
Data breach protection: 10 tips


When your card data may have been stolen by hackers in a data breach, it’s no time to panic, but do be vigilant and ready to take action if unauthorized charges show up.


If you’re one of the millions of Americans who have used a credit, debit or ATM card at a retailer whose data has been hacked, your account information may have been stolen.

Now what?

Once past the shock, employ some common sense and a bit of vigilance. In most cases, you, your credit history and credit score should be fine.


No federal law requires you to be personally notified of a data-related security breach. Forty-seven states do require notification (Alabama, New Mexico and South Dakota are the exceptions), but if there’s been a breach reported, there’s no need to wait. Here are the 10 steps that federal fraud specialists, consumer advocates and other experts say you should take:

  1. Look at your receipts or scan your memory and figure out what card or cards you used at the breached store when it was hacked.
  2. Reset the password attached to the online version of that account. This won’t protect you against unauthorized use of the card at brick-and-mortar shops, but it might help defend against a deeper magnitude of security breach if the data thief decides to poke around in cyberspace.
  3. If you used a debit or ATM card, keep a close eye on the bank account attached to that card. Go online regularly for the next few weeks — or until authorities or your bank issues an all clear — and look for any unauthorized transactions.
  4. If you find one or more unauthorized transactions, immediately notify the bank. You must contact the card issuer within 60 days of the day the questionable statement was mailed to you. Upon learning of the problem, the issuer almost certainly will tell you to cut up the card in question and it will expeditiously send you a replacement. “They just want your credit card number,” Tom Shaw, vice president of financial crimes management at USAA, the financial services company that mostly serves military families, told in 2013 during a flurry of data breaches. “They are agnostic as to whose name is embedded in the magnetic stripe.”
  5. Know your legal liability and move quickly. Generally speaking, your liability is limited to $50 for unauthorized purchases made with your debit or ATM card. But time is of the essence: Under federal law, if you don’t report illicit transactions within 60 days, you may be held responsible for the entire amount. In any case, when you report an unauthorized transaction, the bank in all likelihood immediately will deactivate your debit or ATM card and arrange for you to receive a new one.
  6. If you used a card during the period when hackers were active, go online and monitor the transactions associated with that account. Check that account frequently until authorities issue an all clear.
  7. If you see anything suspicious, immediately call the credit card issuer and report the problem. In the case of credit cards, federal law also limits your liability to $50 for any fraudulent transactions.
  8. If you see unauthorized transactions on either a debit card or a credit card, also contact one of the three major credit reporting bureaus and ask it to attach a “fraud alert” to your account. This service is free, and the company must share the alert with the other two companies. The initial alert stays on your accounts for at least 90 days and will make it more difficult for a thief to open more accounts in your name.
  9. As a precaution, go ahead right now and order a free copy of your credit report. It will serve as a pre-fraud starting point in case things go south on you in coming weeks or months as a result of the breach at Target or any other potential financial fraud. Federal law requires each of the three major credit reporting services to provide one free copy of your credit report every 12 months. When the report arrives, check it carefully for errors or suspicious activity.
  10. In the unlikely event that you’re individually targeted for a full-blown case of identity theft, the damage could spread to your other accounts. In that case, you can ask each of the three credit reporting companies to put a freeze on your credit file. This makes it less likely that thieves can open new accounts in your name, but it also means that potential creditors cannot obtain your credit report. Think of it as the nuclear option and one to be used only under grave circumstances.

Bottom line: If you apply modest vigilance, employ some common sense and respond quickly to any suspicious activity regarding your accounts, you should be fine.
