Data Breach: What to Do If You're Affected
If a company exposed your personal data, you have rights and may be owed money. Steps to protect yourself and how to claim data-breach settlement compensation.
A data breach can expose your Social Security number, passwords, financial accounts, and medical records. If a company failed to protect your personal data, you may have legal rights — and you may be owed money. Here is exactly what to do.
What Is a Data Breach?
A data breach happens when unauthorized parties gain access to personal information stored by a company or organization. Hackers, insider theft, and misconfigured databases all cause breaches. The exposed data can include names, Social Security numbers, email addresses, passwords, credit card numbers, and medical records.
The scale of data breaches has grown dramatically. The Identity Theft Resource Center reported 3,205 data compromises in the United States in 2023, affecting more than 353 million individuals. That number set a new record, up 72 percent from the previous record set in 2021.
Not every breach is a hack. Many occur because companies store data insecurely, fail to patch known vulnerabilities, or share data with third-party vendors who later suffer their own breach.
How to Find Out If Your Data Was Exposed
Companies that suffer data breaches are legally required to notify affected consumers in most states, but notification can take weeks or months. Do not wait for a letter to take action.
Use these free tools to check your exposure:
- HaveIBeenPwned.com — enter your email address to see if it appeared in known breach databases.
- Annual Credit Report — review your credit report at AnnualCreditReport.com, the only federally authorized free credit report site.
- Dark web monitoring — many banks and credit card companies now offer this as a free feature.
- Breach notification letters — companies are required under state breach notification laws to tell you what data was exposed.
If you received a breach notification letter, read it carefully. It should identify what type of data was exposed and what the company is offering, such as free credit monitoring.
Immediate Steps to Take After a Data Breach
The first 72 hours after learning about a data breach are the most critical for limiting your exposure. Move quickly on these five actions before attackers have time to exploit your data.
1. Change Your Passwords Immediately
Start with the account tied to the breach. Then change any account that uses the same password. Use a password manager to create unique passwords for each account going forward.
2. Enable Two-Factor Authentication
Turn on two-factor authentication (2FA) for every important account — email, banking, and social media. This single step blocks the vast majority of credential-stuffing attacks that follow large breaches.
3. Monitor Your Financial Accounts
Log into your bank and credit card accounts now and set up transaction alerts. Review every charge from the past 30 days. Report any unfamiliar transactions directly to your financial institution.
4. Watch for Phishing Attempts
Criminals use stolen data to craft targeted phishing emails that look legitimate. Be suspicious of any email asking you to click a link or confirm account details — even if it looks like it comes from a company you trust.
5. Save the Breach Notification Letter
Keep every document related to the breach. These records matter if you later file a settlement claim or need to prove harm. Make both a digital and physical copy.
Freeze Your Credit Right Away
A credit freeze is the single most effective tool available to prevent new fraudulent accounts from being opened in your name. It is free at all three major credit bureaus and does not affect your credit score.
Contact each bureau separately to place a freeze:
- Equifax: equifax.com/personal/credit-report-services/credit-freeze
- Experian: experian.com/freeze/center.html
- TransUnion: transunion.com/credit-freeze
A lesser-known step: also place a freeze with ChexSystems (used by banks) and the National Consumer Telecom and Utilities Exchange (NCTUE). These specialty bureaus are often overlooked but are regularly checked when someone tries to open a new bank account or utility service in your name.
You can temporarily lift the freeze online or by phone when you need to apply for credit. The lift is usually effective within minutes to one hour.
Where and How to Report a Data Breach
Reporting a data breach creates an official record that supports any future legal claim and helps regulators identify patterns of corporate negligence.
Report to the FTC
File a report at ReportFraud.FTC.gov. The Federal Trade Commission tracks breach reports and takes enforcement action against companies that fail to protect consumer data. Your report adds to aggregate data that can trigger investigations.
Report to Your State Attorney General
Most state attorneys general accept consumer data breach complaints. Many states now require companies to report breaches directly to the AG's office as well. Filing a consumer complaint keeps your state regulator informed and may support a state-level enforcement action.
File a Police Report if Identity Theft Occurred
If someone has already misused your information, file a local police report. Many creditors require a police report number before they will remove fraudulent accounts from your record.
What to Do If Identity Theft Already Happened
Identity theft victims have a defined set of legal tools — an FTC Identity Theft Report, written creditor disputes, and a police report — that force creditors and bureaus to act within statutory deadlines.
Create an FTC Identity Theft Report
Go to IdentityTheft.gov, the FTC's official recovery site. It generates a personalized recovery plan and creates an official FTC Identity Theft Report. This report carries legal weight: creditors must investigate disputes accompanied by it within 30 days, and credit bureaus must block fraudulent information within four business days of receiving it.
Dispute Fraudulent Accounts in Writing
Send written disputes to both the creditor and the credit bureau reporting the fraudulent account. Include your FTC Identity Theft Report and any supporting documents. Send everything by certified mail with return receipt requested — keep the tracking confirmation as proof of delivery.
Place a Fraud Alert
A fraud alert requires creditors to take extra steps to verify your identity before opening new accounts. You only need to contact one bureau — it must notify the other two. An extended fraud alert lasts seven years and is available to confirmed identity theft victims.
Your Legal Rights After a Data Breach
Federal and state laws give data breach victims enforceable rights against companies that failed to protect their information. Know your legal rights and understand that these protections exist regardless of whether a class action has been filed.
Federal Protections
The Fair Credit Reporting Act (FCRA) gives you the right to dispute inaccurate information caused by identity theft. The Fair and Accurate Credit Transactions Act (FACTA) created the free fraud alert system and extended your right to free credit reports after a breach. For healthcare data, HIPAA governs breach notification requirements and patient rights.
State Data Breach Laws
All 50 states have data breach notification laws. Several states — including California (CCPA/CPRA), Illinois (BIPA), and New York (SHIELD Act) — provide additional private rights of action, meaning you can sue the company directly without relying solely on a class action. California's CCPA allows statutory damages of $100 to $750 per consumer per incident for certain breaches.
Your Right to Sue
If a company's negligence caused your data to be exposed, you may have the right to file a lawsuit individually or join a class action. Consumer rights law firms often take data breach cases on contingency, meaning you pay nothing upfront.
Data Breach Class Actions and Settlements
Data breach class actions are lawsuits filed on behalf of all consumers whose data was exposed in the same breach. They are one of the most common ways breach victims recover compensation without hiring their own attorney.
When companies settle these lawsuits, they create a settlement fund. Class members — people whose data was exposed — can file claims to receive a share of that fund. You do not need to have suffered actual identity theft to qualify. Many settlements pay compensation simply for the exposure of your data.
Browse data breach class actions to see active lawsuits. Check open data breach settlements to find cases that are currently accepting claims.
One important detail that is easy to miss: if you do nothing and the court approves the settlement, you will receive whatever automatic payment the settlement provides (if any), but you permanently give up your right to sue the company individually. Opting out preserves your individual rights but means you receive nothing from the class settlement.
How to File a Data Breach Settlement Claim
Filing a data breach settlement claim is a straightforward process that most consumers can complete without an attorney in under 30 minutes.
Step 1: Verify Your Eligibility
Each settlement has a specific class definition — the group of people who qualify. Use the eligibility check tool to see if you qualify for any open settlements based on the companies and time periods you were a customer.
Step 2: Gather Your Documentation
Collect any breach notification letters, records of identity theft, bank statements showing fraudulent charges, and time logs if you spent hours dealing with the breach. Documented out-of-pocket losses and time spent are often compensated at higher rates than simple data exposure.
Step 3: Submit the Claim Form Before the Deadline
Every settlement has a claims deadline. Missing it means you receive nothing, even if you were clearly affected. Submit your claim through the official settlement website listed in the court documents or the breach notification letter.
Step 4: Track Your Claim
Save your claim confirmation number. Settlement payments can take months to years to distribute after the claims deadline. Track the case status through the settlement administrator's website.
What Compensation Can You Receive?
Data breach settlement compensation varies widely based on the size of the settlement fund, the number of valid claims filed, and the type of harm you experienced.
Common compensation categories include:
- Flat cash payments — a fixed amount paid to everyone who files a valid claim, regardless of documented harm. These often range from $25 to $100 per claimant.
- Out-of-pocket loss reimbursement — reimbursement for documented costs such as credit monitoring subscriptions, fees paid to resolve identity theft, or bank charges. Most settlements cap this at $250 to $5,000 depending on the case.
- Time compensation — payment for hours spent dealing with the breach, typically at $25 per hour, up to a set number of hours.
- Extraordinary loss payments — higher tiers for consumers who suffered significant identity theft as a direct result of the breach. The Equifax settlement, for example, offered up to $20,000 for extraordinary losses.
- Free credit monitoring — most settlements include one to three years of free credit monitoring through a third-party service.
Major Data Breaches With Open Claims
Several large data breaches from recent years still have open claim periods or pending settlements worth monitoring.
The AT&T breach disclosed in 2024 exposed the phone records of nearly all AT&T wireless customers — approximately 109 million people. This breach included call and text metadata for records from mid-2022 to early 2023, a scope far larger than initially disclosed. Litigation is active.
The National Public Data breach in 2024 exposed an estimated 2.9 billion records from a background check data broker, including Social Security numbers. This case involves individuals who never directly interacted with the company, raising novel legal questions about third-party data broker liability.
The Change Healthcare breach in 2024 exposed the health records of a substantial portion of the U.S. population after a ransomware attack on UnitedHealth Group's subsidiary. The HHS Office for Civil Rights launched an investigation under HIPAA. Check open data breach settlements for current status on these and other active cases.
Mass Tort vs. Class Action: Key Differences
Data breach cases are filed as either class actions or mass torts depending on how similar the victims' experiences are. Understanding the difference helps you know what to expect from your case.
| Factor | Class Action | Mass Tort |
|---|---|---|
| Who files the lawsuit | Named plaintiffs on behalf of the entire class | Each victim files an individual lawsuit |
| Your individual claim | Merged into the group; no individual case | Your case is heard on its own facts |
| Typical payout per person | Lower (shared settlement fund) | Higher potential (individual damages) |
| Attorney required | No — you file a claim form yourself | Yes — you need your own attorney |
| How common in data breach cases | Very common | Less common; used for severe identity theft harm |
| Opt-out right | Yes — you can opt out and preserve individual rights | N/A — you are already filing individually |
| Time to resolution | 2 to 5 years typical | Varies widely; often longer |
Most data breach victims are best served by the class action route unless they suffered substantial, documented identity theft losses that exceed what a class settlement would pay. Talk to a consumer protection attorney if you are unsure which path fits your situation.
Frequently Asked Questions
What should I do first after a data breach?
Change your passwords and freeze your credit at all three bureaus immediately. These two steps stop most of the harm that follows a breach before it starts. Do both on the same day you learn about the exposure.
How do I know if my data was actually exposed?
Check HaveIBeenPwned.com with your email address and review your credit report at AnnualCreditReport.com. Also watch your mail for a formal breach notification letter, which most states legally require companies to send within 30 to 90 days of discovering a breach.
Can I get money from a data breach even if nothing bad happened to me?
Yes. Many data breach class action settlements pay compensation simply for the exposure of your personal data, even if you have not experienced identity theft. The settlement recognizes that exposure itself is a harm. Flat-rate payments in recent settlements have ranged from $25 to $125 per claimant.
How long do I have to file a data breach settlement claim?
Each settlement sets its own claims deadline, and missing it permanently bars you from that settlement fund. Deadlines typically run 60 to 180 days after the court sends class notice. Check the official settlement website or use the eligibility check tool to confirm current deadlines.
Does filing a class action claim hurt my credit score?
No. Filing a claim in a class action settlement has no effect on your credit score. The claim is a legal submission to a settlement administrator, not a credit inquiry or financial transaction of any kind.
What is an FTC data breach report and why does it matter?
An FTC data breach report is a formal complaint filed at ReportFraud.FTC.gov that documents your experience. It creates an official record the FTC uses to track breach trends and pursue enforcement. If your data was misused, the accompanying FTC Identity Theft Report from IdentityTheft.gov gives you legal tools to force creditors and credit bureaus to act within strict statutory deadlines.
What is the difference between a data breach and identity theft?
A data breach is the unauthorized access to your personal information by an outside party. Identity theft is what happens when someone uses that information to commit fraud — opening accounts, filing tax returns, or making purchases in your name. A breach can lead to identity theft, but many breach victims never experience actual misuse of their data. Both situations carry legal remedies.