Hackers have stolen your ID in a data breach. Now what?

PERSONAL FINANCE

By Mike Hughlett

The Minnesota Star Tribune

Tracing identity theft to any particular data breach is difficult, said James Lee, chief operating officer of the Identity Theft Resource Center, a nonprofit group based in California. “But we do know that data breach information is the fuel for most identity theft crimes.”

Through the first half of 2024, the Identity Theft Resource Center tracked 1,571 U.S. data breaches — 13% higher than the first six months of 2023, a year that ended with a record number of hacks. Over 1 billion people had their data compromised in breaches through June.

Companies and governments often struggle for months to determine the nature and extent of a data breach. So, your stolen data could be available to fraudsters for a long time before you even know about it.

“Welcome to the new way of life, where no one is safe,” said Bob Doyle of Savage, who recently got two letters saying his data had been breached. “The long-held belief of being safe at home has been blown up.”

How to decipher your notice

A consumer’s data breach odyssey usually starts with a letter from a hacked company or an alert from a credit monitoring service. (The Identity Theft Resource Center, which assists victims and conducts research, has a primer on what to do when you get a notice. )

In a breach letter, companies are required by law to say what happened, why it happened and how consumers can protect themselves, said Michael Bruemmer, Experian’s head of global data breach resolution.

The letters often have contact information for Experian, Equifax and TransUnion, the three major U.S. credit bureaus. By law, consumers can get one free credit report annually from each of them.

Breach notifications are typically thin on how a hack occurred. And over the past three years, they have become thinner due to court decisions that encourage companies to report fewer details, Lee said.

With less information, consumers can have more difficulty demonstrating actual harm in a lawsuit over a breach. “Don’t give people a road map to sue you” is the way companies look at it, Lee said. (Still, federal courts are rife with data breach lawsuits.)

Breach letters typically give consumers phone numbers to call if they have questions. Experts recommend that data breach targets freeze their credit.

“A credit freeze is a very good solution,” Bruemmer said.

It’s free. And fraudsters can’t access credit profiles that are frozen.

There is a downside: Consumers must temporarily unfreeze their credit information if they want to borrow money.

Consumers also can ask credit bureaus to issue a “fraud alert,” which tells lenders to verify your identity before issuing credit.

Other tips from experts include changing account passwords, vigilantly monitoring your financial accounts for signs of suspicious activity and signing up for a credit monitoring service. You’ll usually have to pay for credit monitoring, though some hacked organizations will offer it for free over a certain amount of time.