Credit Card Insider is an independent, advertising supported website. Credit Card Insider receives compensation from some credit card issuers as advertisers. Advertiser relationships do not affect card ratings or our Editor’s Best Card Picks. Credit Card Insider has not reviewed all available credit card offers in the marketplace. Content is not provided or commissioned by any credit card issuers. Reasonable efforts are made to maintain accurate information, though all credit card information is presented without warranty. When you click on any ‘Apply Now’ button, the most up-to-date terms and conditions, rates, and fee information will be presented by the issuer. Credit Card Insider has partnered with CardRatings for our coverage of credit card products. Credit Card Insider and CardRatings may receive a commission from card issuers. A list of these issuers can be found on our Editorial Guidelines.
On average, a cyberattack occurs every 39 seconds, and with a steady track record of mass digital data breaches since the first in 2004, hackers don’t seem to be slowing down. Although cyber criminals have a tendency to target larger companies, millions of customers can be placed in the line of fire by association.
For this reason, it’s important to be proactive in understanding data breaches and how you can take measures to protect yourself should you become involved in one.
A data breach is a cyberattack in which private information is accessed without authorization. Data breaches can occur within various organizations, from second-party retail stores and medical companies to third-party businesses like credit bureaus.
Data breaches are typically carried out in three separate steps: research, attack, and exfiltration.
Although the two are closely related, there is a distinct difference between a data breach and identity theft. A data breach can lead to identity theft. However, this is not definite. Just because there was a massive data breach involving your private information, it doesn’t mean your identity was or will be stolen.
So while a data breach means your private information is accessed and taken, it is not identity theft unless the attacker actually uses the stolen information to impersonate you.
There are various reasons as to why a data breach can occur.
Human error may also include using a weak password, sending sensitive information to the wrong recipient, or simply leaving a computer unlocked and unattended. In other cases, company servers have been left open and accessible to the public, ready and waiting for anyone to come along and take a look.
Although being involved in a data breach doesn’t necessarily mean your identity has been stolen, it’s important to know what types of information may be stolen and the impact a breach can have on you.
The types of information stolen may include:
Although a name and a date of birth may seem like insignificant information, with them hackers have the ability to deeply impact your life in a negative way. With the aforementioned data, a cyberattacker has the potential to steal your identity.
He or she can use the stolen data to impersonate you, for example by applying for credit or medical benefits or filing your tax return. Some of these crimes can destroy your credit, which can take loads of time (years, in many identity theft cases!) and stress to undo.
Recent dives into credit card security suggest that over 80% of active cards have already been compromised. This even applies to cards that haven’t been involved in data breaches, and places a strong importance on educating yourself to protect against identity theft.
In July of 2019, Capital One was involved in a massive breach in which a hacker gained access to over 100 million Capital One customers’ accounts and credit card applications. The hacker was identified shortly after the breach as a former Amazon employee. Capital One was using Amazon’s servers at the time in order to store all of the breached data. The hacker intended to use the stolen information to engage in “cryptojacking,” which is the process of mining cryptocurrency using some unwitting person’s computer.
Upon further investigation, Capital One claims that no account numbers or login credentials were compromised in the breach, and over 99% of SSNs were left untouched. The company vowed to contact those involved in the breach and extend free credit monitoring and identity protection services. It expects to incur between $100–$150 million in damages from the breach, including the additional support for compromised customers.
In May 2019, there was a security flaw in First American’s website, leading to a data breach that exposed nearly 885 million records. The exposed documents related to mortgage deals dating back to 2003. The documents included sensitive information like bank account numbers and statements, tax records, and SSNs.
Although First American restricted access to the database immediately upon being notified of the breach by Krebs, it is unclear whether any hackers noticed the accessibility and stole information. The cause of this breach was simply a lack of security in the company’s website design. First American has since hired an external forensics firm to investigate the severity of the hack, and expects to offer victims free credit monitoring as support in the aftermath of the breach.
In May 2019, the American Medical Collection Agency suffered a data breach that left the information of up to 12 million Quest Diagnostics patients vulnerable. The hacker gained access to financial information, SSNs, and medical data, but not lab results.
LabCorp was also affected by a breach suffered by the AMCA several days later. The medical testing company claimed that the compromised information for nearly 7.7 million customers did not include what types of tests were requested or the results of those tests.
Since the two breaches, the AMCA has conducted an internal review of its cybersecurity, which included taking down the web payments page that had been hacked. It has since moved its web payments page to a third-party site and hired an outside company to reevaluate its security system.
You probably won’t be surprised to hear that Facebook was hit with yet another major data breach in April of 2019.
In this recent breach, over 540 million Facebook user records were exposed on Amazon’s cloud computing service. It was suspected that two third-party developers, media company Cultura Colectiva and an app called At the Pool, posted the exposed records.
Cultura Colectiva exposed 146 gigabytes of user data, which included account names, IDs, and user behavior details like comments and reactions to posts.
At the Pool exposed plaintext passwords for 22,000 users in addition to user IDs, friends lists, photos, and location check-ins.
In November of 2018, Marriott International revealed that a breach of its Starwood guest reservation database had occurred, leaving the personal information of up to 500 million people vulnerable. The breach took place on September 8, 2018.
In March 2019, Marriott’s CEO Arne Sorenson further discussed the details of the breach. The specific information compromised included 383 million guest records, 18.5 million passport numbers, and 9.1 million payment card numbers.
In September of 2018, 30 million Facebook users were involved in one of the social network’s more notable breaches. Facebook reported that half of those users had sensitive info accessed, like usernames and recent search history, as well as profile information like race, religion, gender, relationship status, birthdate, and location. The other half only had names and contact details, like emails or phone numbers, exposed.
Since this data breach, Facebook has undergone in-depth investigation, and the results have been mostly disappointing. In early 2019, investigations found that the company had uploaded the email contacts of 1.5 million users without their consent.
When opening an account, Facebook requested users provide their email and password as a method of verification. Upon entering a password, the site began importing contacts without permission. The month prior to this second incident, the company admitted to storing passwords in a readable format within an internal storage system that could be accessed by employees.
Since the breaches, Facebook says it will be notifying all users involved, encouraging them to change passwords and turn on the two-factor authentication privacy tool. It will be taking measures to implement stronger encryption methods to keep login information more secure.
Between September 26 and October 12 of 2017, customer service operations company [24]7.ai experienced a data breach. The breach compromised the customer payment information of several of the company’s clients, including Sears and Delta.
Although Sears suspects fewer than 100,000 of its customers were made vulnerable, the credit card information of this group may have been compromised for online transactions that occurred between September 27 and October 12 of 2017. Sears claims purchases made with the company-branded credit cards (the Sears Card® and Shop Your Way Mastercard®) were not compromised. The company set up a hotline to assist customers who fell victim to the breach.
Delta concluded that a small number of individuals were affected by the breach. Payment card information may have been exposed during the period above, but Delta assured customers that passport, security, and frequent flyer data were not included. It set up a designated website for customers concerned about the breach.
In September of 2017, Equifax suffered a breach that left the personal information of 147 million people exposed. The credit reporting agency has since been involved in a global settlement case, settling on up to $425 million in assistance for those affected by the breach, which was decided in July of 2019.
Those affected by the breach are eligible to file a claim for the following:
Beginning in 2020, all U.S. consumers will receive six free Equifax credit reports per year for up to seven years, in addition to the one free annual report already offered. This perk will be offered to everyone, even if you do not file a claim. Those who choose not to file a claim will also be eligible for a free identity restoration service for up to seven years.
In 2015, Experian also suffered a data breach in which one of its business units was hacked, exposing data associated with one of its clients: T-Mobile. The breach exposed the names, addresses, and license and passport numbers of nearly 15 million people.
Due to laws in all 50 states, a company is legally obligated to let you know if you’ve been involved in a data breach. Upon being alerted that your information has been made vulnerable, it’s important to be proactive in strengthening your defenses against potential repercussions of a data breach.
Sometimes cyberattackers will pose as the targeted company and reach out to those affected by the breach in order to phish for more data. Never respond with any private information to emails appearing to be from an affected company. Locate official contact information and reach out to the company directly to investigate the following:
Placing credit freezes on your credit reports can prevent a thief from using your information to commit credit-related identity theft. With freezes, however, you’re also preventing new lenders from checking your credit and opening new accounts in your name, until you use your provided PIN to lift the freeze.
Adding fraud alerts to your credit reports will tell lenders to proceed with extreme caution whenever they see a request to open a new account. Fraud alerts are ideal for those who want to add a layer of protection but not lock down their reports completely.
Contacting the IRS is especially important if your Social Security number was compromised in a breach. You may want to strongly consider filing your taxes early in order to prevent a fraudster from stealing your return.
If your credit or debit card number was involved in a breach, call the issuer to cancel the card and get a new one with a new number. This can prevent you from dealing with the consequences of fraudulent purchases down the line. In general, it’s a good practice to keep a close eye on your credit card statements to watch for unauthorized activity, and that’s especially true if you’ve been involved in a breach.
You may also be entitled to help offered from the affected company. However, it is important to read the legal terms associated with any reparations extended to you. Accepting assistance may waive your right to sue a company, which can prevent you from receiving help for any extensive damages that may occur due to the breach.
Nearly one in three breach victims become fraud victims in the same year. One of the best tactics for being proactive with protecting your identity is checking up on your credit reports (yes, all three of them).
If you can’t get on board with remembering to thoroughly check them on a monthly basis, then aim to monitor them quarterly. Looking at your reports frequently will help you stay on top of any meaningful changes that may warrant further investigation and action.
If you suspect that you are a victim of identity theft, file an identity theft report immediately. Once you’ve received your completed report, send it to each of the credit bureaus and request the removal of any unauthorized activity.
Consider filing a police report as well. This can prove helpful when attempting to dispute any fraudulent activity on your reports.
Reset and improve passwords belonging to all breached accounts. If you have other accounts that utilize similar or identical passwords, change those as well.
Another way to strengthen security is by taking advantage of fraud and identity theft alerts that may be offered by your credit card issuer. Both Capital One and Discover offer Social Security number alerts designed to monitor the dark web for any of your personal information, and alert you if any is found.
You can also receive notification of whether new credit accounts have been opened in your name — you should freeze your credit reports immediately if you find anything was opened fraudulently. While Discover’s SSN and account alerts are only available to its own cardholders, Capital One offers these tools to anyone. You’ll also get new account alerts with most credit monitoring services.
Although there have been many major breaches receiving significant news coverage throughout the past decade, the data breach isn’t a new threat to companies and consumers. Hackers may have expanded tactics for accessing private information and achieved new depths in the damage caused, but the threat of having a company’s information breached has loomed for some time.
Data breaches are closely associated with cybertheft, cybersecurity, and new technologies. However, data breaches didn’t always involve digital records, and they still don’t have to.
Before companies had the technology to store their information digitally, a breach could occur if someone were to simply look at restricted information he or she didn’t have permission to access (which can still happen with digital tech). It was this type of situation that sparked the rise in legislation such as HIPAA to help guide companies in concealing sensitive information.
But digital records do make massive data breaches quite a bit easier. One of the first major digital data breaches happened in 2004 when AOL was hacked, compromising over 30 million consumers and 90 million screen names as well as email accounts.
Experian released a 2019 forecast for the data breach industry, which outlined five predictions for data breach trends:
If you have become a victim of identity theft or credit card fraud as a result of a breach (or any other reason), educate yourself on immediate action you can take for disputing fraudulent credit card charges and slowing down damage brought on by having your identity stolen.
A data breach is when private information is accessed without authorization, and this type of cyberattack is on the rise. While there’s no way to stop yourself from becoming involved in a breach, you can take steps to prevent your information from being used against you.