- If you learn that a company you have an account with has had a data breach, contact them as soon as possible.
- Change all affected passwords.
- When you create new passwords, make sure they’re strong and unique.
- If your accounts offer multifactor authentication, turn it on as an extra layer of security.
If a company you have an account with experiences a data breach, take the following steps to make sure your personal information is protected.
Contact your financial institution
In a data breach involving private financial information, immediately contact your financial institution to mitigate further damages and begin a recovery process. The financial institution can assist in locking down compromised accounts.
Determine what was stolen
Determining which data and accounts are compromised is the first step in protection and recovery. While waiting to receive notification of a breach is an excellent last resort option, a more cautious approach is to utilize breach monitoring tools to regularly verify whether your usernames and passwords have been disclosed in a breach. Many popular password managers also include this service.
If sensitive information such as Social Security numbers or banking credentials has been compromised, consider contacting relevant financial institutions and credit-reporting bureaus. Consider signing up for a credit monitoring service for another layer of reassurance.
Change all affected passwords
If it is determined that your account information has been disclosed in a breach, all related passwords must be immediately changed.
Below is a password checklist published by the Federal Trade Commission on keeping passwords secure (FTC 2021):
- Make sure your password is long and strong. That means at least 12 characters. Making a password longer is the easiest way to make it stronger. Consider using a passphrase of random words to make your password more memorable, but avoid using frequently used words or phrases. Do not use passwords that are easily guessable from information found on social media. If your service does not allow long passwords, you can strengthen your password by mixing uppercase and lowercase letters, numbers, and symbols.
- Do not reuse passwords you have used on other accounts. Use different passwords for different accounts. This way, if a hacker gets your password for one account, they cannot use it to get into your other accounts.
- Use multifactor authentication when it is an option. Some accounts offer extra security by requiring something in addition to a password to log in to your account. This is called multifactor authentication. The “something extra” you need to log in to your account falls into two categories:
  - Something you have—like a passcode you get via an authentication app or a security key.
  - Something you are—like a scan of your fingerprint, retina, or face.
- Consider a password manager. Most people have trouble keeping track of all their passwords. The more complicated a password is, the stronger it is, but a longer password can also be more challenging to remember. Consider storing your passwords and security questions in a reputable password manager. To find a respected password manager, search independent review sites, and talk to peers about those they use. Make sure to use a strong password to secure the information in your password manager.
- Pick security questions only if you know the answer. If a site asks you to answer security questions, avoid providing answers that are available in public records or easily found online, like your zip code, birthplace, or your mother’s birth name, and do not use questions with a limited number of responses that attackers can easily guess—like the color of your first car. You can even use nonsense answers to make things more complicated—but if you do, make sure you can remember what you use.
- Change passwords quickly if there is a breach. If a company tells you there was a data breach where a hacker could have gotten your password, change the password you use with that company right away and any account with a similar password.
Content provided by KPMG.