The web Browser you are currently using is unsupported, and some features of this site may not work as intended. Please update to a modern browser such as Chrome, Firefox or Edge to experience all features Michigan.gov has to offer.
Data Breaches: What to do Next
The number of data breaches and identity theft reports continues to rise every year. Scammers are on a mission to steal your personal information so they can commit identity theft. On average, there is a new identity theft victim in the U.S. every two seconds.
You need to take a data breach notice seriously. That notice means your personal information was released. You are now at greater risk for identity theft. This alert explains the steps you can take to protect yourself. You’ll also learn how to protect your information after a data breach.
Data Breaches and Security Incidents
The most common thing that happens after a data breach is your information is misused. All issues must be resolved quickly to avoid identity theft.
- Best case scenario
- You act quickly to address the breach;
- You may need to change passwords;
- You may need to contact your bank or credit union; and
- The issue will probably resolve itself within a few weeks or months.
- Worst case
- You ignore the breach;
- You don’t act;
- You’re a repeat victim of identity theft; and
- It takes years to clear up your identity.
- Even worse
- Your credit is ruined; and
- You now can’t get a home, car, or credit.
Less Sensitive Data
- Your name, address, phone number, and email address;
- Someone only having this information usually doesn’t put you at much risk; and
- However, scammers use this data to try and get more sensitive information. You may start to receive spam phone calls. They may send text messages or email you.
More Sensitive Data
- Credit and debit card numbers;
- Birth dates;
- Maiden names; and
- Driver's license numbers.
Credit Cards
Fraudulent charges may appear on your statement if your credit card numbers were stolen. Federal law protects credit card owners from fraud. If the scammer uses your card at a store, you are only responsible for up to $50. If they use it online or by phone, you are not responsible for any charges.
Debit Cards
Stolen debit card numbers can result in overdrafts and bounced checks. Do not wait to contact the card issuer. Your responsibility depends on how quickly you report the theft.
- Notify the card issuer immediately. You won’t owe anything if you notify them before the card is used; and
- You will be responsible for up to $50 if you notify them within two business days. And up to $500 if you notify them after two business days, but within 60 days for unauthorized withdrawals that appear on your statement. If more than 60 days has passed, you may be responsible for everything.
Birth Date
Don’t be overly concerned if someone has just your birth date. It gets risky when they also have other pieces of your personal information. Scammers can verify an identity with multiple pieces of data. A birth date can be valuable because it never changes.
Driver’s License
In Michigan, if your driver's license is stolen, report it to local law enforcement. Then go to your local Secretary of State branch and apply for a duplicate. You must provide “proof of identity." Ask that a "driver's license alert" be put on your record.
Data
- Social security number;
- Bank and financial account numbers;
- Account logins and passwords; and
- Medical/health information.
Social Security Number (SSN)
A stolen SSN is a worst-case scenario. A valid SSN can be sold to undocumented workers. It can also be sold to people trying to hide their identities. Anyone can pose as you if they have your SSN and your name. They can take out new loans and credit accounts in your name. They can incur medical debts. They can create medical records. File fake tax returns and generate criminal records.
Report the theft of your SSN to:
- the local police;
- the Social Security Administration (SSA);
- the Internal Revenue Service (IRS);
- the Internet Crime Complaint Center (IC3), and if identity theft results; and
- the Federal Trade Commission (FTC).
Account Numbers
Immediately notify your bank or financial institution that your account numbers were stolen.
Logins and Passwords
Stolen account logins and passwords create multiple opportunities for thieves to steal from you. They can look through your email for more personal information. The damage can multiply if you use the same login and password for other accounts. It is important to change affected logins and passwords immediately. Always ensure you use two-step authentication.
Medical, Health Information
Stolen health insurance account number, medical record numbers, health care treatment and other medical information can be sold or misused.
Preventative measures should be taken promptly to avoid identity theft.
- Change the passwords on medical portals that you use.
- Check Explanation of Benefit (EOB) Statements from your insurers even more carefully than usual.
- Contact your bank and credit card issuers and ask them to put an alert on your accounts. (Even if the medical provider doesn’t believe financial information was stolen, it’s a good idea to have alerts on all your financial accounts.)
- More information can be found on the FTC’s What To Know About Medical Identity Theft page.
Steps for Consumers Who Receive a Breach or Incident Notice
- Find out what information was compromised and act accordingly;
- Pull your credit report. And check it regularly;
Consumers have the right to order a free credit report from each of the three major credit reporting companies every year. These national credit bureaus have a centralized website, toll-free telephone number, and mailing address. This makes ordering easily and all in one place.
- By Mail - complete the Annual Credit Report Request Form (PDF) and send to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
- By Telephone - call 877-322-8228 (toll-free); or
- Online - (this is the only truly free credit report website). Beware: Misspelling this site or using another site with similar words will take you to a site that will try to sell you something. It may also collect your personal information.
The three credit reporting bureaus are Equifax, Experian, and TransUnion. Consumers can access each of their reports weekly at no cost by visiting the Annual Credit Report website.
Mark on your order that you want only the last four digits of your SSN to appear on your credit report copies.
Review the Michigan Attorney General Alert, Free Credit Reports: What Consumers Should Know, to learn more about what is in your credit report. It also shows what you should look for on your credit report. And what to do about errors.
Identity theft victims can place a fraud alert on their file. They can also receive copies of their credit report from each credit reporting company free of charge. Regardless of whether they already ordered their free annual reports.
Requesting a copy of your own credit report is known as a "soft inquiry." It will not affect your credit scores.
- Put a fraud alert on your credit file;
A fraud alert is a flag placed on your credit file. This happens when you tell a credit reporting agency that your data may have been compromised. The alert makes it more difficult for someone to open an account in your name. The Federal Trade Commission provides helpful tips on its website.
Federal law requires that agency to notify the other credit reporting agencies. They will then place alerts on your reports with them. Placing a fraud alert or credit freeze on your report also freezes online access to your social security information with the Social Security Administration (SSA). That means if you don’t already have an account with SSA, you will not be able to open one while the alert is in place. You can still go to your local social security office to create an account in person. This is the only way to create an account while the alert is in place. You will need to bring in proper identification.
There are three types of fraud alerts:
- Initial fraud alert - An initial fraud alert makes it harder for an identity thief to open accounts in your name. These alerts last for one year and can be renewed. Anyone requesting your credit file during this year-long window receives an alert that you suspect you are a victim of fraud. A creditor must go through extra steps to verify that you authorized this request. This applies to opening a credit account, increasing a credit limit, or getting a new card. The request should be denied if they are unable to verify that it was your request.
- Extended fraud alert - These alerts are for confirmed identity theft victims. The alert lasts for seven years. A police report verifying your identity theft status is required before they are placed. Federal law requires creditors to call the consumer before approving a request to open or extend a credit line. Creditors use the phone number provided in the alert.
- Active-duty military alert - This free fraud alert lasts for one year. It is available to active military members who want to protect their credit while deployed.
- Consider a security freeze on your credit file;
A security freeze or credit freeze is something you request from a credit reporting agency to restrict access to your credit report. This makes it more difficult for identity thieves to open new accounts in your name. Most creditors will demand to see your credit report before they approve new credit. Your credit should not be extended if a creditor can’t see your file.
A credit freeze does not prevent all third parties from seeing your report. Existing creditors, debt collectors acting on their behalf, and government agencies in some circumstances still have access to your report. Placing a credit freeze on your account will not affect your credit score. And it will not keep you from getting your free annual credit report or score. Credit reporting agencies may not charge a fee to place or lift a security freeze. This applies to both temporary and permanent freezes.
- Credit monitoring;
Credit monitoring is a service that tracks your credit report and alerts you when a change is made. This gives you the opportunity to confirm the change. And you will be able to contest the inaccuracy. The specifics of any service will depend on the provider. Most advertise they will notify you within 24 hours of any change to your credit report.
You can expect to receive alerts about the following:
- Hard inquiries. When a credit card or loan application is submitted in your name;
- New accounts. A note is added to your account every time a new card or loan is opened in your name;
- Changes to existing accounts; and
- Address changes.
Some companies include non-credit red flags. They may monitor sex-offender registries, bank-account activity, or payday-loan applications. Credit monitoring companies may offer "free" trial periods. This can be followed by an expensive automatic renewal. These are often difficult to cancel. Credit monitoring services are frequently offered free of charge to individuals whose information was breached. These services typically last one year.
- Take advantage of free services being offered because of a breach;
Take advantage of any unconditional and free subscription designed to protect and help you. This may be credit monitoring, fraud resolution, or other services. Before you accept a free subscription offered to you because of a security breach, carefully consider any conditions placed on your acceptance of this subscription. For example, will you be charged after a short free period? Will you only get the free subscription if you give up your right to additional legal compensation?
- Use two-factor authentication; and
Two-factor authentication requires your password and an additional piece of information to log in to your account. The second piece could be a code sent to your phone. The app may also generate a random number. Tokens are also used. A token is a physical object in the user’s possession. Two-factor authentication protects your account even if your password is compromised. Choosing more than one type of second authentication is wise in case your primary method is unavailable.
- Ways to minimize identity theft risk.
Filing your taxes early can help prevent tax-related identity theft. That way the IRS gets your true return and would deny a fake copy. Learn more by reading the Attorney General’s alert, Tax-Related ID Theft.
Learn more about the different types of identity theft. These types can include financial, governmental, criminal, medical, and child identity theft.
Identity Theft Prevention and Resolution Resources
- Learn how to place credit freezes and fraud alerts on your credit reports, please see the Credit Freeze; Fraud Alert; & Credit Monitoring;
- Information on identity theft prevention and resolution for Michigan consumers is available on the Attorney General’s Michigan Identity Theft Support (MITS) page; and
- Visit the Federal Trade Commission's website devoted to identity theft. You can also call the Federal Trade Commission's ID Theft Hotline at 877-ID-THEFT (877-438-4338).
Report Fraud
You can file a consumer complaint here. More information about the complaint process is available on our website.
P.O. Box 30213
Lansing, MI 48909
517-335-7599
Fax: 517-241-3771
Toll-free: 877-765-8388
Online complaint form