In the latest round of confirmed data breaches, banking giant JPMorgan Chase—arguably the largest US bank—has announced that hackers may have accessed the secure information of approximately 83 million of its accounts, comprised of 76 million individual consumer accounts as well as around 7 million small business accounts.

In a filing made with the Securities and Exchange Commission yesterday, the company confirmed a breach that seems to have given criminals access to personal contact info on its account holders. This information is believed to be limited to basic data, such as individuals’ names, addresses, emails, and phone numbers, and so far is not thought to include any account numbers, passwords, Social Security numbers, or more valuable personally identifiable information. As the consumers’ financial information seems not to have been stolen, the bank will not be providing credit monitoring services or compensation to its customers at this time.

The interesting thing for consumers to understand about this breach is that it is not the stuff of movies. In the cyberthrillers of pop culture, thieves hack into the computers and electronically deplete the accounts of their money, but that’s far from what transpired in this situation. Instead, the hackers went after personal data, which some experts say is far more valuable than the contents of your checking account. With the right information, thieves can wreak havoc with your identity or even sell your information on black market websites that deal in stolen data. It would seem nearly impossible to cover their tracks should they actually steal the money, but stealing personal data gives them a high rate of potential financial gain and a lengthy time period with which to use it before the breach is discovered and they’re shut down.

So if the hackers didn’t take consumers’ money, what are they doing with the information? Some experts have already said that the thieves in this case may use the data they garnered to launch spam and phishing attacks, presumably through email but possibly also through text message and phone calls. By selling the information to companies that send out mass-mailings on behalf of cheap advertisers, they stand to gain financially, and by using the information for phishing, they can attempt to trick consumers into falling for even bigger scams.

At this time, the investigations into the causes and the reach of this event are still underway. But the first thing that should come from this is the understanding that there’s no such thing as “too big to fail.” At the risk of oversimplifying an understandably complex issue, if JPMorgan can be breached, other companies need to take a serious look at the security protocols and the amount and type of data they gather.

Consumers, even those who do not bank with JPMorgan and whose data was therefore not accessed, should make sure that they are educated about their personal security and their online behaviors so they don’t fall for a scam or fraud attempt. Even being connected through email to someone who does business with JPMorgan could mean that your email address can receive these expected phishing emails, so make sure you know the difference between content that is safe to open and click, and what is fraudulent. The ITRC maintains a list of the top scams and phishing attempts on its website for reference.

 

If you found this information helpful, you may want to consider taking part in the Identity Theft Resource Center’s Anyone3 fundraising campaign.  For more information or to donate please visit http://www.idtheftcenter.org/anyone-3.

It feels like new reports are coming out almost every day of major retail chains whose computers were hacked, leaving consumers exposed to identity theft and credit card fraud. But new information from the Secret Service may have found the connection between many of these recent data breaches.

Last month, the Secret Service released a report on its findings that may show a high number of companies were all breached by the same malware, known as Backoff. This program infiltrates the companies’ computers and point-of-sale credit card machines to gather information from the magnetic strips on the backs of credit cards. This method, known as RAM scraping, may have been put into effect from software that infected as many as seven different POS device manufacturers and distributors’ systems.

One of the most widely talked about recent breaches involved the retail chain Target, whose POS systems were hacked last year. That breach led to nearly 110 million consumers’ credit card information being accessed by criminals and sold on the internet to other thieves. The effects of that breach are still causing harm; Target has already paid a reported $148 million to clean up the damage, and credit card companies are still monitoring their members’ accounts. There have also been numerous pending lawsuits filed against Target for the breach given the news that the company was warned about vulnerabilities in their system by their own IT experts.

The Secret Service has yet to name the retailers that they believe were impacted by this malware infection, and hasn’t named the POS machine developers either. But they do seem to believe that the same malware has caused multiple major-name data breaches and that it began its malicious work in October of last year, right as the holiday shopping season began to kick off.

Interestingly, information from one of the leading cybersecurity experts in the country, Brian Krebs, links the spread of malware in data breach victims to employees who open and respond to phishing emails, those messages that contain a link that entices users to click it. By clicking the link, the employee accidentally downloads the malware and infects the entire system. In Target’s case, an employee at one of its third-party contractors who handles heating and cooling in the stores seems to have infected Target’s computers. A similar method of infecting computers can easily have happened at any of the recently breached companies.

While it’s up to the retailers to sort out how to investigate and clean up from a data breach, there are steps that consumers can take to protect themselves. The first lesson to be learned is almost too obvious: never, ever click on a link in an email unless you trust the source and can verify that it is not harmful. Also, keep your malware and antivirus subscriptions up to date, and always remember to download those pesky updates that your computer reminds you about from time to time. Those updates are helping your computer recognize and block the newest viruses or malware.

If you do suspect that you were a victim of a corporate data breach, remember to take the information seriously. When corporations offer credit monitoring services as part of their clean-up efforts, be sure to activate those subscriptions as soon as you’re informed. Of course, there’s no reason to wait for a company to discover it’s been hacked. Stay on top of your credit card statements, bank statements, and credit reports and watch for any suspicious activity so you can take action before things get out of hand, and report any strange purchases to your bank or card provider immediately.


The Georgia-based company Home Depot, with 2,200 stores nationwide, appears to be the most recent victim of a massive data breach which may have given thieves access to tens of millions of consumers’ credit card account information.

According to security blogger Brian Krebs, this data breach incident at Home Depot could be significantly larger than the Target breach due to the length of time it went undetected.

In a message on its website, Home Depot has confirmed they are looking into some “unusual activity” and that it is actively working with its banking partners and law enforcement to investigate this payment card breach which, according to some, may have started as early as April.

This determination is based on the recent appearance of credit card information becoming available in underground forums and on various websites.  Once the credit card information has been stolen and put up for sale, it can quickly be transferred onto blank plastic cards for use by identity thieves.  Initially selling for $50 to $100 on the black market, this information quickly loses its value once the financial institutions begin to detect “unusual activity”.

While the extent of the damage has yet to be determined, there are serious concerns that the breach compromised account numbers and expiration dates through malware placed on the company’s point-of-sale credit card readers.  In this case, many industry experts believe it is the same Backoff Point-of-Sale malware which may have compromised the credit card information in the breaches that occurred at Target, Neiman Marcus, Michaels and the UPS store.

The U.S. Secret Service estimates this malware has infected more than 1,000 U.S. businesses.  If so, all of the account information contained on the magnetic strips on the individual cards could have been retrieved by the hackers before the POS devices encrypted the information.

The following message has been posted on the Home Depot website:

“We’re looking into some unusual activity that might indicate a possible payment data breach and we’re working with our banking partners and law enforcement to investigate.  We know that this news may be concerning and we apologize for the worry this can create.  If we confirm a breach has occurred, we will make sure our customers are notified immediately.  For now, you should know the following:

First, you will not be responsible for any possible fraudulent charges.  The financial institution that issued your card or Home Depot are responsible for those charges should we confirm a breach. Make sure you are closely monitoring your accounts and reach out to your card issuer should you notice any unusual activity. If we confirm a breach, we will offer free identity protection services, including credit monitoring, to any potentially impacted customers. We’re working hard to get you the information you need as quickly as possible and will continue to provide updates as we learn more. If you have any questions, please call Home Depot Customer Care at 1-800-HOMEDEPOT (1-800-466-3337).”

What this means to you:

A compromise of payment information means that an unauthorized person(s) now has access to this information and could potentially use this information to make fraudulent purchases on the account(s) that were used when you shopped at Home Depot.

What you can do:

Monitor your credit and bank statements closely and look for any unauthorized activity.  Review each item, and keep an eye out for small dollar transactions. If you notice any fraudulent charges on your credit card or debit card, contact your financial institution (bank or credit card issuer) immediately.  Inform them that the charges are fraudulent and they will walk you through their remediation process.  Each financial institution has a different process.

Should you have any further questions or concerns about this event, please visit our website at www.idtheftcenter.org or call and speak to an advisor for free advice at (Toll Free) 888.400.5530.

Corporate security breaches seem to make news headlines almost daily. Companies like Target, Sally Beauty, eBay, and more have recently been the victims of large-scale security breaches that resulted in millions of customers’ personally identifiable information being stolen. That information is usually credit card information—data which is easily and immediately profitable—but can also include names, addresses, emails, Social Security numbers, and more.

In the case of this month’s PF Chang’s security breach in which millions of credit card numbers were stolen, the company’s corporate headquarters wasn’t even aware of the hacking event until it was brought to their attention that the credit card numbers were now for sale on a website that specializes in this kind of crime. A site that authorities believe may be based out of Russia is selling entire batches of card numbers to eager thieves, and one of the unifying factors in all of the cards is that they were used in a PF Chang’s restaurant location between March and May of this year.

Before you go check out the site to see if your card is listed…don’t. First of all, you won’t see any credit card information without signing up as one of their underhanded customers and paying for card information. But even going to the site could open you up to malware that infects your computer and retrieves even more of your data.

But what do hackers actually do with the information they steal? They sell it to their own customers. Their customers pay that website for information such as your credit card number, then turn around and use your card number for either online purchases or by attaching your data to the magnetic stripe on the back of a blank card. They can even sell these replicas of your credit card and turn a quick profit.

This is yet another case of corporate theft in which millions of victims did nothing wrong but were still subjected to potential identity theft and financial fraud. Short of never using a credit card or debit card, there isn’t a lot that consumers can do to prevent this kind of breach. However, it is certainly an example of the kinds of diligence that consumers must practice in order to protect themselves as much as possible.

First is to always read your credit card statements carefully, looking for any unauthorized charges or suspicious activity. You can also sign up for alerts from your credit card company, which will send you an email or text message any time a charge is made without your card being present. Also, choosing to do business with credit card companies who have a proven track record of watching their customers’ accounts for this kind of problem is a good idea.

This kind of awareness can help minimize the damage from a security breach and give you all of the necessary paperwork to file a police report and clear this up with your credit card company. Remember to take all news of a breach seriously, and treat even the hint that your information was compromised as a serious issue.


The Wall Street Journal is the most recent in a long line of corporations that have fallen victim to intentional hacking events, but what sets the WSJ apart from some of the other victims is its quick response upon discovering the breach.

Despite not having much verification as to what information was accessed and how widespread the infiltration may have been, the paper’s parent company, Dow Jones & Co., took its major computer systems offline, including even its photo database, in an effort to contain any possible damage.

According to sources like Forbes and PC World, the Wall Street Journal and Vice magazine were only the most recent victims of the same Russian hacker, a man who calls himself “w0rm.” This hacker also recently broke into CNET, with the same motive: selling user information from his own online store. His asking price for access to each of these companies’ databases? One Bitcoin, the digital cash currency that is currently valued at around $620US each.

To back up his statement, w0rm has posted screenshots of his handiwork to social media sites like Twitter and been found bragging on the site about his other cyber escapades.

But in this case, WSJ handled it correctly by taking down their systems the moment they learned about the breach. All too often, companies who’ve fallen victim to a hacker take weeks to investigate the issue before ever even telling their customers, the very people whose data was accessed. By then, the potential for serious damage has come and gone, and the victims were unaware that their sensitive and identifiable information had fallen into the wrong hands. This type of quick response from WSJ demonstrates that businesses are becoming more aware of the dangers of cybercrime, and have plans in place to respond.

A spokesperson for the newspaper has stated that there appears to be no threat to the WSJ’s customers; if anything at all, they believe the hacker seems to have only accessed the customers’ email addresses and blocked passwords. That wouldn’t be enough information for identity theft or other forms of fraud, but would make the overall databases valuable when sold to other hackers. These hackers then use those email addresses to distribute spam, malware, and viruses to a large user base, and they’ll happily pay people like w0rm for the privilege.

This is where the public comes in. By ensuring that they’re very careful with their online behaviors, users can help protect their computers and their accounts from harm if their information was sold.

First, making sure their anti-virus software is installed is only scratching the surface of protection. Those pesky little updates that request permission to run after the computer boots up are actually designed to block the most recent threats; these threats are created practically every day, so companies produce regular updates in response to new threats. By clicking out of the update without installing it, users are actually leaving their computers vulnerable to the latest hacking tools.

Also, smart users need to remember not to fall for emails that contain strange messages or links. Even emails that come from people they know could contain malicious links, since the hackers who purchase the names on the WSJ database will use those accounts to send spam to those individuals’ address books. The recipients of the resulting second-level emails will see a message that seems to have originated from someone they know, so they’re more likely to click on a harmful link.

Finally, users must remember to avoid clicking on popup messages that claim to clean up their computers or inform them that their computers have been infected. Those are typical adware and malware scams, and clicking on the button will only install and activate these harmful programs. As greater awareness of the risks associated with computer use spreads to various sectors, hopefully future cybercrimes will end the same way: with very little damage or inconvenience to the victims.

This blog is a part of the ITRC’s ongoing commitment to spreading knowledge and awareness of data breach issues.  This work would not be possible without the generous support of IDT911 and their commitment to keeping the public informed regarding this issue.  The ITRC Data Breach Report is available weekly and all information is free to the public.

Smaller businesses are at risk of ID-theft, but only a small percentage of them have policies and procedures in place to protect against online intrusions. Here are some tips to be prepared.

If a data breach can take down Target’s CEO and cost Target tens of millions of dollars (so far) and the bad guys can crack into eBay’s data as they did just days ago, isn’t this a big red flag of data danger to America’s backbone: small business? Hopefully, the answer is a resounding “yes,” because Symantec’s sobering “Internet Security Threat Report 2014” makes clear that the situation is fraught with danger. Symantec wrote, “Cybercrime remains prevalent as damaging threats from cyber-criminals continue to loom over businesses and consumers.” When we think of data-breach events, we often think of outside hackers. The Symantec Report said that “hacking was the leading source for reported identities exposed in 2013,” causing 34 percent of data breaches.

This means 66 percent of all data breaches were not related to hacking, with other causes of data breaches reported as accidental release of information (29 percent), theft and/or loss of computers and drives (27 percent), insider theft (6 percent), unknown (2 percent), and fraud (2 percent). Data breaches are a growing risk-management issue, maybe as important as, or more important than, traditional risk areas. Small- to medium-size businesses are at risk, just as large organizations are, with an ever-increasing volume of customer, employee, and proprietary information acquired and all very desirable to ID-theft criminals.

Yet only a small percentage of companies with fewer than 250 employees have policies and procedures in place to protect against online intrusions, according to a Symantec survey report released in 2013. Earlier this month, I spoke at the Police Officers’ Credit Union Conference in Las Vegas. In my remarks, I said that “no one company can ever prevent itself from experiencing a data breach and that education is the number one tool for protecting data.”

Here are my plan recommendations for the data breach that none of us wants:

1. Breach source. Determine the source and make sure the data compromise is isolated and access is closed. If you cannot determine the source of the breach, you should engage a forensic-investigation company, preferably one that is already familiar with your network topology and information-security and governance policies and procedures.

2. Breach assessment. Determine the scope of the data breach and the privacy and data-security regulatory requirements associated with the type of records for the states in which you conduct business.

3. Response plan. Include internal employee education and talking points, public-relations news releases, customer education and resources; the small business or consumer solution(s) to be considered; and the content and timely release of notification letters.

4. Protection plan. Include the small-business or consumer-protection services to be offered to the compromised record group and the confirmation of professional call-center and recovery-advocate support services.

5. Breach victim resolution plan. Provide access to professional certified identity fraud-recovery advocates that will work on behalf of the victims to mitigate and resolve the issues caused by breach.

Mark’s most important: Get serious about an advance plan for ID theft or a data breach or be prepared for fines, penalties, class-action lawsuits, brand damage and/or loss of revenue that may put your business seriously at risk.

Mark Pribish is vice president and ID-theft practice leader at Merchants Information Solutions Inc., a national ID-theft and background-screening provider based in Phoenix. Reach him at markpribish@merchantsinfo.com.

This article was originally published on AZcentral.com and republished with the author’s permission.

Once again, news has circulated of a missing laptop that may lead to the access of personally identifiable information for several thousand students in Massachusetts and Vermont. Unlike the recent Sterne Agee breach in which an employee’s laptop was simply lost, this incident involves the intentional theft of a laptop from the employee’s vehicle.

In this particular case, the billing company—New Hampshire-based Multi-State Billing Services—allowed a laptop computer containing the complete identities of almost 3,500 public school students to be taken from their facility. The laptop was later stolen, and despite the password protection to turn on the computer, the information it contained was not encrypted.

This information includes the names, addresses, birthdates, Social Security numbers, and Medicaid numbers of nearly three thousand students in grades kindergarten through twelve in nineteen different Massachusetts school districts, and more than four hundred students in Vermont schools. The information, presumably gathered to process reimbursements to schools whose special education students receive services that are covered under Medicaid, is not believed to have been the target of the theft, but rather the physical laptop itself.

And that’s what presents the problem. In cases of cyber crime or data breach, companies have long followed the protocol of informing the possible victims so they can take steps to protect themselves. Companies have even started purchasing insurance policies to cover the cost of cleaning up after a data breach and securing their clients’ information. Once hackers steal private information, the credit reporting agencies will freeze those customers’ accounts for free. But in the case of a stolen laptop that just happened to contain identifying information, the credit reporting agencies do not necessarily waive their fees to put a hold, freeze, or alert on someone’s account, especially a child’s.

One of the chief issues is that access was given to the information in the first place. It was the job of MBS to secure the laptop and the information, and certainly to encrypt the data, not just password protect the computer itself. It would be interesting to know why the laptop ever left the office in the first place and why it was left in someone’s car.

But parents also have to protect themselves and their children by remembering who is entitled to the information. While the school was billing Medicaid for legitimate services and using a widely known billing contractor to handle the paperwork, there is no clear connection between the Medicaid services and the Social Security numbers. The Medicaid numbers had to be provided, and it is possible that the Social Security number had to be given to the Medicaid office when the child was first signed up, but as far as the school or the service provider needing the SSN, there’s no clear reason for it.

Often, requesting a Social Security number is simply a holdover from the days when it was commonly used as an identification number. Now that the dangers of doing so have become clear, many organizations are turning away from the practice, especially considering it’s actually a violation of the Social Security system. The SSN is not to be used for identification or proof of citizenship, as those are not its intended purposes. Any organization which requests your number or your child’s number, without doing so for employment or taxation, is not necessarily entitled to it. Once a breach occurs, though, it’s important to follow through with the help that is offered. In this case, MBS is paying for up to three years of fees on the children’s credit reports, should the three different reporting agencies not waive the fees associated with freezing and unfreezing the reports.


Some customers of the financial planning and investment company Sterne, Agee, & Leach received an ominous letter in the mail this week. Apparently, sometime between May 29th and May 30th of this year, a data breach occurred within the company that resulted in the loss of customers’ personally identifiable information, data that included names, addresses, account numbers, and Social Security numbers.

How did this breach happen? The old fashioned way. Someone took a laptop home from work and lost it. While Sterne Agee has been able to figure out that the laptop has not been used to access the servers at their company headquarters where the rest of their customers’ data is stored, the information that was made available to anyone who finds the laptop is out there in the open, all because the customers’ personal information was stored on the laptop itself. So far, they haven’t been able to determine whether or not the laptop has been turned on, or whether the files containing customers’ private information were opened.

So what went wrong? How could the customers have prevented this personal data breach? The simple answer is, they couldn’t have. Short of doing research before signing up with Sterne Agee and finding out their corporate policies on employees being allowed to bring laptops home from the office—or other files, for that matter—the customers couldn’t have prevented their personal information from being shared.

Since customers cannot sign up to invest or save money that will earn interest without providing their full tax identities for reporting purposes, this is one of those times when handing over the Social Security number was required in order to do business. Also, this wasn’t a malicious hacking event or cybercrime that could have been prevented through better technology. It was a simple circumstance that has happened to all of us at one time or another.

The problem here is the non-compliance with best practices. It’s astounding that in 2014 many businesses and corporations still don’t have full safeguards in place. First, the laptop really shouldn’t have left the office, which does admittedly defeat the whole purpose of it even being a laptop. If there is actually work that needs to be done outside of the office or business that needs to be conducted on a portable computer, then the laptop should have been encrypted and it should never, ever store customers’ information. The problem in this scenario wasn’t that an employee took a computer out of the building and then lost it; that could have happened to anyone. For that matter, the computer could have been stolen right off the employee’s desk by a thief. The real problem is that the computer stores private information in the first place.

Fortunately for its customers, Sterne Agee recognizes the full potential of what harm this one event can cause. The letters that customers received about the breach provided step by step instructions for what action to take to protect themselves in the (hopefully) unlikely event that whoever has the computer now realizes what a goldmine he’s sitting on. The first step is to sign up for the credit monitoring services that Sterne Agee has agreed to provide. That membership will give the customers copies of their credit reports, will cause an alert to be sent to the members if any suspicious activity occurs on their credit, covers the members with $1 million worth of insurance for issues that stem from this breach, and more.

The letter also points out that customers need to stay on top of their credit reports and request further copies over a period of time; the reporting agencies and their addresses are provided in the letter for consumers’ convenience. Finally, the letter suggests taking steps that the ITRC has supported for quite some time, which is to put a fraud alert or even a security freeze on their credit files, which will thwart attempts to open new lines of credit or accounts.


Cellular and digital service provider AT&T has had to inform an undisclosed number of customers of a security breach in which three contracted workers accessed personally identifiable information. Apparently they were intent on finding the correct information needed to “unlock” cell phones, so one assumption from the company is that only customers whose phones have been stolen are under threat. These workers were authorized to access AT&T’s customer information, but not for these purposes.

AT&T is one cellular service provider that allows its customers to “unlock” their phones from AT&T’s network in order to switch to a new service provider. This is actually a very generous policy on the part of the phone company, because it means a customer whose service contract has expired is free to take his phone to another company without having to purchase a new one or sign a contract to receive a discounted phone.

However, in order to “unlock” his phone from the network, the customer must be able to provide all of his secure data to the AT&T representative who is assisting him. This prevents thieves from stealing a phone, calling the company to unlock it, and initiating service elsewhere.

The company believes the contractors were attempting to steal the necessary information to unlock previously stolen phones by looking up those specific customers’ accounts. Unfortunately, that information includes addresses, Social Security numbers, and more, so the threat of a full identity theft is still possible.

While the company has not announced how many customers this breach affected, California law requires a company to inform the state attorney general if the number is higher than 500, and AT&T has alerted the AG’s office of this breach.

The company mailed letters to the customers who may have been impacted by this, outlining the steps they should take at this point. Unfortunately, the breach occurred in April of this year, and while AT&T has not explained why it waited so long before informing the public, the affected customers will be granted one-year paid access to a credit monitoring service in light of the loss of personal information.

What makes this data breach most troubling is the exposure of Social Security numbers. While many of the breaches that have been making major headlines recently have a much larger number of individuals affected, this breach has the potential to be much more dangerous. Breaches where card information is exposed are annoying and can lead to financial identity theft and fraud, but once consumers know that their card has been, or has the potential to be, used fraudulently, they can cancel the card and get a new one.

When a Social Security number is exposed, there is the potential for serious identity theft to occur, including medical, governmental and criminal identity theft. These types of identity theft, along with the ability of identity thieves to continue to use the Social Security number to open up new lines of credit, are a lifelong problem, and a year of credit monitoring is not going to be sufficient to help victims who have their Social Security number used by identity thieves.

That being said, let’s hope that the purpose of these specific thieves was just to “unlock” cell phones and not something far more nefarious.

This blog is a part of the ITRC’s ongoing commitment to spreading knowledge and awareness of data breach issues.  This work would not be possible without the generous support of IDT911 and their commitment to keeping the public informed regarding this issue.  The ITRC Data Breach Report is available weekly and all information is free to the public.

It’s kind of melodramatic to say that identity theft isn’t a matter of if, but when, but watching news reports and talking to friends and family members who’ve fallen victim to a personal data breach can make it feel like that’s the case. Having a plan of action in place for a cybercrime or hacking event can help you feel like you know what to do should the seemingly inevitable actually happen.

For individuals and their personal data, your plan should involve knowing what to do to both prevent identity theft and recover from it quickly should it happen. Steps to prevent a data breach should include securing your accounts with strong passwords, changing those passwords frequently, safeguarding your information, and shredding sensitive documents before discarding them. You’re more likely to discover you were hacked in a timely fashion if you’re staying on top of the documents and reports that come to your house. Routine checkups on your credit report with the three reporting agencies can also help.

But what do business owners need to plan for? What are the steps you must take if your business is hacked, and you have vendors, suppliers, and customers all wondering if their sensitive information—which a hacker took control of through your company’s network and computers—is safe?

The first step is to take a multi-layered approach to your network security. Have you installed antivirus and antimalware software? Great! That’s only one layer, though. Do you have email scanning software to check incoming and outgoing emails for potential threats? Do you have web blocker capabilities that alert you if any of your computers is accessing a website that may be designed to steal data?

Next, you need working relationships in place with outside agencies who will help you in the event of a data breach. The time to learn the name of the agent or officer who can help you is not while the rest of your staff is fielding phone calls from your customers, all of whom are screaming that their accounts were hacked. Check in with different reporting agencies from time to time to make sure that your plan is up-to-date and that you’re aware of any new regulations or guidelines.

While you’re checking on your working relationships with these agencies, go ahead and put in a call or contact letter to your company’s attorney and get a checkup on your liabilities and the legal ramifications of a data breach. Again, this is not a step to take after the fact.

Finally, one of the most important things you can do is publicly acknowledge a breach as soon as you’re aware of it. Cybercrimes are a known and understood occurrence, and the public understands that hackers are very good at what they do. But the longer you sit on information, the more time identity thieves have to wreak havoc with your customers’ personal information. By immediately getting the word out, you’ll enable your customers and vendors to lock down their own personal data to prevent further damage. Keeping quiet about it will make you and your company look as though you had something to hide, which can have a lasting negative impact on your company.
