The risk of identity theft is a concept that most of us are probably familiar with given the rise of cybercrime and data breaches. Yet a new report by Identity Theft Resource Center and DIG. Works has revealed that most employees do little to protect themselves when they learn their personal information has been exposed in an employer’s data breach.

And it isn’t necessarily a direct attack on your employer that leaves your personal information vulnerable to cybercriminals. For example, a recent ransomware attack on one of the largest human resources companies, Kronos, may impact how many employees get paid and track their paid time off. Personal information, like banking account numbers, also can be exposed. What’s more, most people can’t control how their employer uses their information, so using an active identity theft protection and credit monitoring service is just one necessary tool for protection against identity theft.

Even more concerning is that you may not even know what to do once learning your information has been exposed. In the new report, a shockingly high number of respondents (16%) took no action after receiving a data breach notice; less than half (48%) changed the password only on the breached account; and only 22% changed all of it their passwords. This is an alarming statistic given that out of the 1,050 U.S. adult consumers surveyed most had been the victim of a data breach, and more than half of social media users have had their accounts compromised.

Here’s some insight on why victims of data breaches might fail to react.

According to the survey, 26% believe that since the data is already out there, there is nothing that can be done; 29% believed organizations responsible for protecting their data would address the issue; 17% did not know what to do; and 14% thought the notice was a scam.

Data Breaches Can Expose Employee and Consumer Information 

Data breaches have hit companies ranging from Facebook and Yahoo to Costco, UnitedHealth, T-Mobile, and many more. Customers’ credit card information, passwords, email addresses, phone numbers, and Social Security numbers are among the information exposed.

The stolen information can be used by thieves or sold on the dark web, resulting in victims experiencing identity theft and possible financial losses.

If you are the victim of a data breach, it pays to act quickly. Here’s why: failing to take action can leave you vulnerable to additional attacks and a continuing risk of identity crimes.

Steps to Take if You Think You’re a Data Breach Victim

Here are three steps you should take if you think you might be the victim of a data breach:

1. Log into the breached account and change your password.

Change your password as soon as possible. Also, change your username, if possible. If you can’t log in, contact the company directly and ask how to get into the account or shut it down completely.

Weak passwords are the easiest ways for hackers to access your accounts. If you’ve ever been tempted to use “password1” or “qwerty” as your password, you may as well be handing out your data in the street. According to the survey, only 15% of the respondents claimed to use unique passwords for each account. The remaining 85% admitted to reusing passwords on multiple accounts, although some claimed a still risky practice of using variations of the same password on different accounts.

2. Consider issuing a credit freeze and fraud alert with all three credit bureaus.

A credit freeze and fraud alert are both excellent ways to help protect your personal information and credit from being used by identity thieves to open new accounts. A credit freeze provides the best protection because it won’t expire, unlike a fraud alert. A fraud alert usually expires after one year.

A fraud alert tells potential lenders to contact you, usually by phone, and verify your identity before extending new credit. If someone tries to get a new credit card or borrow money in your name, you are contacted, and you can take action to stop the new account.

Credit freezes prevent lenders from accessing your credit report without authorization. A credit freeze generally stops access to your credit report, so most lenders can’t see your information until you unfreeze it.

When you set up a credit freeze, also known as a security freeze, you are assigned or asked to create a PIN code or password you can use when unfreezing your credit file. If you, or someone else, applies for a new line of credit in your name, the lender won’t be able to view your credit report, which puts a stop to the application. A freeze is free and available to anyone, whether or not you are a victim of identity theft.

To freeze all of your credit reports from the three major bureaus, you need to contact each of the three major credit bureaus separately. You must provide personal information, including your Social Security number, photo ID, and proof of residence. You also need to answer questions that verify your identity.

A freeze remains in place until you ask the credit bureau to temporarily lift it or remove it altogether. If the request is made online or by phone, a credit bureau must lift a freeze within one hour. If the request is made by mail, the bureau must lift the freeze no later than three business days after getting your request.

3. Use Identity Theft Protection and Credit Monitoring.

If you are concerned about your data privacy, then having a team of experienced cybersecurity experts on your side is the best way to stay safe. Active identity theft protection and credit monitoring are essential for helping protect your identity information.

Identity theft protection can include alerts for suspicious activity, credit report monitoring, and identity theft insurance if you become a victim.