Data Breach Advice – What to Do

This page gives guidance on what to do in the event of being involved in a Data Breach. You may find out about involvement through direct contact from an organisation, from your Password Manager or as a result of a notification from a service such as Have I Been Pwned.

Data Breaches may contain personally identifiable information such as names, mobile phone numbers, email addresses, addresses, geo-location data, IP addresses, passwords used to access the site or service and financial data. Exact information in each record varies. It is important to note that even if a password was encrypted, once involved in a Data Breach it should be considered insecure and you should update that password everywhere it was used.


Emergency incidents

Should there ever be any event whereby lives or safety are at risk, please contact the Police by calling 999.

Non-emergency Cyber Incidents

Should there be a cybercrime linked to your online account(s), and/or associated fraud suspected to have resulted from the data breach, please report this to Action Fraud by calling 0300 123 2040. Action Fraud are the national fraud and cybercrime reporting centre for England & Wales.


Physical Security Advice

It is extremely rare that a Data Breach results in any kind of physical threat or danger. The original criminals who stole the data are often outside of the UK and have no interest in individuals in this way. However, this data is often sold or traded with other criminals. If you would like more advice on your physical security there is plenty of content at:

If you are a firearms or shotgun licence holder you should also consider the guidance and requirements associated with securely storing the weapon. For further advice and guidance, contact your local Firearms Licensing Team.


Cyber Security Advice

It may be tempting to search for and download a copy of the data from the Data Breach yourself for reassurance.

You are strongly recommended against doing this. Aside from ending up in possession of stolen data belonging to others, there are sometimes fake copies of such data circulating on the internet and dark web, containing malicious files (e.g. viruses) that can cause additional damage to your computer / network, online accounts and personal data.


Protecting Against Cyber Risks

Passwords

Passwords remain one of the greatest threats when it comes to cybercrime. Criminals commonly exploit passwords that are too short, as well as the re-use of the same password across multiple online services.

Reassurance is often given that passwords were ‘encrypted’, but encryption is not always a guarantee as some techniques are imperfect. The shorter the password the more likely it may eventually be breached. Consider even an encrypted password that has been stolen as no longer secure.

After Data Breaches, criminals will often try to access the email account involved using the password in the breach, before moving on to other online services.

Examples include banking, retail (e.g. Amazon, eBay, Netflix) and social media (e.g. Facebook, Instagram, Snapchat, Twitter) in the hope that the same email address and password combination will work because of password re-use.

As such, it is essential that users involved:

  • Change the password on the breached service – even if the intention is to never use the platform again – this ensures the account is secured.
  • Change the password on any other online services or websites where the same password is used, replacing it with another strong and unique password.
  • If not already doing so, start using a Password Manager to ensure that every online service used has a strong and unique password, to minimise risks.
  • Implement Two-Step Verification (2SV) or Two-Factor Authentication (2FA) on all online accounts where available (see below).

For more advice on how to implement stronger passwords, see the Passwords section on the South-East Cyber website.
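To find every account covered by the second step above, the sketch below audits a password-manager export for re-use of the breached password. It is an added example, not part of the original guidance; the CSV layout (`name`, `username`, `password`), the service names and the sample rows are all constructed assumptions, and real exports differ between products.

```python
import csv
import hashlib
import io
from collections import defaultdict

# Constructed sample export; the column names (name, username, password) are
# an assumed layout, real password-manager exports differ between products.
SAMPLE_EXPORT = """name,username,password
BreachedShop,alex@example.com,Summer2019!
Webmail,alex@example.com,Summer2019!
Bank,alex@example.com,k7#Vq9-long-unique-passphrase
Streaming,alex@example.com,Summer2019!
Forum,alex@example.com,horse-staple-orbit-42
PhotoSite,alex@example.com,horse-staple-orbit-42
"""

def _fingerprint(password):
    # Group by digest so plaintext passwords are never stored or printed.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()

def audit_reuse(export_text, breached_service):
    """Return (must_change, other_reuse).

    must_change: services sharing the breached service's password, with the
                 breached service first (it must be changed too).
    other_reuse: further groups of services that share a password with each
                 other, which should also be made unique.
    """
    groups = defaultdict(list)
    breached_fp = None
    for row in csv.DictReader(io.StringIO(export_text)):
        fp = _fingerprint(row["password"])
        groups[fp].append(row["name"])
        if row["name"].lower() == breached_service.lower():
            breached_fp = fp
    if breached_fp is None:
        raise ValueError(f"{breached_service!r} not found in export")
    shared = groups.pop(breached_fp)
    # Breached service first, then the rest in export order (sort is stable).
    must_change = sorted(shared, key=lambda n: n.lower() != breached_service.lower())
    other_reuse = [names for names in groups.values() if len(names) > 1]
    return must_change, other_reuse

if __name__ == "__main__":
    must_change, other_reuse = audit_reuse(SAMPLE_EXPORT, "BreachedShop")
    print("Change now (same password as breached service):", must_change)
    print("Also re-used elsewhere:", other_reuse)
```

A password-manager export is a plaintext file of every password, so run the check locally and securely delete the export as soon as it is finished.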


Two-Step Verification / Two-Factor Authentication

Current best practice and cyber security advice given globally to protect online accounts is to enable Two-Step Verification (2SV) or Two-Factor Authentication (2FA) for all accounts that support it.

Most people will now be familiar with 2FA as a result of online banking. When you try to log in on a new device, or set up a new payee, you are required to type a short code that is additionally sent by text message or through an app in order to do so.

2FA protects against losing control of online accounts. Even if criminals get hold of a username / email address and your password, they don’t have the code to access the account from their ‘new device’ without your mobile number or authenticator application.

It is an essential extra layer of security that can prevent a significant amount of personal cybercrime seen nationally.

One of the most critical accounts you have is your main, personal email address. This is where password reset requests for your other online accounts will come. If a criminal gains access to your email account, they can systematically request password resets for all of the accounts they find. 2FA will protect your email account. After this account, ensure the banking, retail and social media accounts are similarly protected.

If an account doesn’t support 2FA, seriously consider changing to a provider who does.

For more information on 2FA, please read the 2FA guidance on the South-East Cyber website.


Phishing

Individuals and organisations whose details have been included in data breaches are often at greater risk of being targeted with phishing. This is the sending of unsolicited messages by email, text message or even in telephone calls that try to trick you into doing something you shouldn’t – such as clicking on a link, opening a malicious document, filling in personal information on an online form or giving this information over the phone.

While most people are aware of mass phishing, which may be quite obvious, targeted phishing is sophisticated and involves a significant amount of psychological trickery.

Vigilance and cynicism are the best weapons against phishing. The common tactics used by criminals rely upon:

  • Authority – persuading you they are somebody such as the Police
  • Pressure – pushing you to do something in a hurry, so you don’t have time to think
  • Familiarity – telling you that you know the same person, or that you should know about the thing they are talking about – such as this data breach
  • Curiosity – relying on you being intrigued as to what they are talking about
  • Reward – pretending to give you something for free, or that they can help you resolve a problem
  • Knowledge – giving you a snippet of information they know from a data breach, such as your password, such that you think they have compromised your computer

Occasionally criminals impersonate the Police after an incident like this. There is no problem with being cynical and ensuring the identity of the person stating that they are Police is verified, before providing any information. If in doubt, contact the Police on the non-emergency number – 101.

You can help protect others by reporting phishing:

Forward emails to report@phishing.gov.uk

Forward text messages to 7726 (it spells SPAM on a keypad)

While updates are not provided about every report, the National Cyber Security Centre and other partners will act to take down websites and services associated with scams and phishing as soon as they can.


Privacy

Individuals often share varying amounts of their personal information online that can also assist cyber criminals. Social media companies encourage society to add as much information about themselves as possible. Unfortunately, criminals will use this information to target you by personalising phishing as well as guessing things like password reset answers.

Most social media services let you adjust, in the settings pages, what is openly shared with anyone who is not one of your connections / friends. Use guides from trusted partners like Internet Matters and Get Safe Online to maximise privacy settings.


Financial Risks

If the data breach involves sensitive personal or credit data, you should consider signing up for credit score alerts from free providers. This will let you know immediately if someone tries opening a financial account in your name. There are three credit agencies in the UK so you may need to sign up to more than one service to access the three credit scores:

Once active, CIFAS will place a flag alongside your name and personal details in their secure National Fraud Database. Companies and organisations who are signed up as members of the database will see you’re at risk and take extra steps to protect you, preventing fraudsters from using your details to apply for products and services.


Land Registry Property Alert Service

In very rare cases, fraudsters have managed to obtain a change in title deed for residential property. While we have no knowledge of any instances where this has come about after a Data Breach, this is another free protective service you may wish to register for:


For More Information

For more information about staying secure online, we have comprehensive guidance on personal cyber security on the South-East Cyber website:

The National Cyber Security Centre also have information on their Cyber Aware pages: https://www.ncsc.gov.uk/cyberaware/home