Defend your data after a breach

@Money September 7, 2011: 10:35 AM ET
Identity theft protection

(MONEY Magazine) -- Following a slew of corporate data breaches in recent months, you may have received a chagrined letter from a company with which you do business.

Sony, Citigroup, and Morgan Stanley Smith Barney are among the big-name firms that have reported that personal information about their customers -- which could be used to commit identity theft -- was accessed by hackers or otherwise compromised.


So far this year, the nonprofit Privacy Rights Clearinghouse has tracked 313 corporate breaches. These have involved nearly 23 million sensitive records, as compared with 12 million for the whole of 2010.

Federal law requires banks to inform customers of breaches; 46 states have laws mandating that other companies do the same, and big firms typically contact all customers regardless of residency, says Brian McGinley, senior vice president at Identity Theft 911, which advises businesses on security.

While the tone of such letters and e-mails is often reassuring, don't be lulled into a false sense of security: Just 4% of American adults are victims of ID theft, but for those who have been notified of a breach, the incidence jumps to 17%, reports Javelin Strategy & Research.

What action you should take to protect yourself depends on the type of data compromised, which is usually specified in the letter. If it was ...


Sony announced in April that passwords (along with other data) of more than 100 million gaming customers were obtained by hackers.

When a password has been exposed, experts recommend changing it immediately. If you use the same code for other accounts, change those too, making each one unique.


The main risk is that you'll be the target of phishing attempts, in which fraudsters pose as friends or companies you do business with to get you to reveal other data.

So watch your inbox for any message that requests information or asks you to click a link. "Call the supposed sender of any suspicious e-mail to see if they really did send it," says Jay Foley, of the nonprofit Identity Theft Resource Center.


In June, Citibank reported that 360,000 customers' credit card numbers were hacked. If you're notified of a similar breach, you could simply monitor the account online every day for suspicious activity; federal law limits your losses from fraud to $50.

But it's just as easy to call the creditor and ask for a new card with a new number, says Foley. (Citibank voluntarily reissued cards to affected customers.)


While banks generally cover losses from fraud, sorting out the situation and restoring the funds takes time. If only the debit card number was compromised, cancel the card and change your PIN; that will shut off access to the account.

Send The Help Desk your questions about identity theft.

But if the account number is exposed, close the account and get one with a new number. Also ask for a "verbal password" as an extra layer of protection.

When in use, bank personnel are prohibited from discussing your account unless the caller provides the password.


Morgan Stanley Smith Barney alerted customers in July that CD-ROMs with data on 34,000 clients went missing en route to a state tax office. (There's been no sign of illegal activity, but the company says it's watching affected accounts closely.)

Brokerages have generally covered losses due to unauthorized access, but customers need to be vigilant. When account numbers are leaked, close the account and get one with a new number; just transfer shares to the new account.


This is the most serious breach, since your SSN allows a fraudster to open new credit in your name. Act fast to request a fraud alert on your credit reports. This lets lenders know they should take extra steps to verify it's you before issuing credit.

Contact any of the three major credit bureaus (Experian, Equifax, and TransUnion) to have the alert placed on all three. It lasts 90 days, and can be renewed.

The toughest backstop is to ask the bureaus to set up a "security freeze," which prevents anyone from opening credit in your name.

The catch: To get new credit yourself, you must lift the freeze. And each time you enact or remove it you'll pay $5 to $10. If you've been a victim of ID theft, however, it's free -- and worth doing.


After a breach, you may be offered free credit monitoring, a service that alerts you to suspicious activity on your credit reports. Take it.

Not an option? You can buy this service for around $10 a month. Or be your own watchdog: You're entitled to one free credit report a year from each of the three bureaus through Request one every four months.  To top of page

Help! We need a makeover
Young dad, $15,000 in credit card debt
Readers' Choice

Carlos Rodriguez is trying to rid himself of $15,000 in credit card debt, while paying his mortgage and saving for his son's college education.

$400,000 portfolio, too many holdings
Readers' Choice

Susan Carson and Laura DeLallo make $225,000 and have half a million in retirement savings, but their sprawling portfolios is proving hard to manage.

Overnight Avg Rate Latest Change Last Week
30 yr fixed3.80%3.88%
15 yr fixed3.20%3.23%
5/1 ARM3.84%3.88%
30 yr refi3.82%3.93%
15 yr refi3.20%3.23%
Rate data provided
View rates in your area
Find personalized rates:
  • -->

    Most stock quote data provided by BATS. Market indices are shown in real time, except for the DJIA, which is delayed by two minutes. All times are ET. Disclaimer. Morningstar: © 2018 Morningstar, Inc. All Rights Reserved. Factset: FactSet Research Systems Inc. 2018. All rights reserved. Chicago Mercantile Association: Certain market data is the property of Chicago Mercantile Exchange Inc. and its licensors. All rights reserved. Dow Jones: The Dow Jones branded indices are proprietary to and are calculated, distributed and marketed by DJI Opco, a subsidiary of S&P Dow Jones Indices LLC and have been licensed for use to S&P Opco, LLC and CNN. Standard & Poor's and S&P are registered trademarks of Standard & Poor's Financial Services LLC and Dow Jones is a registered trademark of Dow Jones Trademark Holdings LLC. All content of the Dow Jones branded indices © S&P Dow Jones Indices LLC 2018 and/or its affiliates.