Your Data Was Breached. Here Is What to Do Next.
You get an email from a company you deal with. Someone has accessed their systems and your personal information was exposed. Maybe it is a bank, an online account, a government agency. You did nothing wrong, but now your name, contact details, or financial information is out there. It is an unsettling feeling, and most people do not know where to start.
The breach itself is not in your hands. But what you do in the hours and days after it matters. Acting quickly reduces the window criminals have to use your information. Doing nothing - or waiting - is when real damage tends to happen.
The first thing to do is change your password for the service that sent the notification. Then think about whether you use that same password anywhere else. Most people do, and that is exactly what criminals count on. Change those too. A password manager makes this far less painful - you create one strong master password and it handles everything else.
Once passwords are sorted, turn on multi-factor authentication (MFA) for the breached account if you have not already. MFA means that even if someone has your password, they still cannot get in without a second verification step - usually a code sent to your phone or generated by an app. Enable it everywhere you can.
Read the breach notification carefully. It should tell you what type of information was exposed. That shapes your next steps. If payment details were involved, contact your bank straight away and ask them to issue a new card. You are not automatically liable for fraudulent charges if you report it promptly, but the sooner you act the better. Keep an eye on your accounts over the following weeks and flag anything that looks wrong.
If personal identification information was exposed - things like your IRD number, date of birth, or address - consider placing a credit freeze with credit reporting agencies. This stops anyone from opening new credit accounts in your name while the freeze is in place. You can lift it yourself when you need to apply for credit. It is also worth checking whether your personal details have surfaced on the dark web, which can happen weeks or months after the original breach.
Expect an increase in phishing attempts after a breach. Criminals buy and sell breached email addresses, and they will use what they know about you to make fake emails look convincing. Be more sceptical than usual about unexpected emails, even ones that look like they come from familiar senders. Go directly to websites rather than clicking links in emails. If something feels off, trust that instinct.
Keep your devices and software up to date. Most successful attacks do not exploit exotic weaknesses - they take advantage of known vulnerabilities that were never patched because updates were skipped. Operating systems, apps, browsers, and the firmware on routers and printers all need regular updates. Automating this removes the effort. It is also worth understanding that the consequences of a breach can continue long after the incident itself, which is why ongoing vigilance matters.
If you want to report a breach or get guidance specific to New Zealand, CERT NZ is the place to start. For privacy breaches involving personal information, the Office of the Privacy Commissioner also has guidance on what your rights are and what the business that was breached is required to do under the NZ Privacy Act 2020.
For your business, a breach involving client data carries its own obligations. If you are not sure whether your current setup gives you enough visibility into threats - or whether a breach at a third party could ripple into your own systems - that is worth getting looked at. There are also practical steps practices can take to reduce the damage when a breach does occur. ITstuffed works with professional services businesses across Canterbury to close the gaps before they become incidents.
ITstuffed offers a 15-minute IT Fit Check if you want a quick read on where things stand. Book one at itstuffed.co.nz/booking.