Once More into the Breach
Funnily enough, the PSN breach was far from a worst case scenario. The breach was reported, a few days late, but it was reported in time and steps were taken to analyze the loss and inform major credit cards of the danger. There have been cases of websites simply losing information and never declaring it, based on the idea that the users may never put it together.
If you have reason to believe that your personal information has been lost, or you have been notified of a loss, then there are a number of steps to take to protect yourself.
Understanding the Breach
Start by getting as good an understanding of the breach as you can. Was it a straight smash-and-grab breach? Were the servers hacked and monitored for days? How many accounts were compromised? All of these questions will be vital for deciding your course of action.
On the same note, this should serve as a bit of a calming mechanism. Don't panic! Just take control of the situation, pull what you can together from news sites, posts and press releases, and make a list of what you can do, such as…
Learn What You Lost
There are a few levels of this. You need to first see whether you actually lost anything important. In the wake of the PSN breach, I saw a number of people panicking over losing information that was actually public knowledge. On the flip side, you need to note things that could be serious.
First, know what the lost information actually means. It's not good that your name and address are known by an unscrupulous person, but it's not a disaster. Someone can get that from any number of public databases, or even simple people searches online. Birth dates and similar little facts are a little worse, but also not serious cases.
Phone numbers and email addresses are a step above, since you could be under threat of phishing and you'll probably be put on a few marketing lists, but that's easily handled. The only real danger is that if they have your information and a means of contacting you, then they're in a good place to trick you into giving away information that is actually important. For example, a major concern after the PSN breach was that "PS3 support" might start sending out emails requesting credit card numbers or other important account information "for your safety."
Passwords and secret questions are probably the biggest threat online, depending on your password practices. We'll cover that in a second though.
Credit cards, social security numbers or your mother's maiden name are at the top of the list. You'll need to be ready to spring into action to handle this kind of breach. That will also be covered in a second.
The Collateral Damage – Your Passwords and Online Identity
One of the biggest realistic threats for people after a breach is collateral damage. A disappointing number of people use the exact same password for everything. Since a number of websites don't take your credit card information or any other vital information, a breach can seem minor. The catch is that the hacker will likely have the email address that you used on the site and a password. Please make sure that the password you used there is not shared with any other site.
This is actually one of the most important parts. If you have a shared password, you'll need to go through your list of important sites and start changing passwords. If someone has your email address and the password for your email, then they can control everything you use online. Even if you use separate passwords for your shopping and banking, they can just use the lost password function to have a new one sent to your email address, if they have control over it.
Go through all of the big sites, especially anything that could be related. Check Amazon, iTunes, PayPal, banking sites, any major shopping site, forums, Facebook, Twitter, etc. If you have to do so, you can do a search of your email address for “billing” or “account information” to track down extra accounts tied to email.
If you need help keeping track of all these passwords you're creating, I strongly suggest using something like KeePass. This database lets you just come up with one very strong password to protect a list of many other passwords. You can just press a button to generate a random long password, and then copy and paste it as necessary.
Note that secret questions can fall under the same umbrella. If you use the same question, and they gained access to it, then it may be compromised on other sites. Adjust this as necessary to ensure that they can't use the "lost password" option to get access to your account.
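The chain described in this section (a reused password or secret question reaches another account, and a compromised email account receives every lost-password message) can be traced over your own account list. This is an added example, not part of the original article; the account names, the labels, and the functions exposed_accounts and change_order are constructed for illustration, and passwords are represented by labels only, never by their real values.

```python
from collections import deque

# Constructed sample inventory (not real accounts). "secret" and "question"
# are labels for the password and secret question in use, never the values.
# "recovery" is the mailbox that receives that account's lost-password email.
ACCOUNTS = {
    "gameforum":  {"secret": "pw-A", "question": "q-pet",    "recovery": "mail"},
    "mail":       {"secret": "pw-A", "question": "q-school", "recovery": None},
    "bank":       {"secret": "pw-B", "question": "q-school", "recovery": "mail"},
    "shop":       {"secret": "pw-C", "question": "q-city",   "recovery": "mail"},
    "tickets":    {"secret": "pw-F", "question": "q-pet",    "recovery": "backupmail"},
    "oldblog":    {"secret": "pw-D", "question": "q-car",    "recovery": "backupmail"},
    "backupmail": {"secret": "pw-E", "question": "q-car2",   "recovery": None},
}

def exposed_accounts(accounts, breached):
    """Return {account: reason} for every account reachable from the breach."""
    leaked = accounts[breached]
    reasons = {breached: "breached directly"}
    # Step 1: accounts reusing the leaked password or secret question.
    for name, acct in accounts.items():
        if name in reasons:
            continue
        if acct["secret"] == leaked["secret"]:
            reasons[name] = "same password as " + breached
        elif acct["question"] == leaked["question"]:
            reasons[name] = "same secret question as " + breached
    # Step 2: anything whose lost-password email lands in an exposed mailbox,
    # followed transitively in case a mailbox recovers through another mailbox.
    queue = deque(reasons)
    while queue:
        mailbox = queue.popleft()
        for name, acct in accounts.items():
            if acct["recovery"] == mailbox and name not in reasons:
                reasons[name] = "lost-password email goes to " + mailbox
                queue.append(name)
    return reasons

def change_order(accounts, reasons):
    """Recovery mailboxes first, so later resets cannot be intercepted."""
    mailboxes = {a["recovery"] for a in accounts.values() if a["recovery"]}
    return sorted(reasons, key=lambda n: (n not in mailboxes, n))

if __name__ == "__main__":
    hit = exposed_accounts(ACCOUNTS, "gameforum")
    for name in change_order(ACCOUNTS, hit):
        print(f"{name:10} {hit[name]}")
```

In this constructed inventory the forum breach reaches the bank and the shop only through the mailbox, which is why the mailbox password is changed first.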
Handling the Credit Card Mess
This is fairly standard. As a rule, it's better to be proactive. If you're fairly sure that your credit card number has been lost or compromised, then you may want to be safe and call your credit card company's fraud line to report the loss. Note that you don't necessarily have to panic. Good stores will have the numbers encrypted, and they won't store the security number on the back. A smash-and-grab hack won't find it. They might be able to have a replacement card sent to them though, so there's still a risk.
Your company should be able to cancel that number and issue a new card within a week. One major consideration may be how much longer you have until your card expires. If your card is expiring soon, you may choose to just go ahead and get a new one early, or just wait until it dies normally. A card with a long life ahead of it bears more risk in the long term, since fraud can potentially occur after a few months. If you don't want to keep monitoring, you can just kill it now.
Fraud Alerts and You
If you're concerned that they managed to get vital credit information (such as your social security number), then you will need to consider a fraud alert.
This actually isn't that hard anymore. Experian offers a web form to do this, but you can call any of the three credit bureaus and issue one too. It will last for 90 days and require your express permission for any credit requests made in that time. Note that this is a free service, and that they will automatically forward it to the other bureaus. You don't have to purchase any of the extra monitoring that they offer, unless you decide that you want it.
You can also look into putting a general hold on your account. This will prevent anyone from pulling your credit report, until you pay to have the hold removed.
Finally, you may want to just look into some good credit practices. Keep reviewing your credit cards every few days for fraudulent purchases. You can also get a free credit report once a year from each of the three agencies. If you space these out every 4 months, you can have good coverage at no cost.
Overall, these steps should be enough to protect you. If you analyze the damage done, limit the alternative means of fraud and lock down the options to exploit your credit, then you will be in good shape to weather the storm. Note that this isn't an Internet-only phenomenon. It's just as easy for a waiter or cashier to write down your credit card number. The risk is out there in both the real world and online. Basic monitoring will do wonders to mitigate it though.
Experian Fraud Center with Link to Fraud Alert – https://www.experian.com/fraud/center.html