In early 2020, Marriott and MGM Resorts joined the long and growing list of major companies affected by data breaches. The two hospitality behemoths have plenty of company, including retail giants such as Target (2013) and The Home Depot (2014), blue-chip insurers such as Anthem (2015), and financial firms such as Capital One (2019) and Equifax (2017). The breach at Equifax, one of the three major consumer credit reporting bureaus, was one of the worst, with some 143 million personal records compromised in the massive attack.
For Marriott, it was the second major data breach announced in less than two years’ time. The previous incident was far more serious, compromising more than 400 million guests’ credit card and passport numbers. But rewards program information was involved in the more recent breach, raising the specter of fraud and impersonation for affected guests.
No matter the circumstances or the precise nature of the breach, you should act swiftly if you have reason to believe you’re a potential victim of a corporate data breach. Stolen personal information may be used in identity theft, which can be surprisingly difficult to detect, particularly for the elderly, minor children, and adults with limited control over their personal data and finances.
If your data is part of a corporate breach, you may not necessarily be a victim of identity theft. But it does significantly increases your chances, especially if you don’t take decisive action soon after learning of the breach.
What to Do When You’re Part of a Data Breach (Or Suspect You Are)
If you have reason to believe your data was involved in a corporate data breach, such as the MGM/Marriott breach, here’s what you can do to mitigate the risk.
1. Determine Whether You’re Actually Affected
Sometimes, the affected organization sets up a dedicated website or hotline for members of the public to check their status. After disclosing its 2017 breach, Equifax did both. You can still use its website to check your exposure.
Other times, the affected organization notifies victims directly. According to CNBC, Capital One notified victims of its 2019 breach through multiple channels, likely to include emails and secure internal account messages.
You can also use the breach’s publicly known timeline and geography to determine your exposure. For instance, the Capital One breach included data from pretty much everyone who applied for credit with the company between 2005 and early 2019. You probably know off the top of your head whether that means you.
2. Determine the Extent of the Compromise
This may be trickier than determining your exposure. For instance, data stolen in the Capital One breach appeared to fall into three main buckets:
- Data typically included on credit card applications, such as names, dates of birth, home addresses, and self-reported income
- Social insurance data – Social Security numbers from U.S. customers and Social Insurance numbers from Canadian customers.
- Credit card data, including payment history, credit limits, credit scores, and account balances, but apparently not credit card numbers themselves
The alleged perpetrator accessed credit card application data from virtually all consumers affected by the breach. She accessed social insurance information from a smaller number of victims – about 1 million, mostly Canadian – and was only able to obtain fragmented transaction data from 23 days in 2016, 2017, and 2018.
In other words, if you applied for a Capital One credit product between 2005 and early 2019, you can assume that your application data was compromised. But unless you had an active Capital One credit card from 2016 to 2018, your transaction data is probably safe.
To know for sure, reach out to the affected organization through approved channels, such as Equifax’s breach lookup website. Although you can always call the organization’s regular customer service hotline or use its online chat function, so can anyone else. And in the wake of a major breach, even large organizations’ support teams are likely to be overwhelmed with inquiries.
Alternatively, wait for the affected organization to contact you directly as you work through the rest of this list. Don’t interpret ongoing silence to mean you’re in the clear; the organization may take some time to determine precisely who’s affected and how.
3. Pay Attention to Official Communications From the Compromised Organization
If the compromised organization pledges to notify customers affected by the breach, find out precisely how and when they’ll do so. Since it’s less vulnerable to compromise than email and less prone to abuse than phone calls, snail mail remains a popular means of breach notification. Financial institutions may also use secure internal account messages to notify customers.
Don’t trust intermediaries unless the compromised company says it’s OK to do so. Don’t speak to anyone who tries to contact you outside of an approved means of disclosure. If the organization promises to notify victims by snail mail, and someone calls you claiming to represent them, assume it’s a scam and hang up.
If and when you do receive official communications from the affected organization, pay close attention to them and act on any instructions you receive. For instance, after a breach that compromises payment card data, financial institutions commonly reissue cards with new numbers. Watch for yours in the mail and activate it promptly.
Official instructions from the compromised organization may overlap with some or all of the action items on this list – all the more reason to take them seriously.
4. Change Passwords for Any Affected Account
Change the password for any digital account you know or suspect to be compromised in the breach. If you use the same compromised password on other accounts not affected by the breach, change the passwords on those as well. Moving forward, avoid reusing passwords, use a secure password storage manager like 1password, and take the opportunity to review these tips to protect your personal information online.
5. Set Activity Alerts
If you know or suspect that the breach compromised your financial information, such as payment card or bank account numbers, set activity alerts on those accounts to monitor for unauthorized use. At a minimum, these alerts should cover attempted withdrawals and point-of-sale transactions, as well as attempts to access your accounts online.
Bear in mind that hackers don’t have to break into your bank’s mainframe to obtain your payment card information. Over 100 million Target shoppers lost payment card information in the retailer’s 2013 data breach, for instance – a breach that didn’t directly affect any financial institutions.
6. Request New Payment Card Numbers
Financial services companies generally distribute fresh payment cards when their customers are affected by breaches. But if your card data is involved in a third-party breach, such as the Target incident, you may need to be proactive.
Call the number on the back of the card and tell the rep you believe your account was compromised. You may need to explain the scenario and answer some boilerplate questions, like, “Was the card ever out of your possession?” Be truthful, but don’t overexplain. Your bank or card issuer doesn’t want to be on the hook for unauthorized transactions, so it’s likely to cancel and reissue your card with limited pushback. In most cases, you’ll need to wait to use the new number until the physical card arrives in the mail.
7. Enroll in a Free Credit Monitoring or Identity Theft Protection Service
It’s standard practice for organizations affected by data breaches to offer customers free limited-time enrollment in credit monitoring or identity theft protection services. Enrollment periods typically last at least one year, with no obligation to re-enroll at subscription prices. Some last longer; Equifax offered customers affected by its 2017 breach up to 10 years of free credit monitoring.
Since enrollment in these services is free and you’re not obligated to pay when the free period ends, there’s little downside to taking an organization up on its offer. It’s the least they can do.
8. Place Fraud Alerts
Place a fraud alert with each of the three major credit reporting bureaus: Experian, Equifax, and TransUnion. By law, a credit reporting bureau must contact the other two when it receives a fraud alert request, so you technically only need to place an alert with one bureau to secure protection for all three. If you don’t trust the process, however, you’re free to contact each bureau individually.
As long as your fraud alert remains in effect, prospective creditors must verify your identity before opening new credit lines in your name. When someone pulls your credit or tries to open a new credit line on your behalf, you’ll automatically receive an alert. That makes it far more difficult for identity thieves to exploit your good credit and rack up debt without your knowledge.
Fraud alerts are free to institute and maintain. They last for one year, and you can renew them at the end of each term.
9. Claim Your Free Credit Reports
This is something you should do anyway, regardless of whether you’re involved in a data breach. By law, you’re entitled to one free credit report per year from each of the three major credit reporting bureaus. You can get yours at AnnualCreditReport.com. Consider pulling one report per quarter to monitor your credit throughout the year, rather than pulling all three reports at once.
Scan your report for sudden or unexplained credit score declines and other evidence of possible identity theft, such as the appearance of a new credit line you didn’t open.
10. Consider Signing Up for Ongoing Monitoring or Protection
After taking full advantage of any free membership or trial offered by the compromised organization, weigh the pros and cons of paying for ongoing credit monitoring or identity theft protection.
If you simply want to keep tabs on your credit score, a free credit monitoring service such as Credit Sesame may be all you need. For more robust, comprehensive identity theft protection, consider a paid service such as IdentityGuard, which comes with features free services don’t offer, such as detailed risk management reports, tools for safer Web browsing, and dark web scanning.
11. Consider Using a Dark Web Scanning Service
There’s a good chance your information is somewhere on the dark web. The question is, what’s being done with it?
While a dark web scan isn’t comprehensive, it may reveal whether any of your personal data has fallen into the wrong hands or is in danger of doing so. You don’t have to pay for this knowledge; Experian offers a free one-time dark web scan, for instance. Some experts question the value of a dark web scan, according to AZ Central. But it’s almost certainly better than nothing, especially when you don’t have to pay for it.
12. Promptly Report Suspicious Account Activity
Remember: It’s not the data breach itself you have to worry about; it’s what happens next. Very often, that’s a series of concerted efforts to steal your identity. For instance, cybercriminals who’ve gotten their hands on customers’ email addresses might impersonate the compromised organization in sophisticated phishing emails asking for account numbers or login credentials. Or they may send you malicious links that infect your computer with malware.
Report any and all attempts to further compromise your data or finances to the affected organization. Companies sometimes set up dedicated abuse-reporting channels after major breaches. Capital One immediately created the email address firstname.lastname@example.org.
By the same token, if you discover any suspicious activity through a credit monitoring service, in your credit report, from a credit bureau fraud alert, or by reviewing your credit card statement, immediately report it to your bank or credit card issuer. If the suspicious activity involves a credit card, the issuer should promptly cancel and reissue the card.
Banks and credit unions generally have zero-liability fraud policies that reverse or refund unauthorized debit transactions. But you may be on the hook for a portion of the charges – up to $500 – if you wait longer than two business days to notify your bank. The Consumer Financial Protection Bureau has a more detailed description of your rights under the law.
To be clear, you don’t have to wait for news of a data breach to report suspicious activity on your accounts. Unauthorized account charges, sketchy communications from people who may or may not be associated with your financial institution, and other possible instances of fraudulent activity always warrant reporting. But you should be especially vigilant in the wake of a disclosed data breach.
13. Freeze Your Credit Report
If you have no plans to apply for credit soon, consider freezing your credit at each of the three major credit reporting bureaus. Like fraud alerts, credit freezes are free to apply and lift. However, bureaus don’t have to notify one another when you place a freeze, so you’ll need to contact each one directly.
While your credit is frozen, creditors can’t pull your credit report. That means you can’t open new credit card accounts, apply for a mortgage, or take out a personal loan – and neither can identity thieves.
The Federal Trade Commission has more information on how credit freezes work and how they differ from credit locks, which may carry monthly fees.
14. Watch for Signs That Your Identity Has Been Stolen
The risk of identity theft dramatically increases in the wake of a data breach. According to IdentityGuard, almost one in five notified data breach victims later suffer identity theft.
Learn to spot possible signs of identity theft, such as:
- Bills for services you never requested
- Being turned down or charged more for health insurance due to conditions you don’t have
- Insurance claims rejected due to recent claims you didn’t make
- No longer receiving important bills
- Unexpected change-of-address notifications from creditors or payees
- Unexpected bank account withdrawals or credit card charges
- Notification from the IRS that more than one tax return was filed in your name for the most recent tax year
- Two-factor authentication alerts (such as numeric codes sent by SMS) that you didn’t request
- Credit applications rejected due to poor credit
If you spot any of these signs, here’s what to do if you suspect you’re a victim of identity theft.
15. Claim Your Share of Any Breach Settlement
The terms of Equifax’s breach settlement required the bureau to provide up to 10 years of free credit monitoring or $125 cash to customers with existing credit monitoring coverage. That may not be enough to make anyone rich, but it’s a nice gesture nonetheless.
If a data breach leads to a class-action lawsuit, you may be entitled to damages as part of that class. Eligible class members often, but not always, receive official mailed notification of their eligibility. Those who join the lawsuit are bound by the terms of the eventual settlement, while those who opt out are free to pursue other legal remedies. If you think you may be in a class for which you haven’t received official notification, check a no-cost third-party resource such as Consumer Action.
In a news cycle accelerated by social media and push notifications and distorted by misinformation and outright fake news, keeping up with current events is an overwhelming task. But some of the breaking stories crossing your virtual desk today could affect your personal finances or well-being tomorrow.
It’s worth a few minutes of your time to pay attention to reports of a major data breach. If you’ve had any association with the compromised organization, however tenuous, it’s highly likely you’re affected.
If that’s the case, take action to mitigate the damage. Mounting an effective response to a corporate data breach is mostly a matter of diligence and vigilance, and it’s well worth the time to ensure your information is protected.