway AOL account might not be of much use to a hacker.
Murphy said there's still good reason to be diligent, as some information doesn't change long-term, such as your birthday or Social Security number. Taking precautions and using secure online identity-sharing practices can also help prevent your data from being compromised.
"Often the best medicine is preventive medicine," Murphy said.
How to Respond to a Breach
"If you've been notified you were part of a breach, take a breath and focus on learning more about what happened and how it might affect you," Murphy said.
Read the notice to find out what was accessed and if anything is usable by fraudulent actors. In the ensuing months, you'll need to take some steps regarding your credit, including checking bank statements and bills for anomalies resulting from potentially stolen information.
Commonly accessed information may include your:
- Name
- Social Security Number
- Date of birth
- Mailing address
- Account number or other identifying numbers
- Passwords and login information such as a PIN
"Be attentive to who you share information with and how they say they will use and protect it, and take precautions to prevent issues," Murphy said.
Watch out for excessive information requests, too. Understand any information requests and review the business's terms and conditions to determine how the business shares your information. Limit the information you share with a company, especially for items like coupons or savings.
Monitoring, Alerts and Freezes
One of the early steps you can take to limit potential damage from a data breach is to start monitoring your credit reports at the three credit reporting bureaus (Equifax, Experian and TransUnion). You can also set up fraud alerts or credit freezes with the bureaus.
An alert requires creditors to call you to verify your identity before offering credit. In contrast, a freeze effectively stops anyone from opening new accounts in your name. If you want to apply for a card or loan, you must unfreeze your credit first. Alerts and freezes can last one to seven years, and both are free.
Banks and credit unions also typically offer free fraud protection notifications if abnormal activity is observed — whether you're using your credit card in a new country or a retailer where you don't usually shop. Some sites, such as Credit Karma, offer monitoring services for the three major credit bureaus, as do some financial institutions.
You can also set up notifications at the three credit bureaus, which will inform you if someone attempts to get credit or rent an apartment using your identity. You'll be able to approve or reject requests.
Some fee-based programs and insurance policies offer more active monitoring of your information. For example, the Experian CreditWorks Premium program costs almost $25 per month, offers real-time credit alerts at three bureaus and provides up to $1 million in identity theft insurance.
Identity theft insurance plans assist with restoring credit and correcting information. Insurance policies don't typically cut you a check for lost amounts. Instead, the policy covers costs related to reclaiming your identity and offers some services.
These might include:
- Legal fee reimbursement
- Phone calls and photocopy reimbursement
- Case manager to help resolve your situation
- Online data protection software
- Automated identity theft monitoring
- Transaction notifications
- Mail reimbursement
- Fraud alerts
DIY Protection
If the steps to recover your identity seem overwhelming, a fee-based service might be appealing. But Murphy suggested a hands-on, do-it-yourself approach to protecting your personal data could save you money on services and help you keep track of what's going on with your accounts.
"Most programs offering identity monitoring and theft protection may only be marginally better than what you can do for free by ordering your credit report and reviewing your history, then setting up credit freezes and notifications," Murphy said.
Yet, if you struggle with the numerous steps to set up credit management and monitoring, these monthly or annual programs may help streamline the process.
Finally, if you note suspicious charges, report those charges immediately to your bank, credit union or credit card provider.
Fraud Alerts
Fraud alert text messages are also rising. These text messages might notify you that your card was used at a new location or check that you meant to spend more than $500, for example.
While you shouldn't blow off texts asking if you've just made a purchase in Canada or approve purchases without reviewing the information, you should still be cautious about how you respond to these messages.
Bad actors often abuse text messages using fraudulent information and hyperlinks to spoofed websites (websites that pretend to be your bank or another trusted institution).
Instead of clicking on links or calling back numbers sent to you in text messages, look up phone numbers and websites yourself and contact the business directly to find out what's going on.
"Pay attention to your 'Spidey senses,'" Murphy said. "If something doesn't seem right, it's better to use caution and ask questions."
Fraudulent activity may be an effort to override your "Spidey senses" by creating a sense of urgency, instilling fear or suggesting you're missing out, whether by pretending to act as law enforcement or your bank.
However, although alerts are going up, fraudulent credit card use has decreased in the past several years, thanks partly to AI. The alerts seem to be helping.
"There's a lot of fatigue around text messages, so we try to be careful about how we communicate and educate our members," Murphy said of BECU's efforts.
Improve Your Password Protection
To help head off future issues where you can, don't reuse passwords and practice good password hygiene. Your iPhone's strong password generator, Face ID and biometric information "provide a lot of protection right at your fingertips," Murphy said.
Murphy recommended storing passwords off your iPhone using an app-based password keeper such as 1Password, KeePass or OneDrive Personal Vault. Storing your password in your native browser (such as Chrome, Edge or Safari) is better than doing nothing or reusing the same login and password across your credit union, Netflix and LinkedIn accounts.
As a best practice, use 16-character passwords with phrases or an old-fashioned mix of uppercase and lowercase characters and numbers.
"The time it takes to crack those can take centuries, and some have even estimated a billion years, depending on the complexity," Murphy said.
He says the National Institute of Standards and Technology (NIST) no longer recommends requiring users to regularly change their passwords. "Password expiration policies often cause users to engage in insecure practices like writing down their passwords," he says.
"Instead, organizations should require a password change only when there is a good reason, such as account compromise. In short, use best practices following industry benchmarks."
Much like keeping your home or apartment in good working order, identity and credit security requires both consistent maintenance and attention to new problems that arise. Just as you wouldn't ignore a newly leaking kitchen faucet — even if you thought you just fixed it — don't ignore data leaks, either.
The above article is intended to provide generalized financial information designed to educate a broad segment of the public; it does not give personalized financial, tax, investment, legal, or other business and professional advice. Before taking any action, you should always seek the assistance of a professional who knows your particular situation when making financial, legal, tax, investment, or any other business and professional decisions that affect you and/or your business.