Legal, Regulatory, and Privacy Issues

9 steps to take if your credit card data is hacked


When it comes to protecting customers, all banks are not alike — but what can you do if your bank’s database gets hacked?


What can you do if your credit card information is stolen because some third-party company got hacked?

It’s an important question to ask, especially given how frequently credit card data breaches make headlines. The latest: In August, Citi and Bank of America reportedly closed some customers’ credit and debit card accounts, respectively, because of data security failures involving retailers. This was just a few months after Citi announced that its database had been hacked, giving thieves access to thousands of Citi cardholders’ records and leading to nearly $3 million in losses.

A June report issued by Javelin Strategy & Research scored 23 credit card issuers on their ability to protect customers from identity theft. The top five: Bank of America, Discover, U.S. Bank, USAA and Capital One. The three lowest scores belonged to State Farm Bank, which had the lowest score of the group; Associated Bank; and SunTrust.

The report notes that in 2010, identity theft losses totaled $37 billion. That number will keep growing. “Card-not-present fraud is now higher than card-present fraud,” says Philip Blank, managing director, security, risk and fraud for Pleasanton, Calif.-based Javelin.

Credit card holders shouldn’t feel powerless if their information gets hacked. “Consumers have shown they want to play an active role in their own protection,” Blank says. Indeed, experts outline nine steps consumers can, and should, take to protect themselves now and in the event of a future breach.

1. Make sure there’s really been a breach.

“When you get the scary communication, make sure it’s legitimate,” says Steven Weisman, a Boston-based attorney and author of “The Truth About Avoiding Scams.” “People get phony security notifications and that can turn into identity theft,” he says. His advice: Don’t trust email, the U.S. mail or even a phone call. Call your bank yourself to confirm a breach.

2. Find out exactly what information was stolen.

“There’s a big difference between a credit card and checking account,” says Jeremy Miller, director of operations for Kroll’s Fraud Solutions, a division of Kroll Inc., a New York-based risk consulting firm. With a credit card account, consumers are responsible (in most states) for only $50 of unauthorized charges. However, most banks will forgive that, particularly if the breach is their fault. “But a checking account is different — you might get your account cleaned out,” Miller says.

3. Find out what your bank will do.

In late June, thieves breached Citigroup’s database, accessing 360,000 records and stealing a total of $2.7 million from 3,600 credit card holders. The bank agreed to compensate the cardholders. Other banks may offer a free credit monitoring service that alerts customers about activity over a certain dollar amount. Use it, advises Ed Bellis, CEO of HoneyApps, a Chicago-based data security firm. “The best thing consumers can do is have alerts and triggers on their credit card and bank statements,” he says. Such alerts will tip you off to fraudulent activity before it spins into major trouble. Keep in mind that the free alert offer will expire; find out when so you don’t end up paying an automatic monthly fee.

4. Cancel your cards.

If the bank didn’t do so automatically after the breach, do it yourself. Cancel your credit cards and debit cards that were issued by the institution that suffered the breach. Be sure to notify companies that have your card on file for automatic monthly fees, say for website hosting or a newspaper subscription, that your card was canceled.

5. Reset your passwords, and make them challenging.

Weisman says that “123456” and “password” are the most common passwords: Easy for good guys to remember, easy for bad guys to steal with. Avoid choosing easily findable information, such as your birthday or street address. Choose something more obscure, and make the password a mix of letters and numbers. For extra security, create a different password for each account. Just make sure to write them down and store them in a safe place, such as a home lockbox.

6. Monitor credit card statements closely.

Bellis says thieves love to test the viability of accounts with a small purchase, say a 99-cent iTunes download. Review every statement — each purchase, each charge — to make sure you or a household member with access to your card made that purchase. If you see an unauthorized charge, report it to the card issuer immediately.

7. Pull your credit reports.

Federal law requires the three main credit bureaus — TransUnion, Equifax and Experian — to give you a free credit report if your account information has been stolen. Review each report carefully for errors or fraudulent activity; if you find any, go to the reporting institution and fix them. If there’s a chance your Social Security number has been stolen, put a security freeze on your files. At minimum, issue a fraud alert, suggests Sheila Adkins, spokeswoman for the Council of Better Business Bureaus, Arlington, Va.

8. Beware of email asking for personal, financial or account information.

“Legitimate companies you rely on for your online shopping, financial needs and college tests will not request this information — they already have it,” Adkins says. If you want to communicate with an online company, find its website and use that website’s contact information.

9. Tighten up your own security.

This won’t keep your data safe if someone hacks into some other company’s database, but it’s a smart move anyway. Update your home computer’s security. Don’t click on links sent by strangers; such links can contain invisible malware that will monitor your computer’s keystrokes and thus steal passwords. If you bank online, dedicate a browser to online banking, and use it for nothing else. “You have to have data and information discipline,” says Daniel Mohan, president and chief operating officer of ID Watchdog, a Denver-based data monitoring, detection and resolution firm.

“Information sits out there in those databases,” Mohan warns. “Hackers know it and keep digging for gold.”
