By Martin Edwards

Imagine you have an account with an online bookshop. You use a hard-to-guess
password and do a great job of keeping it a secret.
Then one day someone hacks into the bookshop’s server and takes a copy of a million customers’
accounts, including yours. This is a data breach. They happen often,
in varying scale and severity.
It is in the interest of businesses and other organisations to protect your data, and they may
be fined for not taking adequate measures to do so, but achieving total security is
The upshot is that much of what we consider private information may not remain private forever.
The consequences of a data breach depend on the importance of the service and the kind of
Your account with the bookshop probably has your home address and phone number. If these are
made public, fraudsters might include them when sending you
scam emails to make them sound more convincing, or make bogus
phone calls that seem more believable because they already know your name.
If passwords are breached, a third party might even be able to log into your account and order
books. They’ll also try the password on other popular websites, because people often use the
same password for several accounts.
Finally, information like your bank details or date of birth might assist criminals in identity
While caches of stolen data may be traded ‘underground’ for money, they can also end up on the
Internet. The silver lining is that you can use tools like
Have I Been Pwned to check whether your data appears
in a public breach. And if you let Chrome, Edge, Firefox or Safari remember your passwords, you
benefit from the fact that these browsers regularly check those passwords against a database of
known breaches, and alert you if they’ve been compromised.

What to do

If you discover you’ve been affected by a data breach, don’t panic, and don’t blame yourself.
You didn’t do anything careless, and it doesn’t mean there’s something wrong with your
Try to find out which kinds of information were breached, such as phone numbers, credit card
numbers, or passwords. A responsible company should release a statement detailing this, it may
be reported in the news, or you can check
Have I Been Pwned.
If the breached information poses a risk and is feasible to change, change it. For example,
report a credit card as compromised so you get sent a new one. If your password was breached,
change it, including on any other websites where you used the same password — and take this
opportunity to make them all different.
Be realistic about what you can’t easily change. It’s unlikely any harm will come of your email
and phone number being leaked, for example, and you’re not going to move house because a
fraudster knows your address! Just keep in mind the possibility that this information may be
used in efforts to trick or scam you, especially in the immediate aftermath of the breach.