64% of Americans Don’t Know What to Do After a Data Breach — Do You? (Survey)

We surveyed Americans to gauge their data breach literacy including awareness and how to respond — see how you data breach literacy stacks up.
Rob Sobers
5 min read
Last updated October 14, 2022

America’s literacy rate is 86% (which is not the best), but the data breach literacy is even worse. The majority of Americans don’t know what to do if they are affected by a breach. Even worse, most have never checked to see if their data was compromised during one of the many major data breaches in recent years.

This can lead to huge financial consequences. If stolen data is used to compromise your identity, your credit score and finances can suffer damage that makes it difficult to get loans, purchase a home or reach other financial milestones and needs.

Get the Free Essential Guide to US Data Protection Compliance and Regulations

We ran a survey to gauge America’s literacy rate by asking questions about awareness and response knowledge. Below we’ll explore the survey findings. We also have some tips for becoming well-versed in data breach protocol, steps to take to keep your identity and information safe, and steps that companies can take too.

Ignorance Is Bliss? 64% Have Never Checked to See If They Were Affected by a Breach

The average American spends three hrs on their phone daily but only 64% have taken three minutes to check if they were affected by a breach (visualization in a piechart)

After surveying 1,000 American adults, we found that 64% have never checked to see if they were affected by any of the major data breaches. This is alarming news when coupled with the fact that billions of people are affected by cyberattacks and breaches each year.

Billions of accounts were compromised in breaches in 2018 and 143 million Americans were affected by the Equifax breach in 2017 alone. Not every consumer is always affected, but it’s good practice to keep tabs on our personal data and to regularly check if our information is at risk. So, how should you go about doing that?

Most people have little understanding of the severity of breaches, how to check their status, or what steps to take if their data was affected. Collectively, Americans spend around three hours on their phones each day, 1.25 hours of that on social media. If more people knew that it only took a couple of minutes of that time to check their status, the breach literacy rates could greatly increase.

56% Don’t Know What Steps to Take if They Were Affected

Our surveys showed that in the event of a data breach

Our surveys showed that in the event of a data breach, 56% of Americans wouldn’t know the steps to take in response. That means only 44% of Americans know how to respond in the event of a data breach. If you’re part of this 56%, don’t worry. We explain what to do below.

  1. Verify

The first step is to verify your exposure. Please do not enter personal information (SSN, DOB, email or phone number) on just any site claiming to be a breach check site.

Troy Hunt’s website – Have I Been Pwnd – is a safe and effective way to check if your personal data has ever been stolen or if your data is involved in a recent breach. All you have to do is enter your email address and the site will tell you when and how your data has been stolen, and give you details on what to do about it.

Check out our free security training videos and our web security fundamentals course taught by Troy Hunt, himself.

Once you have verified you are part of a data breach, you can research the resources provided by the breached company to see what protections and compensation they provide.

Be careful – hackers will take advantage of the panic caused by a data breach to target those who are worried and not paying attention — usually to bait them into clicking a malicious link. Be wary of emails that ask you to click on any links. Hackers can pose as an employee or company by using fake email addresses, logos and more to trick you into clicking ransomware or malware.

  1. Protect

Once you’ve verified that your information was affected, follow safety and security instructions provided by the company’s security team. This usually includes changing your password immediately on the breached site and any other sites where you’ve used the same password (or a similar one).

If any financial (credit or debit card numbers) or sensitive information was stolen, notify your bank or credit union immediately. After that, you should freeze your cards and credit reports. Or if you know with certainty that those card numbers were exposed, you should immediately cancel the affected cards.

  1. Monitor

Keep close tabs on your credit and financial activity to ensure you can catch any unusual activity. Credit report institutions will allow you to freeze your credit report. Many institutions can also apply extra security measures that require you to be contacted by phone for confirmation before new accounts are opened in your name. This added layer of security would help thwart someone who stole your identity from ruining your credit. Financial institutions also have additional security layers that they can add to your account. Give them a call to see what they can offer.

data breach literacy illustration of consumer defense tips

Lack of awareness is likely the reason more people don’t understand breaches. After all, breached companies provide plenty of information about the incidents on their websites. If you ever have trouble finding the information or the business in question hasn’t put up an official page, reach out to their privacy team. Please note that you should never write sensitive information in an email or form not designated by the site as an official way to check your data breach status.

Below are some recent data breaches and information about how to see if you’re entitled to compensation. If you suffered serious damage from a breach, seek legal counsel as it may be better for you to withdraw from the class-action suit and pursue action on your own.

Equifax Breach

If affected by the Equifax breach (July 2017) you are owed anywhere from five years of free credit reporting or $125 to $20,000 in cash, dependent on damages sustained from the data breach. According to the FTC, consumers have until January 22, 2020 to claim their settlement. Check the official Equifax settlement site to see if you were affected and entitled to compensation.

Yahoo Breach

The Yahoo data breach settlement for the 2013–2016 breach has been reached. Their official Yahoo settlement site states that you could be entitled to $100–$358 or credit monitoring services should you prefer that. If you had any sort of Yahoo account from January 1, 2012 to December 31, 2016 and “are a resident of the United States or Israel, you are a ‘settlement class member.’” To receive your settlement, you must file on their official site before their July 20, 2020 deadline.

Capital One and Marriott Breaches

These breaches are in the early stages of settlement. If you were affected, consider seeking legal counsel or keeping tabs on the class-action suits being brought against Marriott and Capital One.

An Organization’s Responsibility

data breach literacy illustration of tips to lessen the damage of a breach

While the thought of dealing with a data breach is terrifying to business owners, acting quickly and with care for the consumers can minimize the damage to your business’s reputation. A simple phishing attack can give a malicious attacker an in to access sensitive files. As an organization that stores personal data, it’s imperative to be able to detect threats inside your perimeter.

Prevention is the first step. But since prevention isn’t always enough, having and executing a response plan is imperative. There are a variety of new privacy laws that set parameters for responding to data breaches, like CCPA and GDPR. It’s important to seek legal counsel to ensure that your business protocols, policies and response plan is compliant. Below are some tips to set you on the right path, see these cybersecurity tips for additional insights.

  • It’s crucial that organizations know which sensitive data they have, where it’s located and who has access to it
  • Eliminate stale or unnecessary data, especially files containing sensitive information
  • Only grant employee access to information that’s necessary for their job position, also known as Role-Based Access Control (RBAC)
  • Set expiring passwords and accounts
  • Revoke employee privileges if they leave the company
  • Ensure software is kept up-to-date
  • Monitor for internal and external threats
  • Stay up to date on the latest scams, tactics and malware
  • Communicate with your team and report any breaches or compliance infractions promptly to the proper agency
  • If a breach or leak does occur, recover and secure any compromised data

The unfortunate reality is that data breaches are going to be a problem for the foreseeable future. If organizations and consumers act quickly in the moments following a breach, it can have a great impact on reducing the damages sustained from the attack.

Of course, this responsibility falls on the shoulders of the company controlling and storing the data. But consumers should proactively protect themselves as well — as we’ve seen organizations don’t always act responsibly. It’s important to stay educated and up to date on the latest malware, scams and tactics to keep your data secure and safe.

Try our free data risk assessment to see where vulnerabilities lie in your organization — check out the video below to see how the process works.



This study was conducted using Google Surveys. The sample consisted of no less than 1,000 completed responses per question. Post-stratification weighting has been applied to ensure an accurate and reliable representation of the total population. The survey ran during October 2019.

What should I do now?

Below are three ways you can continue your journey to reduce data risk at your company:


Schedule a demo with us to see Varonis in action. We'll personalize the session to your org's data security needs and answer any questions.


See a sample of our Data Risk Assessment and learn the risks that could be lingering in your environment. Varonis' DRA is completely free and offers a clear path to automated remediation.


Follow us on LinkedIn, YouTube, and X (Twitter) for bite-sized insights on all things data security, including DSPM, threat detection, AI security, and more.

Try Varonis free.

Get a detailed data risk report based on your company’s data.
Deploys in minutes.

Keep reading

Varonis tackles hundreds of use cases, making it the ultimate platform to stop data breaches and ensure compliance.

Dropbox Sign Data Breach: What You Need to Know
Dropbox Sign's recent data breach highlights how non-human identities are driving more profound breaches.
Analyzing Company Reputation After a Data Breach
Does a data breach affect how your customers see you? Take a look at what Americans think as we dive into the relationship between breaches and reputation.
Data Breach Definition by State
State governments are becoming more aware of PII and PHI data breaches, how about your state? See how PII is protected per state with our primer on US State Data Breach Law Definitions.
GDPR Data Breach Guidelines
Index Personal Data Breach vs. Reportable Breach Notifying the Regulators Breach Notification and Ransomware Individual Reporting Breach Notification in Phases Notification Details This Is Not Legal Advice The General Data...