
The letter arrives with a corporate apology and a phrase designed to sound routine: “some of your personal information may have been involved in a security incident.” What it means in practice is that your name, and possibly your Social Security number, birth date, or passwords, may now be for sale to people who monetize exactly that. The company will offer a year of credit monitoring. Monitoring tells you about damage after it happens; the moves below prevent it.
Breach notices are common enough now that most adults will receive several in a lifetime, and the response is the same each time. What matters is the order of operations and the speed. Here are the five moves to make in the first day or two, in sequence, each one free.
1. Read the notice, then lock the account that leaked
Start by finding out what was actually exposed, because a leaked email address and a leaked Social Security number are different emergencies. The notice, or the company’s breach FAQ page, will say. Then change the password on the breached account immediately, and, more important, on any other account where you reused that password or a close cousin of it. Password reuse is how a minor breach at a shopping site becomes a takeover of your email.
While you are in the settings, turn on two-factor authentication for the breached account, your email, and your bank. Email deserves special priority: whoever controls your inbox can reset the password on nearly everything else you own.
2. Freeze your credit at all three bureaus
If the breach involved your Social Security number, this is the single highest-value move. A security freeze blocks lenders from pulling your credit file, which stops thieves from opening new cards or loans in your name, and federal law makes freezes free at all three bureaus. You contact Equifax, Experian, and TransUnion separately, online or by phone, and each gives you a PIN or account to lift the freeze temporarily whenever you legitimately apply for credit.
A freeze does not touch your existing accounts, your credit score, or your ability to use current cards. The only cost is a few minutes of unfreezing before you finance a car or open a new card, which is a fair trade for closing the door that identity thieves most want open.
3. Set a fraud alert as the quick companion
A fraud alert is the lighter-weight sibling of the freeze: it tells businesses to take reasonable steps to verify your identity before extending credit. One call does the whole job, because whichever bureau you notify must tell the other two. An initial alert lasts one year and is renewable. Some people use an alert while they get around to the freeze; the stronger posture is both, since the freeze blocks the file outright while the alert covers creditors who see your file some other way.
4. Pull your reports and start watching
Next, look at what is already in your credit files. Federal law entitles you to free reports through AnnualCreditReport.com, the official site authorized under the Fair Credit Reporting Act, and the three bureaus now make reports available free every week there. Read each report for accounts you do not recognize, hard inquiries you did not trigger, and addresses that are not yours. Then keep checking periodically, because stolen data is often warehoused and used months or years after the breach, well past the free monitoring window the company offered.
Watch your bank and card statements the same way, and treat small unfamiliar charges seriously; thieves often test a stolen number with a trivial purchase before a big one.
5. Close the tax and phishing side doors
Two doors remain that freezes do not cover. The first is tax refund fraud, where a thief files a fake return under your Social Security number and collects your refund. The IRS offers a free defense: an Identity Protection PIN, a six-digit code, changed yearly, that must accompany any return filed under your number. Any taxpayer can opt in, and after a Social Security number breach, any taxpayer should.
The second is the follow-up con. Breaches spawn phishing waves, including messages posing as the breached company offering help or “verification.” Real companies do not ask for your password or full Social Security number by email or text. The FTC’s phishing guidance is worth two minutes: the reliable move is never clicking the link in the message and instead going to the company’s site directly.
If you find actual misuse
Should any of this watching turn up a real problem, an account you did not open, a tax return already filed, charges you did not make, go straight to IdentityTheft.gov, the FTC’s recovery site. It generates a personal recovery plan, produces the official FTC Identity Theft Report you will need to dispute fraudulent accounts, and pre-fills the letters to bureaus and businesses. Victims who work from that plan spend hours on recovery instead of months.
The whole five-step sequence costs nothing and takes an evening. The company that lost your data will move on quickly; the freeze, the IP PIN, and the two-factor logins you set up this week are the parts of its apology that actually protect you.
Leave a Reply