Tracing identity theft to any particular data breach is difficult, said James Lee, chief operating officer of the Identity Theft Resource Center, a nonprofit group based in California. “But we do know that data breach information is the fuel for most identity theft crimes.”

Through the first half of 2024, the Identity Theft Resource Center tracked 1,571 U.S. data breaches — 13% higher than the first six months of 2023, a year that ended with a record number of hacks. Over 1 billion people had their data compromised in breaches through June.

Companies and governments often struggle for months to determine the nature and extent of a data breach. So, your stolen data could be available to fraudsters for a long time before you even know about it.

“Welcome to the new way of life, where no one is safe,” said Bob Doyle of Savage, who recently got two letters saying his data had been breached. “The long-held belief of being safe at home has been blown up.”

How to decipher your notice

A consumer’s data breach odyssey usually starts with a letter from a hacked company or an alert from a credit monitoring service. (The Identity Theft Resource Center, which assists victims and conducts research, has a primer on what to do when you get a notice. )

In a breach letter, companies are required by law to say what happened, why it happened and how consumers can protect themselves, said Michael Bruemmer, Experian’s head of global data breach resolution.

The letters often have contact information for Experian, Equifax and TransUnion, the three major U.S. credit bureaus. By law, consumers can get one free credit report annually from each of them.

Breach notifications are typically thin on how a hack occurred. And over the past three years, they have become thinner due to court decisions that encourage companies to report fewer details, Lee said.

With less information, consumers can have more difficulty demonstrating actual harm in a lawsuit over a breach. “Don’t give people a road map to sue you” is the way companies look at it, Lee said. (Still, federal courts are rife with data breach lawsuits.)

Breach letters typically give consumers phone numbers to call if they have questions. Experts recommend that data breach targets freeze their credit.

“A credit freeze is a very good solution,” Bruemmer said.

It’s free. And fraudsters can’t access credit profiles that are frozen.

There is a downside: Consumers must temporarily unfreeze their credit information if they want to borrow money.

Consumers also can ask credit bureaus to issue a “fraud alert,” which tells lenders to verify your identity before issuing credit.

Other tips from experts include changing account passwords, vigilantly monitoring your financial accounts for signs of suspicious activity and signing up for a credit monitoring service. You’ll usually have to pay for credit monitoring, though some hacked organizations will offer it for free over a certain amount of time.

Questioning the information

Doyle, a retired human resources consultant, got a letter in June saying his data — name, address, date of birth and health information — had been potentially exposed in a hack.

Shortly after, he got a notice from his credit monitoring service, Experian, indicating that his Social Security number and his email address had been found on the dark web. The letter Doyle got mentioned nothing about either.

The dark web is a part of the internet that’s not accessible through conventional browsers. You need special software to get there.

“The dark web is basically the bad guys’ bazaar,” said Experian’s Bruemmer. It’s an anonymous stretch of cyberspace where thieves traffic in stolen data and other illicit wares.

“Most of us have data out on the dark web,” Bruemmer said. “And if your data is on the dark web, there is nothing you can do to get it off the dark web.”

Take these steps

Even if your misappropriated data isn’t on the dark web, you’re not in the clear. Cybercriminals are increasingly using the traditional web, Lee said. Data breaches are “so pervasive, and there is so much information available, that they don’t need to hide.”

And data pirates are quite innovative. Some will cobble together bits and pieces of stolen data — one person’s Social Security number, another’s person’s driver’s license information and so on, Lee said.

“They can create a synthetic identity,” he said.

Identity fraudsters will commonly use stolen information — from wherever they get it — to create financial accounts in a person’s name without that person knowing about it, Lee said. Hence the importance of freezing your credit report.

“Freezing your credit is the only thing that can stop something bad from happening,” he said.

And remember, don’t just blow off a data breach letter like another piece of junk mail.

“If you receive a data breach notice,” Lee said, “you are more likely to become a victim of an identity crime.”