Research and Statistics

Data breach protection: 10 tips


When your card data may have been stolen by hackers in a data breach, it’s no time to panic, but do be vigilant and ready to take action if unauthorized charges show up

The content on this page is accurate as of the posting date; however, some of our partner offers may have expired. Please review our list of best credit cards, or use our CardMatch™ tool to find cards matched to your needs.

If you’re one of the millions of Americans who has used a credit, debit or ATM card at a retailer whose data has been hacked, your account information may have been stolen.

Now what?

Once past the shock, employ some common sense and a bit of vigilance. In most cases, you, your credit history and credit score should be fine.


No federal law requires you to be personally notified of a data-related security breach. Forty seven states do require notification (Alabama, New Mexico and South Dakota are the exceptions), but if there’s been a breach reporter, there’s no need to wait. Here’s are the 10 steps that federal fraud specialists, consumer advocates and other experts say you should do:

  1. Look at your receipts or scan your memory and figure out what card or cards you used a the breached store when it was hacked.
  2. Reset the password attached to the online version of that account. This won’t protect you against unauthorized use of the card at brick-and-mortar shops, but it might help defend against a deeper magnitude of security breach if the data thief decides to poke around in cyberspace.
  3. If you used a debit or ATM card, keep a close eye on the bank account attached to that card. Go online regularly for the next few weeks — or until authorities or your bank issues an all clear — and look for any unauthorized transactions.
  4. If you find one or more unauthorized transactions, immediately notify the bank. You must contact the card issuer within 60 days of the day the questionable statement was mailed to you. Upon learning of the problem, the issuer almost certainly will tell you to cut up the card in question and it will expeditiously send you a replacement. “They just want your credit card number,” Tom Shaw, vice president of financial crimes management at USAA, the financial services company that mostly serves military families, told in 2013 during a flurry of data breaches. “They are agnostic as to whose name is embedded in the magnetic stripe.”
  5. Know your legal liability and move quickly. Generally speaking, your liability is limited to $50 for unauthorized purchases made with your debit or ATM card. But time is of the essence: Under federal law, if you don’t report illicit transactions within 60 days, you may be held responsible for the entire amount. In any case, when you report an unauthorized transaction, the bank in all likelihood immediately will deactivate your debit or ATM card and arrange for you to receive a new one.
  6. If you used a card during the period when hackers were active, go online and monitor the transactions associated with that account. Check that account frequently until authorities issue an all clear.
  7. If you see anything suspicious, immediately call the credit card issuer and report the problem. In the case of credit cards, federal law also limits your liability to $50 for any fraudulent transactions.
  8. If you see unauthorized transactions on either a debit card or a credit card, also contact one of the three major credit reporting bureaus and ask it to attach a “fraud alert” to your account. This service is free, and the company must share the alert with the other two companies. The initial alert stays on your accounts for at least 90 days and will make it more difficult for a thief to open more accounts in your name.
  9. As a precaution, go ahead right now and order a free copy of your credit report. It will serve as a pre-fraud starting point in case things go south on you in coming weeks or months as a result of the breach at Target or any other potential financial fraud. Federal law requires each of the three major credit reporting services to provide one free copy of your credit report every 12 months. When the report arrives, check it carefully for errors or suspicious activity.
  10. In the unlikely event that you’re individually targeted for a full-blown case of identity theft, the damage could spread to your other accounts. In that case, you can ask each of the three credit reporting companies to put a freeze on your credit file. This makes it less likely that thieves can open new accounts in your name, but it also means that potential creditors cannot obtain your credit report. Think of it as the nuclear option and one to be used only under grave circumstances.

Bottom line: If you apply modest vigilance, employ some common sense and respond quickly to any suspicious activity regarding your accounts, you should be fine.

See related: Beware: Data breach dangers rise when you travel

Editorial Disclaimer

The editorial content on this page is based solely on the objective assessment of our writers and is not driven by advertising dollars. It has not been provided or commissioned by the credit card issuers. However, we may receive compensation when you click on links to products from our partners.

What’s up next?

In Research and Statistics

CareCredit ordered to refund $34 million to cardholders

GE Capital and its CareCredit unit agreed to refund $34.1 million to medical patients who got faulty information when they signed up for deferred interest cards

See more stories
Credit Card Rate Report
Cash Back

Questions or comments?

Contact us

Editorial corrections policies

Learn more