TL;DR — I've been in a data breach. What now? Start with what not to do. Don't panic: the danger builds over weeks, so nothing is decided in the first ten minutes. Don't mass-reset passwords on a device that might be infected, because malware captures the new ones as you type. Don't assume the breach is "over" once you've changed a password; that is usually when the attacks start. Do this instead: find out what was actually exposed, then let the class of data decide your next move. The rest of this article is that sequence.
Most advice about data breaches is written for a country you probably don't live in. Freeze your credit. Protect your Social Security number. Call the three credit bureaus. Little of that applies in the Netherlands, Germany, or most of the EU. Almost all of it also skips the two questions that decide what you should actually do.
The first is what kind of data was exposed. A leaked password needs a different response from a leaked passport number. The second is how long ago it happened, because breach data gets used in stages. What you do in the first week differs from what you do two months on.
This playbook covers both. It assumes you have just learned you were in a breach (from a notification email, a news report, or a search you ran yourself) and you want to know what genuinely matters.
The scale is worth a moment. As this is written, ransomware.live, a live tracker anyone can check, counts 4,190 organisations posted to extortion sites so far in 2026, up roughly 14% on the same point in 2025. In Europe, DLA Piper's 2026 survey put notified personal-data breaches at 443 per day, a 22% rise and the first time the daily average has passed 400 since GDPR began. The Netherlands sits at the top of that list, ahead of Germany and Poland. For most people the data is already out there somewhere. What matters now is which breach, and what it held.
First, find out what was actually exposed
Before you change anything, establish what is actually out there. Acting on a guess wastes time you may not have.
Start with Have I Been Pwned. Enter your email addresses and read which breaches they appear in and, critically, what each breach exposed. The site lists the data classes for every incident. That list is the input to everything below.
It has a blind spot worth knowing. Have I Been Pwned indexes breach dumps. It does not see stealer logs: the credentials harvested directly off infected devices by infostealer malware, traded in private channels, never surfacing in a public breach. Stealer-log data is often worse than a breach dump, because it includes live session cookies that let an attacker walk past your password and your two-factor code entirely. We've written separately on why stealer logs are the credential market HIBP doesn't see and how modern infostealers work. Treat a clean Have I Been Pwned result as reassuring but incomplete.
If the breach notification you received names the data fields involved, keep it. "Name, email, and hashed password" and "name, date of birth, home address, phone number, and copy of ID document" send you down two different paths.
Breach data rarely does the damage on its own; it gets combined with what is already public about you to complete a usable profile. A Snapshot Scan maps what is exposed across breaches, stealer logs, people-search sites, and the open web, so you can see your real attack surface and remove what doesn't need to be there.
The response depends on what class of data leaked
Most checklists give one instruction and apply it to everything. The data class should decide the response. Find the classes from your breach and act on those.
| What leaked | The real threat | What to actually do |
|---|---|---|
| Credentials (password or hash) | Account takeover, plus reuse against your other accounts | Change the password everywhere you reused it; turn on phishing-resistant two-factor; revoke active sessions. See what account takeover actually is. |
| Stealer-log data (credentials + cookies from an infected device) | Session theft that bypasses your password and your 2FA | Treat the device as compromised: run a clean scan, sign out of everything, re-authenticate, then rotate passwords. Rotating first, on the infected machine, achieves nothing. |
| Static identifiers (name, DOB, address, phone, BSN/national ID) | Social engineering, SIM-swap, phishing that knows your real details, none of which you can change | Harden the human layer: a port-out PIN with your mobile provider, scepticism toward any "official" call, and awareness that these facts now enrich every future approach. |
| Financial (IBAN, card number) | Direct-debit and card fraud | Watch the account; in the EU, use your SEPA refund right (below). Card numbers: ask for a reissue. |
| Government ID (passport, ID-card images) | Impersonation and synthetic-identity fraud | File a report with your data-protection authority, consider a fraud marker with affected institutions, and monitor for accounts opened in your name. |
One point underpins the table: static identifiers cannot be reset. A password takes thirty seconds to change. Your date of birth, home address, and national ID number stay the same for life. Once they leak, assume an attacker holds them permanently. Protect whatever they can be used against: your accounts, your phone number, your identity checks.
A breach unfolds in four waves
Breach data does not get used all at once. It moves through phases, each drawing on the last. The criminals running each phase are often different from the ones who ran the breach. We documented this in detail across the Odido breach in the Netherlands, where the dataset went public on day one, mass phishing began by day two, and targeted fraud was still escalating a month later. The pattern generalises.
Wave 1 — Phishing and fake messages (days to weeks). Automated, at scale, using your real name and details to look legitimate. The standard advice holds: slow down, verify any message independently, never click through from the message itself.
If you're only discovering this now: assume you have already received wave-1 messages and may have acted on one. Check sent mail, payment confirmations, and any account where you entered credentials recently. Your first job now is to find out whether you already fell for one.
Wave 2 — Social engineering (weeks to months). Targeted approaches aimed at you specifically. A caller who has your real data poses as your bank, the police, or the breached company itself. The verified details do the work of earning your trust. Hold one rule: no legitimate institution asks you to confirm secrets, move money, or read out a code over the phone.
If you're only discovering this now: you may already be on a target list, because your data has had weeks to circulate and be enriched. The standard breach check on its own won't cover you. Brief the people who can be social-engineered about you (family, your bank's fraud line, your mobile provider) and agree a verbal passphrase with anyone who might receive a call "from you."
Wave 3 — SIM-swap and account takeover (weeks to months). With your phone number and recovery details exposed, an attacker ports your number, intercepts your SMS codes, and walks into your bank and government logins. In the Netherlands in 2025, one operation ran 160 SIM-swaps in a month, 99 of them in a single weekend.
If you're only discovering this now: the standard check won't reach this. Call your mobile provider and set a port-out PIN today, move every account you can off SMS two-factor onto an authenticator app or hardware key, and check that no unfamiliar recovery email or phone number has been added to your important accounts.
Wave 4 — Identity fraud and the long tail (months to years). Loans and accounts opened in your name; your record enriched with other breaches and resold; in the worst cases, targeted extortion. After the Medibank breach, criminals studied the data for months before approaching high-value victims by name.
If you're only discovering this now: assume the data is permanent and the risk is still live. This is where monitoring earns its place: a deliberate watch on credit-style registrations and new-account activity, which is a narrower thing than the broad "dark web scan" subscriptions sold in a panic. We've written on when dark-web monitoring is actually worth paying for.
If you arrive late, still run the earlier checks (just fast and in parallel), then put your real effort into the wave you're in and the ones still ahead.
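As an added illustration of the triage described above (the data-class table and the four waves taken together), here is a short Python script that is not part of this article and not code from Have I Been Pwned. It takes records constructed in the shape of HIBP breach entries (Name, BreachDate, DataClasses), maps each data class to the response it needs, works out from the breach date which wave you are in, and orders the actions so that cleaning an infected device comes before any password rotation. The data-class labels, the day thresholds for the waves, and the stealer-log record are assumptions made for illustration; the SEPA helper applies the eight-week and 13-month refund windows the EU-rights section describes.

```python
"""Breach triage over Have I Been Pwned-shaped records.

Added example, not the article's or HIBP's own code. Records are constructed
in the shape of HIBP breach entries (Name, BreachDate, DataClasses); the
data-class labels, the day thresholds for the four waves, and the one
stealer-log record are assumptions for illustration.
"""
import calendar
from datetime import date, timedelta

# Assumed data-class labels -> the five response classes from the triage table.
CLASS_MAP = {
    "Passwords": "credentials",
    "Session tokens": "stealer_log",       # cookies/sessions lifted from an infected device
    "Names": "static",
    "Dates of birth": "static",
    "Phone numbers": "static",
    "Physical addresses": "static",
    "Government issued IDs": "gov_id",
    "Passport numbers": "gov_id",
    "Bank account numbers": "financial",
    "Credit cards": "financial",
}
IGNORE = {"Email addresses", "Usernames"}   # in nearly every breach; no action of their own
PERMANENT = {"static", "gov_id"}            # cannot be reset once leaked

# Order matters: clean the device before rotating anything, or the new passwords leak too.
ORDER = ["stealer_log", "credentials", "financial", "gov_id", "static"]
ACTIONS = {
    "stealer_log": "treat the device as compromised: clean scan, sign out everywhere, re-authenticate, then rotate",
    "credentials": "change the password wherever it was reused; phishing-resistant 2FA; revoke active sessions",
    "financial": "watch the account; use the SEPA refund right; ask for a card reissue",
    "gov_id": "report to the data-protection authority; consider a fraud marker; watch for accounts in your name",
    "static": "port-out PIN with your mobile provider; treat every 'official' call as unverified",
}
WAVE_FOCUS = {
    1: "phishing: verify every message independently, never click through",
    2: "social engineering: brief family, bank fraud line, mobile provider; agree a passphrase",
    3: "SIM-swap/ATO: port-out PIN, move 2FA off SMS, check recovery emails and numbers",
    4: "identity fraud: watch credit-style registrations and new-account activity",
}
WAVE_LATE = {
    1: "check sent mail and payment confirmations for a phish you may already have acted on",
    2: "assume you are on a target list; warn the people who could be social-engineered about you",
    3: "confirm no unfamiliar recovery email or number was added to important accounts",
}


def current_wave(breach_date: str, today: str) -> int:
    """Lowest wave still live. Thresholds are assumptions: the article gives ranges, not cut-offs."""
    days = (date.fromisoformat(today) - date.fromisoformat(breach_date)).days
    if days < 14:
        return 1
    if days < 90:
        return 2          # waves 2 and 3 both run "weeks to months", so they open together
    return 4


def categorise(data_classes):
    """Map raw data-class labels to response classes; surface unknown labels instead of dropping them."""
    cats, unmapped = set(), []
    for dc in data_classes:
        if dc in CLASS_MAP:
            cats.add(CLASS_MAP[dc])
        elif dc not in IGNORE:
            unmapped.append(dc)
    return cats, unmapped


def triage(breaches, today: str) -> dict:
    """Merge every breach into one plan: actions by data class, checks by wave."""
    cats, unmapped, per_breach = set(), [], {}
    for b in breaches:
        c, u = categorise(b["DataClasses"])
        cats |= c
        unmapped += u
        per_breach[b["Name"]] = current_wave(b["BreachDate"], today)
    wave = max(per_breach.values(), default=1)   # the oldest breach sets how far along you are
    return {
        "categories": [c for c in ORDER if c in cats],
        "permanent": sorted(cats & PERMANENT),
        "unmapped": unmapped,
        "per_breach": per_breach,
        "current_wave": wave,
        "actions": [ACTIONS[c] for c in ORDER if c in cats],
        "late_checks": [WAVE_LATE[w] for w in range(1, wave)],   # run fast, in parallel
        "focus": [WAVE_FOCUS[w] for w in range(wave, 5)],        # where the real effort goes
    }


def sepa_refund_deadlines(debit_date: str) -> dict:
    """Core SEPA windows: eight weeks no-questions-asked, 13 months if never authorised."""
    d = date.fromisoformat(debit_date)
    month0 = d.month - 1 + 13
    year, month = d.year + month0 // 12, month0 % 12 + 1
    day = min(d.day, calendar.monthrange(year, month)[1])   # clamp e.g. 31 Jan -> 28 Feb
    return {"no_questions": (d + timedelta(weeks=8)).isoformat(),
            "unauthorised": date(year, month, day).isoformat()}


# Constructed sample: two HIBP-shaped records plus one stealer-log finding (not real breaches).
SAMPLE = [
    {"Name": "ExampleShop", "BreachDate": "2026-03-20",
     "DataClasses": ["Email addresses", "Passwords", "Names"]},
    {"Name": "ExampleTelco", "BreachDate": "2025-12-01",
     "DataClasses": ["Names", "Dates of birth", "Phone numbers", "Bank account numbers"]},
    {"Name": "StealerLogFinding", "BreachDate": "2026-03-28",
     "DataClasses": ["Passwords", "Session tokens"]},
]

if __name__ == "__main__":
    for key, value in triage(SAMPLE, "2026-04-01").items():
        print(f"{key}: {value}")
    print(sepa_refund_deadlines("2026-01-31"))
```

The plan it prints puts the stealer-log clean-up ahead of the password changes, flags the static identifiers as permanent, and, because the oldest breach is months old, lists the wave-1 to wave-3 checks as quick late checks and wave 4 as the focus. Feed it the DataClasses and BreachDate fields from your own Have I Been Pwned results, or the field list from a breach notification, and the output is the triage this article describes.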
"I used a unique password, so it doesn't matter"
This is the most common reaction to a breach notice. It answers the wrong question. If the breach leaked a password you use nowhere else, that one credential is near-worthless to an attacker. But a password is rarely the most valuable thing in a breach. "Was my password reused" tests the wrong thing.
The question that matters: what does this breach complete?
Criminals rarely work from a single dataset. They combine them. A breach that leaks your name, date of birth, and phone number looks harmless on its own. Add your employer and city from LinkedIn, your hometown from a Facebook post, your dog's name from Instagram, and the answers to your bank's security questions. Those fragments become a profile precise enough to pass a phone-based identity check or seed a convincing SIM-swap. The valuable part was never secret. It was the missing piece that turned everything you already share publicly into something usable.
This is the mechanism behind executive-targeting "identity packs," and it works the same way against ordinary people. We've covered how non-credential breach data is assembled into targeting profiles. So judge a breach by what it adds to the overall picture of you. Whether one password was reused is a small part of that.
Your rights in the EU
European law gives you levers the US-centric advice never mentions.
They have to tell you. Under GDPR Article 34, when a breach is likely to result in a high risk to you, the controller must notify you directly and without undue delay, rather than bury it in a press release. Article 33 separately requires them to notify their supervisory authority within 72 hours. A company that sat on a breach affecting you has a reportable failing of its own.
You can demand to know what they hold. Article 15 gives you the right of access, a subject access request, to find out exactly what data an organisation holds on you and where it came from. After a breach, that is how you establish the real scope behind a vague notice.
You can complain, for free. Every EU resident can lodge a complaint with their national data-protection authority (the Autoriteit Persoonsgegevens in the Netherlands, for example). It costs nothing. It is the mechanism that produces enforcement.
For financial data, you have the SEPA refund right. If your IBAN leaks and an unauthorised direct debit appears, the SEPA Core scheme gives you a no-questions-asked refund for eight weeks after the debit, and up to 13 months for a debit you never authorised. It is the closest European equivalent to a US credit freeze. Far more people are entitled to it than use it. We've documented how leaked IBANs feed direct-debit fraud kits.
If you're in the US: the levers differ. Place a free credit freeze with Equifax, Experian, and TransUnion. Report identity theft at IdentityTheft.gov for a recovery plan. The data-class triage and wave model above still apply.
What not to do
A few moves feel productive and aren't.
- Don't mass-reset passwords on a possibly-infected device. If stealer malware is the cause, you hand the attacker your new passwords as you type them. Clean the device and revoke sessions first.
- Don't assume the breach is "over." The notice marks the beginning of the waves. Most of the harm in the cases above came weeks after disclosure.
- Don't dismiss a leak because "nothing important" was taken. Static identifiers and profile fragments are the raw material for everything in waves two through four.
- Don't buy the first "dark web monitoring" subscription you're offered in the panic. Decide what you actually need to watch first; some of it you can monitor yourself for free.
A breach runs as a process with recognisable phases. Work out which data class you're dealing with, work out how far along you are, and deal with the wave in front of you.
If you've been breached and want to know what is genuinely exposed before you act, the Mirror maps your real footprint across breaches, stealer logs, and the open web. If accounts have already been touched and you need them locked down and the exposure closed, the Lockdown does exactly that.