Data breaches occur when an organization’s systems are hacked by criminals – allowing criminals to gain access to the information on the systems. For example, a large supermarket chain could have its payment system hacked, or a hospital system could experience a hack of its patients’ medical records.

How to tell if you’re a victim of a data breach

There are federal and state laws requiring organizations to reveal to customers or members if their data is part of a breach. You could also find out by watching the news – the 2013 Target breach, for example, was widely publicized.

What should I do if I’m impacted by a data breach?

If you believe you were the victim of a data breach, here’s six steps to take immediately.

  1. Find out what information was compromised. While all data breaches may be scary, some types of data require more urgent action.

  2. Contact Patelco and get advice on securing your accounts – and it will be helpful if you know the type of information that was breached.

  3. Contact the 4 credit bureaus to set up either a fraud alert or a credit freeze. When a fraud alert is in effect, anyone who receives a credit application in your name should call you to verify your identity and confirm that you’re the one who really applied. With a credit freeze, creditors can't even access your credit reports – so it’s impossible for them to approve a credit application. (If you need to apply for credit during a freeze, it’s possible to temporarily lift the freeze.)

    Fraud alerts and credit freezes have to be put into place with each individual credit bureau. There may be a charge to add or remove alerts and freezes. Here’s the contact information for the 4 credit bureaus:

    • TransUnion 800.916.8800 transunion.com
    • EquiFax 888.548.7878 equifax.com
    • Experian 888.397.3742 experian.com
    • Innovis 800.540.2505
  4. Change your online banking User ID and Password at Patelco, and anywhere else you have login credentials. Once hackers have your sensitive personal information, they can often use it to figure out the password to your email or bank account – especially if it's something that includes your birthday or the name of a child or pet.

  5. Review your credit report and sign up for credit monitoring.

  6. If you’re not already signed up at Patelco and your other financial institutions, sign up for transaction alerts. Transaction alerts contact you by text message and/or email whenever there’s a charge or a transfer on your account. Set up the alert for the lowest transaction amount possible, because criminals will often test by making smaller charges before marking larger ones.

  7. Be on the alert for phishing scams. As noted above, criminals can use data from breaches to create more personalizing phishing attacks – which will be easier to fall for.

How common are data breaches?

Breaches have increased in frequency and scope over the last decade, including hitting very large, reputable retailers. In 2017, for example, Target paid an $18.5 million penalty to 47 states for a massive 2013 credit card breach where shoppers had their information compromised after shopping at their local Target store.

According to the Identity Theft Resource Center, nearly 2 million credit card and financial records are compromised annually, Additionally, the amount of stolen consumer financial data being sold on the dark web more than doubled between July 2017 and June 2018 compared to the previous year, according to the cybersecurity firm IntSights.

What do criminals do with the information from data breaches?

Unlike stealing cash or swiping cryptocurrency, data breaches don’t yield immediate money for criminals. But criminals are creative and know how to use data stolen in a breach to make money. Here’s five ways they do that.

1. Selling your data to other criminals

One way hackers profit from stolen data is selling it en masse to other criminals on the dark web. These collections can include millions of records of stolen data of many types, from medical data to financial records to Social Security numbers. The buyers can then use this data for their own varied criminal purposes.

2. Committing identity theft

Once hackers have your data from a breach, they can more easily target you directly to steal your identity. In a nutshell, identity theft is using a victim’s personal information to gain benefits at the victim’s expense — for example, opening a loan in the victim’s name and pocketing the money. Identity theft is easier for criminals once they have your name, address, and Social Security number.

2. Doing account takeovers

If a data breach includes usernames and passwords – or even personal information like birthdays and pet names that many people use for credentials – criminals may break into financial and shopping accounts to take them over. The hacker may change your password, so you may lose access to your account. Once the hacker has control of a shopping account, for example, they may order items for themselves, which will then be charged to you. Or if they gain access to your financial account, they may transfer the money out into their own account at another institution.

4. Conducting personalized phishing attacks

Once hackers have data from a breach, they can more easily target you with personalized phishing attacks. In a phishing attack, a criminal sends a fraudulent message designed to trick someone into revealing sensitive information or to install malicious software on their phone or computer. The more personalized a message, the more the victim is likely to fall for it – for instance, if a criminal learns your pet’s name and medications, they may create a phishing attack in the form of a fake email pretending to be from your vet. When you click on a link in the message – which may contain accurate information about your pet and their prescriptions – you could be installing malicious software on your computer.

5. Blackmailing and extorting victims

If data is of a very personal nature – such as healthcare data or data from a social media platform – criminals may even try to blackmail or extort victims, such as by threatening to reveal sensitive data unless a ransom is paid.