Company payroll info got hacked - now what?
March 24, 2016 11:07 AM

So my company got hacked via spoofed email, and information stolen included names, addresses, SSNs, wage info, and withholding info. On a scale of 1 to Trump/Palin Victory, how panicked should I be right now? And what should I be doing? My bank (USAA) is pretty good about monitoring fraud, and I only have one other credit card. I check my credit reports regularly. Should I be changing every password I have and requesting new credit cards automatically; not worrying about it; something in the middle?

The company is "currently researching available identity-theft protection." I believe that they're taking it seriously, but is there something else I should be pushing for?
posted by Etrigan to Work & Money (13 answers total) 2 users marked this as a favorite

You might consider a security freeze on your credit, which prevents anyone from pulling your credit report and thus should make it difficult for anyone to open new credit lines in your name.
posted by enn at 11:13 AM on March 24, 2016


I'd put a freeze on my credit report, mainly because whoever this is has everything they need to apply for a loan in your name. I wouldn't change passwords immediately for this (you should be changing them regularly anyway.)
posted by SMPA at 11:13 AM on March 24, 2016


Change passwords if the stolen data included accounts that required a password.

If credit card numbers were in the data, tell the issuers what happened and request new cards and new account numbers.

You can ask the credit agencies to configure your accounts such that any attempt to establish a new line of credit -- get a loan, get a credit card, etc. -- in your name will be suspended pending contact with you to verify you, not an identity thief, made the request.
posted by justcorbly at 11:19 AM on March 24, 2016


I agree to freeze your credit. I would add that if you do not have 2 step authentication on your accounts that have personal information, to the extent you can, add it. Mostly, it is a one time hassle but adds another layer of protection against hackers. Only necessary to request new card #s if they have your current card #s, but I doubt payroll had that in its database. I would alert my bank and ask them for advice if you have direct deposit and the file stolen has your ABA # and account #. You want to avoid them making ACH payments to themselves.
posted by AugustWest at 11:44 AM on March 24, 2016


Please use the opportunity to raise hell with your Congresscritters about the fact that so little information is required to commit identity fraud. You can and should monitor your credit report but the only real solution will come about when the legal liability is put on lenders.

Nthing locking your credit.

Consider checking the password reset mechanisms of your financial accounts. Most have gone to something reasonable that would require also getting into your email, but a few still might allow resetting it with just your account name and last four of your social.
posted by Candleman at 11:50 AM on March 24, 2016


I can't tell you how many times my data has been hacked like that. Your company will pay for freezing your account and for credit monitoring; I suspect that they even put that in your notification email.

I'd say it's about a two. No big deal, mildly inconvenient.
posted by Ruthless Bunny at 11:52 AM on March 24, 2016


Apparently this has been a common attack happening recently and Reddit's /r/personalfinance has had several threads on it recently. This one was from two days ago and it has a lot of great information such as remembering that your company is looking out for their own best interests, not yours. So keep that in mind when they ask you to sign anything.
posted by Deflagro at 11:52 AM on March 24, 2016


I would change any password you used in a compromised system, and if one of those passwords is for an email account, any password that can be changed using that email. It's probably not a bad idea just to change everything. Since you'll be doing that, it's also a good time to switch to a password manager if you don't already have one. I use LastPass but there are many options these days.
posted by feloniousmonk at 12:05 PM on March 24, 2016


Monitor your cellular account, if you have one. Oftentimes purchases and changes to your plan (billed to you but mailed anywhere the scammer requests!) can be made with just your cellular number, name, and the last 4 digits of your social (they don't even need the whole thing), right over the phone.
posted by blue suede stockings at 12:07 PM on March 24, 2016


Along with your credit freeze, if you haven't filed your taxes for 2015, do so as soon as possible.
posted by ldthomps at 12:38 PM on March 24, 2016


The reddit identity theft wiki has a list of steps to work through.
posted by caek at 1:10 PM on March 24, 2016


Idthomps is right, if you haven't filed your taxes get that done ASAP. Part of the reason that data thieves seem to be going after withholding and such in addition to more typical identity theft data is to commit tax return fraud. I've read more than one account where people went to file their taxes this year and the IRS told them their returns had already been filed.
posted by i feel possessed at 5:35 PM on March 24, 2016


Data point from someone who went through identity theft: Unless you are 150% positive you will not be, or need to be, applying for new credit / moving / etc. anytime in the next few years, I would opt for a fraud alert on your file instead of a complete freeze. There's a distinct difference, and a complete freeze is a complete pain in the ass to deal with if you should ever need to have a third party look into your credit or when you want or need the freeze removed. Yes, there are supposedly options where you can manage those things by getting PINs that lenders can use, etc. but in my experience, none of them worked. I ended up having to snail mail heaps of documentation and waiting two or three weeks to get it removed. YMMV.

With a fraud alert, you still won't be able to get instant online approvals and the like, but a simple phone call is usually all it takes to proceed with your activity. It should be sufficient enough to cover all but the very worst cases of ID theft which it doesn't sound like you have.

Also make sure that when you place a fraud alert / freeze that you explicitly specify the phone numbers you want to be contacted at for verification.

Nthing filing your taxes asap if you haven't already.
posted by SquidLips at 10:11 AM on March 25, 2016

