What to do if your personal information was in a data breach

8 December 2023

On October 28th this year, the British Library suffered a serious cyber-attack by the ransomware group Rhysida. The attack took down the library's networks and online services, and some 890 million records of personal data were stolen and put up for sale.

This was one of 114 publicly disclosed security incidents in October 2023; a further 470 followed in November 2023.

In light of the British Library breach and the rising number of similar incidents, here is a simple guide to protecting your personal information online after an incident.

Be cautious of fake breach emails  

Organizations are obliged to notify users of a data breach if it is likely to adversely affect their rights and freedoms. Some bad actors exploit this and send phishing emails disguised as breach notifications.

Always verify that the data breach actually happened, and check the email for signs of phishing, such as:

  • A suspicious sender address

  • It comes from a service you never signed up for

  • A sense of urgency to take action, such as opening a link to change your password
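The checklist above can be turned into a small screening routine. The following is an added example, not code from the original article: it parses a message, compares the sender and link domains with the domain of the service the reader actually uses, and looks for urgency wording. The two sample emails and every address and domain in them are constructed for the example (the `.example` TLD is reserved and never resolves).

```python
import re
from email import message_from_string
from email.utils import parseaddr
from urllib.parse import urlparse

# Constructed sample: a fake "breach notification" that names a library but is sent from an
# unrelated domain, pushes an urgent password reset and links to yet another domain.
SAMPLE_PHISHING_EMAIL = """\
From: "Library Security Team" <alerts@library-security-notice.example>
To: reader@example.org
Subject: URGENT: your account was exposed in a data breach

Your data was exposed. You must change your password within 24 hours:
http://library-account-reset.example/login
"""

# Constructed sample of what a genuine notification from the same organisation might look like.
SAMPLE_GENUINE_EMAIL = """\
From: "Library" <noreply@library.example>
To: reader@example.org
Subject: Information about a security incident

We are writing to let you know about a security incident affecting some user records.
Details and guidance are published at https://www.library.example/incident
"""

URGENCY_PHRASES = ("urgent", "immediately", "within 24 hours", "you must", "act now")


def registered_domain(host: str) -> str:
    """Crude organisation-level domain: the last two labels of a hostname
    (good enough for the example; production code would consult the Public Suffix List)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else host.lower()


def phishing_indicators(raw_email: str, expected_domain: str) -> list[str]:
    """Return the checklist signs that this message exhibits (empty list = none found).

    expected_domain is the domain of the service the reader really signed up with; the
    message claims to speak for that organisation, so everything should point back to it."""
    msg = message_from_string(raw_email)
    body = msg.get_payload()
    findings = []

    # Suspicious sender address: the From: domain is not the organisation's own.
    _display_name, address = parseaddr(msg.get("From", ""))
    sender_domain = address.rpartition("@")[2]
    if registered_domain(sender_domain) != registered_domain(expected_domain):
        findings.append(f"sender domain {sender_domain!r} does not belong to {expected_domain!r}")

    # A sense of urgency to take action.
    text = (msg.get("Subject", "") + "\n" + body).lower()
    hits = [p for p in URGENCY_PHRASES if p in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))

    # Links ("change your password here") that lead away from the organisation's domain.
    for url in re.findall(r"https?://[^\s<>\"']+", body):
        link_host = urlparse(url).hostname or ""
        if registered_domain(link_host) != registered_domain(expected_domain):
            findings.append(f"link to unrelated domain: {url}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phishing", SAMPLE_PHISHING_EMAIL), ("genuine", SAMPLE_GENUINE_EMAIL)):
        print(label, "->", phishing_indicators(sample, "library.example") or "no indicators")
```

The "service you never signed up for" sign is the same comparison run against the list of domains you hold accounts with: a sender domain that is in none of them fails the check. None of these heuristics proves a message is safe; a clean result only means the obvious signs are absent, and the safe route remains to go to the service's website directly rather than through the email's links.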

Identify what type of data was stolen 

If you received a legitimate email notifying you of a data breach, do not ignore it! Read it carefully to identify what kind of data was leaked. This could be your email address, postal address or telephone number.

In some cases it is more serious, such as your debit or credit card details. In that case, contact your bank to notify them of the breach and freeze your card. If you lost money, you can also report it as a crime to Action Fraud, the UK's reporting centre for cybercrime.

Secure your logins 

If you signed up for the breached service, you should also change your password for that service immediately. Passwords are not stored in plain text in databases, but once the stored form is leaked, attackers can use computing tools to recover weak passwords from it offline.

Set a strong, unique password that you have not used for any other service. This is particularly important because if you reuse passwords, a single breach is enough for bad actors to gain access to every other account that shares that password.

Requirements for a strong password are:

  • 10 to 12 characters minimum

  • Use of uppercase and lowercase letters and special characters

  • Example: m#P52s@ap$Vi

  • Alternatively, consider the NCSC's three random words approach, e.g. RiskyRedWillow!457

Additional proactive measures  

  • Check whether your email address or password has appeared in a data breach at https://haveibeenpwned.com.

  • Practice cyber hygiene and reduce your digital footprint by deleting accounts you do not use and resetting passwords periodically.
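Have I Been Pwned's password check is worth understanding, because it lets you test a password without ever sending it to the service. The following is an added example, not code from the original article or from Have I Been Pwned: it implements the k-anonymity scheme the Pwned Passwords range API uses (hash the password with SHA-1, send only the first five hex characters, and match the rest of the hash locally against the returned list). The range response embedded below is constructed for the example; apart from the first suffix, which is the real SHA-1 suffix of the word "password", the suffixes and all counts are made up.

```python
import hashlib
import urllib.request

PWNED_RANGE_URL = "https://api.pwnedpasswords.com/range/"   # Pwned Passwords range endpoint


def split_sha1_for_range_query(password: str) -> tuple[str, str]:
    """Hash the password with SHA-1 and split the hex digest into the 5-character
    prefix that is sent to the API and the 35-character suffix that stays local."""
    digest = hashlib.sha1(password.encode("utf-8")).hexdigest().upper()
    return digest[:5], digest[5:]


def count_in_range_response(suffix: str, response_body: str) -> int:
    """Parse a range response, one 'SUFFIX:COUNT' per line, and return how many
    times our suffix was seen in breaches (0 if it is not listed)."""
    for line in response_body.splitlines():
        found_suffix, sep, count = line.strip().partition(":")
        if sep and found_suffix.upper() == suffix.upper():
            return int(count)
    return 0


def fetch_range_online(prefix: str) -> str:
    """Fetch the range for a prefix from the live service (only the prefix leaves the machine)."""
    with urllib.request.urlopen(PWNED_RANGE_URL + prefix, timeout=10) as resp:
        return resp.read().decode("utf-8")


def times_pwned(password: str, fetch=fetch_range_online) -> int:
    """How many times the password appears in known breaches; fetch is injectable for testing."""
    prefix, suffix = split_sha1_for_range_query(password)
    return count_in_range_response(suffix, fetch(prefix))


# Constructed sample of a range response for prefix 5BAA6 (the prefix of "password").
# Only the first suffix is real; the other suffixes and every count are invented.
SAMPLE_RANGE_RESPONSE = """\
1E4C9B93F3F0682250B6CF8331B7EE68FD8:9545824
1E2AC3D9F4B7C8E0F1A2B3C4D5E6F7A8B9C:3
1F00112233445566778899AABBCCDDEEFF0:1
"""

if __name__ == "__main__":
    # Offline demonstration with the constructed response; omit fetch= to query the live API.
    offline = lambda prefix: SAMPLE_RANGE_RESPONSE
    for candidate in ("password", "RiskyRedWillow!457"):
        print(f"{candidate!r} seen in breaches: {times_pwned(candidate, fetch=offline)} times")
```

The property worth noticing is that the server learns only a 5-character prefix shared by hundreds of hashes, so it cannot tell which password you checked, while you still get a definitive answer. A count above zero means the password is in attackers' cracking lists and should be retired even if it looks strong. The email-address check on the site works differently (it searches breach records by address) and is done through the website itself.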