Skip to main content
Iowa Attorney General
Main Content

Data Breach Victim? It’s Personal (Info)!

There’s a pretty good chance that at some point you learned through a news story, letter, or email that your personal information may have been exposed through a data breach. Does it mean that someone stole what was supposed to be secure information about you? It depends on the circumstances of the breach--the data may have been stolen and used or sold by criminal hackers, maybe it was exposed and it’s not clear whether anyone else has it, or perhaps a laptop or flash drive containing the data was lost or stolen.

A data breach, also called a security breach, is any unauthorized acquisition of personal information. Personal information includes your Social Security number, driver’s license or unique government identification number, financial account number, credit or debit card number (including the card’s expiration date or other password or security code that would enable someone to access your financial account), and unique biometric data.

Under Iowa law, anyone who encounters a data breach that affects at least 500 Iowa residents must provide written notice to the Attorney General’s Consumer Protection Division Director within five business days after notifying affected people. The Consumer Protection Division posts these notifications at, under “For Consumers.”

If you’ve been notified of a data breach, the notice you receive should explain the general circumstances, exactly what personal information was exposed, and when it occurred. If you’ve been notified about a data breach:

  • Make sure the notification is legitimate. Be careful about look-alike notices, called phishing scams, which attempt to trick you into providing or “confirming” personal information, or try to get you to click on a link that will infect your computer with a virus. Best advice: if a company notifies you of a breach, don’t click on an email link or provide information through a reply email. Instead, go to that company’s known website. That will help you confirm the notice is legitimate. Assuming it is legitimate, you’ll get the information you need to know from the source of the breach notification.
  • Understand what has been exposed or stolen. If it was a password, you should change your password for that account and any others for which you use the same password (consider changing your user name as well). If it’s a credit card or debit card number, report it to the issuer so you can get a new account number and card. If it’s your Social Security number, notify one of the three major credit bureaus to place a free fraud alert on your credit file. Consider a credit freeze/security freeze, which restricts access to your credit report and makes it more difficult for criminals to open accounts in your name.
  • Notifications often include free credit monitoring offers for a certain period of time. A commercial credit monitoring service keeps tabs on your credit reports and alerts you to changes on your accounts, including anything suspicious. Keep in mind that once the free monitoring offer runs out, you will have to pay to continue the credit monitoring service.
  • You are entitled to a free credit report once every 12 months from each of the three major credit reporting companies (Equifax, Experian, and TransUnion).

If your identity has been stolen, you’ll find a road map to recovery at, and you’ll also find information at Click on “Consumer Tips & Information.”

Quick Exit
© 2022 State of Iowa Office of the Attorney General. All rights reserved.