1. You’ve Been Hacked!
What to do when your personal information has been compromised
Paul T. Yoder, Information Systems Security Specialist

2. Background And General Timeline
The sequence of events for a data breach goes something like this:
System(s) compromised
Data is stolen
Dwell time (the time between the compromise and discovery of the compromise) can be many months
The current industry average is about 6 months!
Data is sold on the Dark Web (tor network)
A hacker or group buys the stolen data
A fraud campaign is started
The whole process can range from days to many months, so you may have a window of opportunity to take some proactive steps (assuming the business discovers the breach and provides breach disclosure in a timely manner)

3. Post Breach To Do List
Alert the fraud department at one of the credit bureaus that your data was stolen. If you alert one bureau the other 2 are automatically notified. This will place a fraud alert on your credit report for 90 days alerting any businesses looking to grant credit to anyone using your information. You will then be contacted for verification.
Equifax Fraud Department Call Visit
Experian Fraud Department Call Visit
TransUnion Fraud Department Call Visit

4. Post Breach To Do List
File a report with local police and/or Federal agencies
A police report can be helpful in establishing that fraud did actually occur and that you are not just making this up to get out of paying your debts
You can also contact your local FBI office, the U.S. Secret Service, and the Internet Crime Complaint Center depending on the type of cyber crime committed:
property-crime
Request a copy of your credit report
Victims of identity theft are entitled to a free credit report
Wait about 1 month after you have noticed fraudulent activity on your account(s) to do this
Look for any requested changes to your personal info, accounts you didn’t open, inquiries from companies you didn’t contact for credit, and balances on your credit accounts that should be lower or have a zero balance

5. Post Breach To Do List
If you used the password to the compromised account on any other accounts, change all of them!
Even though a lot of businesses that store account-holder data use hashed & salted encrypted password fields, it’s better to be safe than sorry
Some “experts” have suggested that once one account has been compromised that you should request new cards for all your accounts
I personally don’t think this is practical, especially because you’re still going to have to buy gas, groceries, etc. (unless you’re OK with only spending cash while waiting for all your new cards to arrive)

6. Post Breach To Do List
Do these things even if you haven’t been compromised!
Begin shredding documents that contain your personal information
Dumpster-diving is still an effective method practiced by data thieves
Subscribe to a credit-monitoring service (i.e. Life-Lock)
A business that has had customer data stolen should offer this service to it’s customers for free as part of it’s PCI-DSS compliance obligations after a public breach disclosure
Don’t use your checking/savings account-linked debit card for purchases
A breach on one of these debit accounts can drain your entire bank account
Use credit cards for purchases instead (Visa/MC/Discover/Amex)
Setup purchase activity alerts on all of your debit & credit accounts
Most banks & credit card companies offer this service
If they don’t offer transaction alerts, then check your accounts manually every week