What to do if you get a data breach notice from Conduent or another company

If it feels like data breach letters are arriving more often than junk mail, you're not imagining it. 

A new report from the Identity Theft Resource Center says data breaches hit a record high last year, but many of the notices consumers receive still lack clear guidance on what to do next.

A survey from the ITRC found 80% of U.S. consumers received at least one data breach letter in the past year. 

For many, the repeated alerts create a sense of helplessness. But James E. Lee, the ITRC's president, says consumers still have power to protect themselves — even if their information has already leaked.

"It seems like it is a situation where you just want to throw up your hands, but it really isn't," Lee said.

While you can't reverse a breach, Lee says you can limit what criminals are able to do with your information.

Read the letter

While you might be inclined to just toss it aside, Lee says the notice may contain important details about what was exposed and what the company is offering to help protect you. Many businesses provide free identity protection or credit monitoring, and consumers won't know about it unless they read the letter.

However, he notes that not all notices are equally helpful. Some include specifics; many don't.

Freeze your credit

Lee says the single most effective action consumers can take is to freeze their credit.

"Monitoring is great, it tells you what happened, but it doesn't stop anything," he said. "A credit freeze does. It's easy, you can do it online, and it takes less than two or three minutes."

He also urges parents to freeze their children's credit, calling minors "just as at risk" as adults.

Change your passwords and don't reuse them

Lee recommends updating passwords on any affected accounts and adopting passkeys, a newer login technology that can't be stolen in a breach because it's not stored on a company server.

Passkeys, Lee says, could eliminate "an entire class of data breaches" tied to stolen logins.

Calls for more transparency 

Pennsylvania, New Jersey and Delaware all require companies to notify consumers after a cyberattack. But the Identity Theft Resource Center says state laws need to go further — mandating that companies disclose how a breach happened, what information was exposed and what steps are being taken to prevent it from happening again.

Lee said that notices often arrive months late, sometimes long after criminals may have already misused stolen information. He cited the recent data breach involving Conduent, a company that handles payment processing for state governments and major health insurance providers. While the incident was first disclosed last April, some impacted individuals are only now receiving notices in the mail.

CBS News Philadelphia consumer reporter Josh Sidorowicz was among those who received a notification in the mail from Conduent last week.

The company now says the names, Social Security numbers and medical information of more than 25 million people were compromised.

In a statement to CBS News Philadelphia, a Conduent spokesperson said, "From the outset of this incident, we acted promptly and in alignment with incident response protocols to contain and investigate the issue. We engaged leading third party cybersecurity experts, disclosed the incident through an 8-K filing, notified clients and relevant authorities, and worked to support those impacted by the event, including most recently sending notifications on our clients' behalf. To date, there is no evidence that any underlying data has been misused, posted, or made publicly available, and we continue to monitor closely."

Looking for help with a consumer issue? Click here to submit your complaint to In Your Corner.