A photo of credit and debit cards

The number of credit and debit card breaches has been rising, according to the Identity Theft Resources Center, a San Diego-based nonprofit established to support victims of identity theft. The organization recently released a report that shows that 20 percent of all breaches in 2017 included credit and debit card information, a rise of nearly 6 percent from a year earlier.

More on Fraud & Data Breaches

The most recent breach happened at Saks Fifth Avenue, Saks Fifth Avenue Off 5th, and Lord & Taylor stores, according to Gemini Advisory, a New York-based cybersecurity firm. The company that owns those stores, Toronto-based Hudson's Bay, confirmed that cybercriminals had stolen more than 5 million credit and debit card numbers.

Hackers installed software into the stores' cash register systems that was able to steal the payment card numbers. While the investigation continues, it doesn't appear Social Security numbers or driver’s license numbers were compromised.

It appears thieves had been stealing the payment card data since May 2017, but the news was only revealed after Gemini reported that the stores had been hacked by a well-known criminal group known as JokerStash.

While the hack was one of the biggest among retailers in recent years, there have been larger ones. In 2013, data from some 40 million payment cards was stolen from Target and a year later, thieves stole 56 million payment cards from Home Depot.

Last month, Orbitz, the travel website, said that data from 880,000 payment cards had been stolen from a platform it operated.

Eva Velazquez, the president and CEO of Identity Theft Resource Center, says that retailers and institutions need to do a better job of protecting customer data. In the meantime, she says consumers should take steps to protect themselves when things go wrong.

Steps to Take

Here’s what you can do to safeguard your data.

Watch your accounts closely. Look for charges you don’t recognize. If you spot something strange, call your credit, debit, or prepaid card company or bank right away, says Christina Tetreault, senior staff attorney at Consumers Union, the advocacy division of Consumer Reports.

Consider getting new payment cards. If there was a breach with your debit, prepaid, or credit card, you may want to get a new card with a new account number, Tetreault says. This will keep your account from being used without your permission. If you get a new card, make sure to change any automatic payments to your new card so that you aren’t charged for missed or late payments. 

Take advantage of free consumer protection services. Velazquez says that the Federal Trade Commission and the Identity Theft Resource Center offer letter templates, forms, and advice to help you protect your identity if your data has been stolen. In addition, Velazquez says to check with your employer—many offer services that can help you—and check your homeowners or renter insurance, which may have a rider that offers some kind of identity protection service.

Sign up for free credit monitoring. Hudson Bay says that it will offer affected customers free identity protection services, including credit monitoring. The service provides an ongoing review of your credit history. Doing this won’t let you know if someone is using your existing accounts without your permission, but it will let you know if someone opened a new account in your name.

If you believe you’ve had other information stolen in the past, such as your Social Security number, you can also: 

Place a fraud alert on your credit report.
 This warns prospective lenders that you have been a victim and that they should take reasonable extra steps to verify your identity before granting credit to the person claiming to be you.

To request a fraud alert, you have to contact only one of the big three credit bureaus—EquifaxExperian, or TransUnion. The bureau you contact will pass it on to the other two. (You must place a separate alert with Innovis, a smaller credit bureau.)

An initial fraud alert lasts 90 days. If you’re an ID-theft victim, you can get an extended fraud alert that stays in place for seven years. But you may be better off with the 90-day alert because that allows you to get a free credit report from each of the four credit bureaus each time you renew the alert.

Place a security freeze. A security freeze placed on your credit file will block most lenders from seeing your credit history. That makes a freeze the single most effective way to protect against fraud.

If a prospective lender can’t pull your credit report, he won’t issue a new loan. That usually stops identity thieves from setting up fraudulent accounts in your name.

There’s a drawback, though. The freeze also shuts out most companies you may want to do business with, including lenders, telecom companies, and insurers.

To give them access when you want to apply for a loan or open a cellular service account, you have to temporarily lift the freeze and set a date for it to be reinstated automatically.

Note that not everyone is blocked from getting your credit report. Banks and credit unions where you already have accounts can still check your credit report, as can collection agencies and certain government agencies. 

A freeze might be free, depending on your state and circumstances—for example, if you’re an identity-theft victim and have filed a police report about the incident. Otherwise, expect to pay $2 to $12 to initiate or temporarily lift a freeze at each credit bureau: EquifaxExperianTransUnion, and Innovis. Review your state’s law for specific details.