Cybersecurity, explained for the rest of us.

Explainer

What Is a Data Breach and What to Do If You're In One

Margot 'Magic' Thorne (@magicthorne), 18 min read

A data breach is what happens when private information held by an organization gets accessed, taken, or exposed by someone who wasn't supposed to have it. The "private information" can be anything: passwords, credit card numbers, medical records, email addresses, government identifiers, internal company documents. The "organization" can be anyone: banks, retailers, hospitals, government agencies, your employer, the small business that processes your insurance claim.

Breaches happen constantly. Most of them you never hear about. The ones that make the news are the largest or the most embarrassing. The cumulative effect is that almost every adult in any developed country has had personal data exposed in at least one breach, usually many.

That's the short version. The longer version requires understanding how breaches actually happen, what data tends to leak, what attackers do with it, and what you can practically do to limit the damage. I've spent two decades watching companies treat breach disclosure as a PR exercise and treat the people whose data was exposed as an afterthought.

How data breaches actually happen

Breaches happen in a few common patterns. The patterns repeat across industries.

The most common is credential compromise. An attacker gets hold of a username and password, usually through phishing or by buying credentials from a previous breach. They use those credentials to log into the company's systems and access whatever the user had access to. If the compromised account belonged to a low-level employee, the attacker gets limited data. If it belonged to an administrator, the attacker gets a lot.

The second most common is software vulnerabilities. The company's website, email server, file storage, or internal application has a flaw that lets attackers extract data without authenticating. Sometimes the flaw is in custom code. More often it's in a third party component that didn't get patched. The 2017 Equifax breach exposed records for 147 million people because an unpatched Apache Struts vulnerability sat exposed for months.

The third is misconfiguration. Cloud storage buckets left publicly accessible. Database servers exposed to the internet without passwords. Backup files dumped to a shared drive that's then indexed by Google. These aren't sophisticated attacks. They're embarrassing accidents that anyone with a search tool can find.

The fourth is insider threats. A current or former employee takes data they shouldn't have, either to sell, to start a competing company, or as revenge.

The fifth is third party compromise. The company itself wasn't breached, but a vendor, contractor, or service provider was, and that vendor had access to the company's data. The Target breach in 2013 happened because attackers compromised an HVAC contractor with network access to Target's systems.

The sixth is ransomware with data exfiltration. Modern ransomware groups don't just encrypt files for ransom. They steal a copy first, then threaten to publish it if the ransom isn't paid. A successful ransomware attack is automatically a data breach.

What kinds of data leak

Authentication data. Usernames, email addresses, passwords. Sometimes the passwords are hashed (run through a one way function, so the original password can't be read back out of the stored value), sometimes encrypted (reversible by anyone holding the key), sometimes plaintext. Hashed passwords with strong algorithms are slow to crack. Plaintext passwords are immediately usable.
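To make the three storage styles concrete, here is an added example (not code from the article) showing what a leaked password record looks like in each case, using Python's standard library. The `scrypt` parameters and the `scrypt$salt$key` record format are this example's own choices, not any particular site's.

```python
import hashlib
import hmac
import os
from typing import Optional

# scrypt work factor used throughout this example (about 16 MiB per guess).
SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1


def store_plaintext(password: str) -> str:
    # Worst case: whatever leaks is usable the moment the attacker reads it.
    return password


def store_unsalted_sha1(password: str) -> str:
    # Fast hash, no salt: every user with this password gets the same hash,
    # and precomputed tables or a GPU recover common passwords in seconds.
    return hashlib.sha1(password.encode("utf-8")).hexdigest()


def store_scrypt(password: str, salt: Optional[bytes] = None) -> str:
    # Salted, memory-hard KDF: each guess costs real CPU time and memory, and
    # the per-user salt forces the attacker to crack every record separately.
    salt = salt or os.urandom(16)
    key = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                         n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return f"scrypt${salt.hex()}${key.hex()}"


def verify_scrypt(password: str, stored: str) -> bool:
    # Recompute with the stored salt and compare in constant time.
    _, salt_hex, key_hex = stored.split("$")
    candidate = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                               n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    return hmac.compare_digest(candidate, bytes.fromhex(key_hex))


if __name__ == "__main__":
    for fn in (store_plaintext, store_unsalted_sha1, store_scrypt):
        print(f"{fn.__name__:>20}: {fn('password')}")
```

Run it twice and notice that only the scrypt record changes between runs; that is the salt doing its job.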

Personally identifiable information. Names, addresses, phone numbers, dates of birth, Social Security numbers, driver's license numbers. This data is durable. Your name and SSN don't expire when the breach is announced. The data remains useful to attackers for years.

Financial data. Credit card numbers, bank account numbers, transaction histories. Card numbers can be reissued, but the transaction history that leaked alongside them can't be recalled.

Medical data. Treatment records, diagnoses, prescription histories, insurance information. Particularly sensitive because it's both private and durable. Medical breaches don't get fixed by changing a password.

Biometric data. Fingerprints, face data, voice prints. The most durable category. You can't change your fingerprint after it leaks.

The mix of data in any specific breach affects what you can do about it. Email and password leaks are usually mitigatable through password changes and 2FA. SSN leaks aren't.

How long breaches stay secret

The gap between when a breach happens and when it's disclosed is usually months. Sometimes years.

The Verizon Data Breach Investigations Report tracks median time to detection across thousands of incidents. The median is in the range of months. Some breaches go undetected for years.

Companies don't disclose breaches as soon as they discover them. They investigate first, which can take weeks or months. They consult lawyers about disclosure obligations. They prepare PR. They negotiate with regulators. By the time the public hears about a breach, it usually happened a long time ago.

Notification laws have improved this somewhat. The EU's GDPR requires breach disclosure within 72 hours of detection. US state laws vary. The US Securities and Exchange Commission (SEC) now requires public companies to disclose material cybersecurity incidents within four business days of determining materiality.

But "detection" and "happened" aren't the same. The 72 hour clock starts at detection, which can be months after the actual breach. The data has been in the attacker's hands for a long time before you find out.

What attackers do with breached data

Credentials get fed into credential stuffing campaigns. Attackers take leaked username and password pairs and try them on hundreds or thousands of other sites. The hit rate is typically a few percent, but the volume makes it profitable.

Personal data gets used for identity theft. The attacker opens new credit accounts, files fraudulent tax returns, applies for loans, or obtains medical care in your name.

Financial data gets used for fraudulent transactions. Card numbers are tested with small purchases and then used for larger ones. Banks usually catch this and reverse the charges, but the process is slow and disruptive.

Medical data gets used for medical identity theft (filing fraudulent insurance claims using your information) and for sale to other criminals.

The breach is the supply side. The attackers running breaches and the attackers using breached data are often different people. There's a thriving market in stolen data that connects them.

Notification: what it means and what to do

You'll usually find out about a breach in one of three ways: a notification email from the company that was breached, a news report, or a check on a service like Have I Been Pwned.

When you get a breach notification, the questions to ask:

What data was exposed? Email address only is the lowest tier. Email plus password is significant. Email plus password plus SSN or financial data is severe.

When did the breach happen? If it was years ago, attackers have had time to use the data.

Is the password stored hashed or plaintext? Hashed passwords with modern algorithms (bcrypt, Argon2, scrypt) are reasonably safe even after a breach, especially if the password was strong. The notification should specify; if it doesn't, assume the worst.

The standard response checklist:

Change your password for that service immediately. Use your password manager to generate a unique strong password.

Change your password on any other service where you used the same or similar password.

Enable 2FA on the breached account if available, with an authenticator app rather than SMS.

Check for unauthorized activity on the account. Review login history if available.

If financial data was exposed, contact your bank to discuss flagging or reissuing cards.

If SSN or government ID was exposed, place a credit freeze with the three major credit bureaus. This prevents new credit accounts from being opened in your name. The freeze is free under federal law.

If medical data was exposed, watch for unfamiliar bills, denied insurance claims, or notices about treatments you didn't receive.

Credit freezes and fraud alerts

A credit freeze locks your credit report. New creditors can't access it, which means new accounts can't be opened in your name. You unfreeze temporarily when you're applying for new credit.

You have to freeze with each of the three major credit bureaus separately:

Equifax

Experian

TransUnion

The process takes a few minutes per bureau and can be done online. Save your PINs.

A fraud alert is a flag on your credit report telling creditors to verify your identity before opening new accounts. It's less restrictive than a freeze. You can place a fraud alert with one bureau and they'll notify the others. Initial fraud alerts last one year.

For most people, freezes are the right answer because new credit applications are rare.

Both are tools to use proactively, not just reactively.

What you can do before a breach

Use unique passwords for every account, generated and stored in a password manager. Credential stuffing only works against reused passwords. With unique passwords, a leak from one site doesn't compromise your other accounts.

Enable 2FA on every account that supports it. Hardware keys for high value accounts. Authenticator apps for the rest. SMS as a last resort.

Use email aliases for accounts you don't trust. Services like SimpleLogin, AnonAddy, or Apple's "Hide My Email" let you generate unique email addresses for each service. If a service gets breached, the leaked email is unique to that service.

Monitor for breaches. Have I Been Pwned lets you sign up for notifications when your email appears in new breaches.

Place credit freezes proactively.

Check your credit reports regularly. AnnualCreditReport.com is the official site for free annual reports from each bureau.

What you can do after a breach

For email and password exposure: change the password on the breached service and any other service using the same password. Enable 2FA. Move on.

For SSN and identity exposure: place credit freezes immediately. Monitor your credit reports. Consider an Identity Protection PIN with the IRS to prevent fraudulent tax returns.

For financial data: contact your bank to reissue cards. Monitor statements. Dispute any unauthorized charges within the legal protection windows.

For medical data: notify your insurance provider. Watch for unfamiliar claims or denials.

For severe cases: file an identity theft report with the FTC at IdentityTheft.gov. File a police report if there's evidence of crime against you specifically. Contact the FBI Internet Crime Complaint Center for additional reporting.

A quick analogy

Data breaches are like rain. They happen continuously. Some are light drizzles that affect a small group of people for a short time. Some are floods that affect millions and cause damage for years.

You can't stop the rain. You can stop yourself from getting soaked.

The roof is unique passwords plus password manager. The umbrella is 2FA. The raincoat is credit freezes and email aliases. The towels for when you get wet anyway are credit monitoring, breach notification services, and the FTC reporting infrastructure.

None of these stops the weather. Together they keep you dry through the storms that will keep coming.

The mistake people make is treating breaches as exceptional events that justify a one time response. They aren't exceptional. They're the climate. The defensive posture has to be ongoing because the threat is ongoing.

Frequently asked questions

Should I sign up for a paid identity protection service?

The free credit monitoring offered after breaches covers most of what paid services do. For most people, the free options plus a credit freeze plus careful monitoring of accounts is sufficient. Paid services are reasonable if you want the convenience or you have specific concerns that justify the cost.

What's the difference between a breach and a leak?

The terms are used loosely. Technically, a breach is unauthorized access, while a leak is unintentional exposure. The damage to affected users is similar.

Can I sue companies that get breached?

Sometimes. Class action lawsuits follow large breaches. Settlements are typically small per individual but can be meaningful if you actually file a claim.

How do I know if my passwords have been exposed?

Have I Been Pwned lets you check whether your email appears in known breach databases. Most password managers have built in breach monitoring.
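The checks described in "Monitor for breaches" and this answer can also be done without ever sending your password anywhere. Have I Been Pwned's Pwned Passwords service accepts only the first five characters of a password's SHA-1 hash and returns every known hash suffix with that prefix, so the match is made on your own machine. The following is an added example written for this article (not Have I Been Pwned's own code); the `SAMPLE_RANGES` response is constructed to stand in for the live API so the script runs offline, and its counts are made up.

```python
import hashlib
import urllib.request
from typing import Callable, Dict

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"


def sha1_prefix_suffix(password: str):
    # The API sees only the 5-character prefix; the 35-character suffix stays local.
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def parse_range_response(text: str) -> Dict[str, int]:
    # Each line of a range response is "<35-hex-char suffix>:<times seen>".
    counts: Dict[str, int] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        suffix, _, count = line.partition(":")
        counts[suffix.upper()] = int(count)
    return counts


def breach_count(password: str, fetch_range: Callable[[str], str]) -> int:
    # Returns how many times the password appears in known breaches (0 = not seen).
    prefix, suffix = sha1_prefix_suffix(password)
    return parse_range_response(fetch_range(prefix)).get(suffix, 0)


def fetch_range_online(prefix: str) -> str:
    # Live lookup: only the prefix leaves your machine.
    req = urllib.request.Request(PWNED_RANGE_URL + prefix,
                                 headers={"User-Agent": "breach-check-example"})
    with urllib.request.urlopen(req, timeout=10) as resp:
        return resp.read().decode("utf-8")


# Constructed stand-in for the API. Prefix 5BAA6 is the real SHA-1 prefix of
# "password"; the suffix counts and the other two suffixes are invented.
SAMPLE_RANGES = {
    "5BAA6": "0018A45C4D1DEF81644B54AB7F969B88D65:3\r\n"
             "1E4C9B93F3F0682250B6CF8331B7EE68FD8:3861493\r\n"
             "2F4AC2AF8D3A25C9B2B1E6B1F0D2F1B3A4C:1\r\n",
}


def fetch_range_offline(prefix: str) -> str:
    return SAMPLE_RANGES.get(prefix, "")


if __name__ == "__main__":
    print(breach_count("password", fetch_range_offline))  # 3861493 in the sample data
```

Swap `fetch_range_offline` for `fetch_range_online` to query the real service.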

How often should I check my credit reports?

You're entitled to one free credit report from each of the three bureaus per year through AnnualCreditReport.com. Spreading them through the year gives you ongoing visibility.

Are some industries more breach prone than others?

Healthcare, finance, retail, and technology see the most breaches in absolute terms because they hold the most data. Any organization holding valuable data is a target.

What to do next

If you don't have a password manager and unique passwords across accounts, fix that first.

If you don't have 2FA on important accounts, enable it.

If you haven't placed credit freezes with the three bureaus, do it this week.

If you've received breach notifications recently and put them aside, go back to them. Each notification deserves the response checklist outlined above.

If you suspect you're already a victim of identity theft, file a report at IdentityTheft.gov and follow the recovery plan it generates.

The breaches will keep happening. The data already exposed isn't coming back. The work is to limit ongoing damage and be ready when the next one hits.

Filed under: data-breaches, account-security, identity-theft, privacy, encryption