Don't throw away those notices! Data breaches can harm your credit, empty your bank account and compromise your identity.

Data-breach notices are becoming all too common these days, aren’t they? Those tiny folded postcards and thin, ominous business envelopes—from your health insurance company, cellular provider, bank or even your gym—arrive at such a fast clip that you might be tempted to just toss ’em to the side with the junk mail.

Don’t. When it comes to data breaches, it’s an issue of when—not if—you’ll be impacted. According to the Identity Theft Resource Center (ITRC), nearly 80% of consumers received at least one data-breach notice in the past year, and many received several. If you’re tossing those cards in the recycling bin, it’s time to think twice about that. The ITRC calls this “breach fatigue” and urges people to take notices seriously.

What if someone got a credit card in your name and racked up a $25,000 bill in minutes? Or used your Social Security number to obtain medical care? It happens all the time. Just this past winter, a massive breach at a Washington-based benefits manager exposed the Social Security numbers of 2.7 million people. In 2024 alone, data-breach notices went out to 1.36 billion victims, according to the ITRC. In 2025, victim numbers were down but the total number of breaches went up—and they were serious: Social Security numbers were involved in two-thirds of incidents, and one-third involved either bank accounts or driver’s license numbers.

To get more information about these frightening data hacks, we talked to Sandra Glading, an online safety advocate at McAfee; Greg Oslan, chairman and CEO of the National Cyber Security Center; and David Trapp, CEO of ArmorPoint. Read on to learn what to look out for and how to stay safe from bad actors trying to steal your identity.

What is a data breach?

A data breach happens when cybercriminals break into a company’s systems and steal personal information. “In the simplest terms,” Glading says, “it’s when your private data ends up in the wrong hands—often without you realizing it until later.”

What gets exposed can be basic, such as your name, email address or phone number. But it can also include more sensitive details, like your Social Security number, bank information or passwords. As Glading notes, “the more sensitive the data, the easier it is for someone to steal your identity or target you with convincing scams.”

Oslan adds: “A compromise of any of these independently is bad, but put together they can allow a bad actor to literally steal your life—your identity, your money or your personal information, including audio, video and pictures that are private.”

Just how common are data breaches?

All too common, unfortunately. According to the ITRC’s 2025 Annual Data Breach Report, 3,322 data compromises with more than 278 million victims were reported in the U.S. in 2025. That’s the highest total number of data breaches ever recorded and a 79% increase over the past five years.

Twenty years ago, data breaches were far less common, and Oslan says that even as recently as 2010, data was scarce because a full understanding of the threats was not yet available. The best information suggests around 600 breaches a year back then, he says, adding that scammers were less sophisticated and attacks more frequently targeted the government, the military and high-profile corporations.

“What changed is not just the number of incidents. It’s the scale and the economics behind them,” Trapp says, adding that the FBI reported $16.6 billion in cybercrime losses in 2024. “That tells you this is not some niche problem. It is a massive criminal economy, and ordinary consumers are in the path of it every day.”

How do you know if you’re a victim of a data breach?

In the United States, laws in all 50 states require private businesses to notify customers of data breaches involving personal information. If you’re a victim of a data breach, you’ll receive notice—in the mail, through email or through an identity-theft service if you’ve signed up for one. If it’s a large-scale data breach, you might even first hear about it in the news.

This sounds foolproof, right? Well, not exactly. “Unfortunately, you only receive a letter if it’s a major breach and it’s clear that your data has been compromised,” Oslan says. “This often takes months of research before you are notified, and by then, your data is already being exploited.”

It’s important to note that while data breaches are a serious concern, scammers love fear-based tactics—including sending out phony notices as a way to dupe you into providing info. If you receive a text message or email about a data breach and there’s a link for free credit monitoring or identity-theft protection or a number to call for more information, take a deep breath, don’t panic, and verify the information on the company’s official website before you click on any link.

What should you do after a data breach?

Act immediately. The experts we spoke with can’t overstate the urgency. “IBM’s 2025 Cost of a Data Breach Report found the average breach life cycle was 241 days, so by the time consumers hear about a breach, criminals may already have a head start,” Trapp says.

“After a data breach, the goal isn’t to do everything,” Glading adds. “It’s to do the right things quickly.” Here’s what to do:

1. Find out exactly what information was stolen

Why it matters

Different types of data create different risks. A leaked email address may lead to phishing attacks, while a stolen Social Security number could enable criminals to open credit accounts in your name.

How to do it

  • Carefully read the breach notice.
  • Look for the section that lists “information involved.”
  • Contact the company if the notice is unclear.
  • Use breach-check tools to see whether your email appears in leaks. The National Cybersecurity Center offers one, and Have I Been Pwned is another safe, free, reliable service to check your email.

2. Freeze your credit

Why it matters

A credit freeze prevents lenders from accessing your credit report, which makes it much harder for identity thieves to open new credit cards or loans in your name.

How to do it

Contact each of the three credit bureaus:

  • Experian
  • Equifax
  • TransUnion

Freezing and unfreezing your credit is free and can be done online in minutes.

3. Place a fraud alert on your credit report

Why it matters

A fraud alert tells lenders to take extra steps to verify your identity before issuing credit.

How to do it

  • Contact one of the three credit bureaus, and add a fraud alert to your credit file; that bureau will notify the others. You can do this on the web, by phone or via regular mail.

Alerts typically last one year, but extended alerts can last seven years for confirmed identity-theft victims.

4. Monitor your bank and credit card accounts

Why it matters

Fraudulent transactions often appear within weeks of a breach, but they could also show up after a longer period of time.

How to do it

  • Review statements weekly for several months.
  • Enable transaction alerts in your bank account settings to alert you when something is purchased.
  • Report suspicious charges immediately.

Most banks offer zero-liability protection, but you must report fraud promptly.

5. Change compromised passwords immediately

Why it matters

Glading says that stolen passwords are often reused to break into other accounts, so start with email, banking and shopping accounts. Use strong, unique passwords for each one to limit the damage from a single breach.

How to do it

  • Change the password for the breached account.
  • Update any other accounts using the same password.
  • Create long, unique passwords for each site.

6. Enable two-factor authentication

Why it matters

Two-factor authentication (2FA) adds a second security layer to your password by requiring a code from a separate authenticator app. These codes are time-based, one-time login credentials generated right on your phone that are less vulnerable than other methods of validation (like text messages).

It may feel cumbersome and annoying at first to have an extra step, but it’s much better than trying to fix the financial damage of getting caught up in a scam.

How to do it

  • Turn on 2FA in each of your accounts’ security settings.
  • Download and use an authenticator app, like Google Authenticator or Authenticator by Microsoft, when possible, instead of relying on SMS (text) codes.

7. Consider placing a freeze on your Social Security number

Why it matters

If your SSN was exposed, criminals may try to use it for employment fraud, tax fraud or benefit theft.

How to do it

  • Create a “My Social Security” account with the Social Security Administration.
  • Monitor earnings records.
  • Report suspicious activity immediately.

8. If your identity was stolen, report it

Why it matters

Filing an official report helps law enforcement investigate and allows you to dispute fraudulent accounts.

How to do it

  • File a report at IdentityTheft.gov.
  • Contact affected banks or creditors.
  • Keep documentation of fraudulent activity.

What else can you do to protect your sensitive information?

After a data breach, you should put systems in place to protect you in the future. You can:

  • Use a password manager. Password managers generate and store complex passwords so you don’t have to remember them.
  • Turn on passkeys where available. Passkeys use biometrics or device authentication instead of traditional passwords, making them harder to steal.
  • Sign up for identity-protection services. These services monitor credit reports, dark web marketplaces and personal-data leaks, and alert you to suspicious activity.
  • Recognize phishing attempts. After a breach, scammers often send fake emails pretending to be banks, retailers or government agencies. Never click unexpected links or download attachments from unknown senders.

One last tip: Oslan also told us about the National Cybersecurity Center’s Personal Cyber Advisor tool that is free to the public. “You will get tailored answers that are relevant to your specific situation,” Oslan says. “It provides alerts letting you know when your online life is at risk and an interactive session that will walk you through how to minimize the risk with a step-by-step, no-technical-jargon interaction.”

About the experts

  • Sandra Glading is an online safety expert and the head of global PR at McAfee. She has spearheaded projects to educate consumers on online safety, deepfake-scam detection and other AI-powered tools. Before moving to McAfee, she worked at multiple tech giants, including Google, Zocdoc, 21st Century Fox and Grubhub.
  • Greg Oslan is the chairman and CEO of the National Cyber Security Center. Oslan’s expertise focuses on issues related to the U.S. government, cybersecurity, commercial space and IT modernization.
  • David Trapp has almost two decades of experience in cybersecurity and IT services. He currently serves as the CEO of ArmorPoint and its parent company, Trapp Technology.

Why trust us

Reader’s Digest has published hundreds of articles on personal technology, arming readers with the knowledge to protect themselves against cybersecurity threats and internet scams as well as revealing the best tips, tricks and shortcuts for computers, cellphones, apps, texting, social media and more. For this piece, Jaime Stathis tapped her experience as a tech journalist to ensure that all information is accurate and offers the best possible advice to readers. We rely on credentialed experts with personal experience and know-how as well as primary sources including tech companies, professional organizations and academic institutions. We verify all facts and data and revisit them over time to ensure they remain accurate and up to date. Read more about our team, our contributors and our editorial policies.