Citi Hack Attack: 6 Things You Must Do Now

Last Updated Jun 9, 2011 3:12 PM EDT

Even if you don't have a credit card with Citibank, their latest security breach that exposed personal information about some 200,000 customers should serve as a warning.

As the world becomes increasingly electronic, the exposure of your personal data becomes ever more likely. In fact, in the past year and a half alone, reported security breakdowns at credit card companies, doctors' offices and retailers have put more than 34 million individuals at risk, according to the Privacy Rights Clearinghouse. Since 2005, some 533 million personal records have been exposed -- enough to expose every adult American to identity theft twice.

If your personal information has been exposed, you need to act quickly to protect both your money and your credit. Here are the six things you need to do.

Determine the type of breach: Find out exactly what data was exposed -- was it credit card numbers, Social Security numbers, passwords or email addresses? Each answer suggests a different course of action.

Establish a fraud alert: If your Social Security number was stolen, you need to immediately call the three major credit reporting bureaus and place a fraud alert on your file. (If you don't think you'll want to apply for credit in the near future, you might even place a "freeze" on your file, which precludes the possibility of anyone opening credit in your name.) The fraud alert requires that you be contacted before any company provides new credit on your account. (It's wise to put your cell number as the contact, just in case you want to get instant credit at a retailer while the fraud alert is in effect.) The numbers to call to establish a fraud alert:

  • Equifax: 888-766-0008
  • Experian: 888-397-3742
  • TransUnion: 800-680-7289

Watch your statements: Citi's data breach apparently exposed some 200,000 credit card numbers and email addresses, but did not expose these customers' Social Security numbers or security codes. Nonetheless, a credit card number is often enough to make purchases, so anyone notified of the breach needs to be meticulous about checking their monthly statements. If you see an unfamiliar charge, call and find out what it is. If it's not yours, report it immediately.

If your credit card doubles as a debit card, be even more diligent with your bank account, checking it daily to make sure it's not drained before you get a statement. Your liability for fraudulent charges is limited with both credit and debit cards. But it can take time to get a bank to restore funds in your bank account, and that can cause real problems for you in the interim. (See the Dangers of Using a Debit Card.) So watch carefully and act promptly.

Beware "spear" phishing: The Citi crooks got names and email addresses, so victims can expect sophisticated phishing attacks that use your name, your credit card number and your email in an effort to get you to expose more personal information. Do not reply to any email requesting "verification" of your account. If you think the bank is legitimately contacting you, contact them directly using the contact information on the back of your card. DO NOT CLICK THROUGH AN UNSOLICITED EMAIL. You may know not to fill in personal data when you've been directed to a site from an unsolicited email, but you may not realize that simply visiting some sites can open your computer to malware that collects and stores your passwords and account numbers.

Get your credit report: You have the right to one copy of your credit report each year from each of the three major credit bureaus. That means you can get a credit report every four months, if you want to.

If you've never been a victim of a security breach, getting a report once annually is plenty. But if you're at risk, put it on your calendar to request these reports once every four months. Get the free report at To get them every four months, you'll need to pay attention to which company provided the previous reports, requesting first from, say, Equifax, and then moving through to Experian and TransUnion over the course of the year.

Review and correct: Innocuous inaccurate information -- things like the wrong credit limit, or a closed account showing as open -- isn't necessarily a warning sign, but it still should be corrected. Write the correction in the margin and send it back with a note saying you'd like a new report as soon as the item has been fixed.

But if you detect warning signs of identity theft, you'll need to do more. What are the red flags?

  • An unfamiliar home address
  • Credit listed on the report that you've never had
  • Inaccurate names or permutations of your name
  • Another Social Security number connected to your account (that does not belong to your spouse)

If any of these items appear on the credit report, report the fraud to the credit bureau, the credit issuer (if applicable) and the police.

Kathy Kristof is the author of Investing 101 and a contributing editor at Kiplinger's Personal Finance magazine.