You look at your credit card statement and find a customer service number. You call that number, tell them about the email, and ask if it's legit. You don't do this on the web or through any link in the email, as phony emails link to phony sites. If the credit card company verifies that the email is legit, you make your own decision. If the email was not legit, your CC company is likely to thank you for bringing it to their attention.
You could also just ignore the email. If the breach was legit, most credit card companies I know of will follow up with something in writing. Email just gets the message out more quickly. You can wait to see if you get a letter.
Check the terms of service for your CC. Some offer automatic monitoring for fraud and some sort of protection from identity theft.
Fraudsters thrive on creating panic. Don't panic.
I received an email about a data security incident from a website I purchased from before. This is a part of the email (XXXX is the last 4 digits of my card number).
We are writing to inform you of a data security incident that may have exposed some of your personal information. We greatly value your business and take the protection and proper use of your information very seriously. For this reason, we are contacting you directly to explain the circumstances of the incident.
We recently discovered that we have been the victim of a data security incident that began in April 2015, during which personal, private and unencrypted credit/debit card information may have been exposed to an outside party and compromised.
We are reporting the incident to the appropriate state agencies and federal authorities for investigation. Our notification has not been delayed as a result of any law enforcement investigation.
What information was involved?
The potentially compromised information may have included your name, shipping address, billing address, credit card security code and/or credit/debit card number ending in XXXX. Compromised information could reasonably be used to attempt fraudulent credit/debit card purchases. Please note that we do not obtain Social Security numbers from our customers, so the potentially compromised information does NOT include your Social Security number.
What we are doing.
We take the protection of personal information very seriously and sincerely apologize for any inconvenience experienced as a result of this incident. We want you to know that we have determined the cause of the incident and are taking immediate actions to prevent future incidents of this nature.
Upon learning of the incident, we immediately retained two top-rated, certified independent investigation teams to separately analyze the intrusion and to assist us in preventing future threats. We continue to use the results of their investigations to implement any needed changes, and will continue to conduct regular assessments of our system to ensure its security.
To help relieve concerns and restore confidence following this incident, we have also secured the services of Kroll to provide identity monitoring at no cost to you for one year. Kroll is a global leader in risk mitigation and response, and has extensive experience helping people who have sustained an unintentional exposure of confidential data. Your identity monitoring services include Credit Monitoring, Identity Consultation, and Identity Restoration.
Then they provided the information for me to enroll in Kroll. However, Kroll requires me to put my SSN in. What should I do? Should I use Kroll, providing my SSN? Is Kroll trustworthy?
I checked my bank statement, and there was no fraudulent transaction. The card that I used on the website will expire at the end of next month.
Thank you very much.