It’s always upsetting when you are notified by a business, whether it is a credit card issuer or a retailer, that your personal or financial information may have been stolen in a data breach. The recent incident at Target stores, one of the largest corporate breaches in recent years, affected millions of people.
“We want people to react, but not panic,” said Eva Velasquez, chief executive of the Identity Theft Resource Center, a nonprofit that provides free assistance to consumers.
After initially reporting that credit or debit card information from about 40 million shoppers was stolen from late November to mid-December in a hacking of Target’s in-store network, the company said in January that systems housing personal data on 70 million customers (with some overlap with the first group) also had been compromised.
Information on the second group, which includes people who may not have shopped at Target recently, included street addresses, telephone numbers, and e-mail addresses.
If you were in the group that received the first notification, you may already have been contacted by your bank and received a new debit card.
JPMorgan Chase replaced about 2 million debit cards as a result of the breach, which also involved the theft of encrypted PINs; Citibank said it would reissue all debit cards involved in the breach as well. Neither bank is broadly reissuing credit cards, although they will do so upon request.
Security consultants recommend that you monitor your financial accounts closely, preferably online, rather than waiting for periodic statements, and notify your bank of any suspicious charges.
What if you received the second notification, which involves personal information rather than financial data? This data, while “personally identifiable,” is less sensitive than, say, your Social Security number, which could potentially be used to open new accounts in your name, Velasquez said.
Still, it can help thieves target “phishing” attacks, in which you get e-mails that appear to be from a legitimate source, but which are really attempts to get you to divulge additional financial information.
Closing an affected e-mail account may be overkill, but “I would definitely change my e-mail password,” said Velasquez, since you are supposed to change passwords periodically, anyway. While it’s often easier to remember the same password for multiple websites, you should choose unique passwords for your bank account, she advised. “Don’t use the same password and PIN all over the place.”
She also advises that if you get an e-mail or a phone call alerting you to a data breach, don’t assume that the notification is legitimate and don’t use any contact information provided without verifying it first. Rather, search online for the company’s public phone number and call it yourself to confirm the notification is real.
It also cannot hurt, she said, to take Target up on its offer of a year of free credit monitoring, which can help alert you to suspicious activity by tracking inquiries about your credit report.
But John Ulzheimer, a consumer credit authority with Credit Sesame, said he considered the credit monitoring that Target was offering to be “woefully inadequate” because it covered only one of the three major credit bureaus.
A more proactive step is to put a “freeze” on your credit reports, which restricts access to your credit file and prevents the unauthorized opening of new accounts. You’ll have to remember to “thaw” the file, however, using a special code provided by the bureaus if you want to apply for credit.
Here are some other questions to consider, to help keep your information safe:
Q. How often should I check my financial accounts?
A. Bill Kowalski, director of operations for Rehmann Corporate Investigative Services, recommends checking your bank account online weekly at a minimum and preferably daily. Many people are online regularly to check e-mail or social media sites, so it doesn’t take much more time, he said.
If that seems unreasonable, Alphonse Pascual, senior security analyst at Javelin Strategy & Research, suggests taking advantage of automatic alerts that most banks offer to help flag possibly suspicious activity by sending texts or e-mails
Q. What if I used a debit card at Target during the holiday season, but my bank hasn’t replaced it?
A. Some big banks, including Bank of America, are closely monitoring accounts and replacing cards considered at risk, rather than reissuing them in a blanket fashion. But the bank will give you a new debit or credit card upon request, said Betty Riess, a spokeswoman. At the very least, you should contact your bank to change your debit card’s PIN. Target has said stolen PINs are not at risk because they were encrypted and the “key” to unlock the code is not stored on its systems. Still, “It would be a prudent thing to do to change the PIN,” said Pascual. “It’s easy to do and can give you extra peace of mind.”
Q. Is it safer to use a credit card or a debit card when shopping?
A. You may prefer debit cards to credit cards for routine purchases to avoid the temptation of running up debt. But credit cards generally offer stronger consumer fraud protections; in most cases, the most you will be liable for is $50.
With debit cards, you could potentially be liable for up to $500, or even the full amount of the fraud, if you delay too long in reporting it to your bank. And you could face delays before you get your cash back. “We recommend you use a credit card,” Velasquez said.