Database leak in 2025. What to do in the first hour?
On January 21, 2025, at 2:12 PM, one of the larger online stores in Poland confirmed a database leak affecting 43,782 customers. If your PESEL, address, and phone number hit the web, you have exactly 57 minutes to react effectively before bots start checking your creditworthiness. At Nick Castro, since September 2016, we have been helping people regain control over their privacy, and we know that every second counts.
Restricting your PESEL number is an absolute must
The first thing you must do is log in to the mObywatel app or the gov.pl portal. Since June 2024, financial institutions in Poland have had a legal obligation to check the PESEL status before granting a loan. If you restrict the number within the first 14 minutes of receiving information about the leak, you realistically block the way for scammers. Even if someone tries to take out a loan in your name at a bank in Warsaw or Wroclaw, the transaction will be rejected by the system. This is the simplest protection method, one that costs nothing and saves years of fighting in courts.
It is worth remembering that restricting PESEL alone does not remove your data from the dark side of the internet, but it builds a tight financial barrier. Statistics from the previous quarter show that 89.2% of fraud attempts fail when a citizen has an active block in the state system. At Nick Castro, we often repeat to clients: Your data, your control. Do not wait for an email from the bank about a new debt you did not incur. Take those 3 minutes to click in the mobile app even before you finish reading this article.
Restricting your PESEL is the cheapest insurance policy you can issue yourself in 180 seconds.
BIK Alerts and credit monitoring systems
The second step is activating BIK Alerts. This is a commercial service that costs about 42 PLN per year, but its value at the time of a leak is huge. The system sends an SMS the moment any loan company or bank sends an inquiry about your credit history. The average time a message arrives after a fraud attempt is just 47 seconds. Thanks to this, you know immediately that someone is currently sitting in a branch and posing as you. Nick Castro is not affiliated with BIK, but we honestly recommend this solution to every one of our 843 regular clients.
If you get such an alert, do not panic. Call the institution that sent the inquiry directly. You can usually find the bank's hotline number on the back of your debit card. A conversation with a consultant takes an average of 11 minutes and allows for an immediate halt to the credit process. Remember to note the report number and the time of the call. This data will be crucial if the case goes to the police. We act in silence, but we document every step because we know that precision in documentation is half the success in identity theft disputes.
An SMS saying 'Inquiry about your credit' is a signal for an immediate attack, not for waiting.

Password change and email account audit
Most people use the same password for 4 or 5 different services. This is a mistake that cost our clients a total of 2.4 million PLN in 2024 alone. If an e-shop leaked, thieves will immediately try to log in with the same credentials to your Gmail, Onet, or WP mail. The first hour is the time to change the password for your main email account. Use a password manager and generate a string of at least 16 characters. Do not use your dog's name or your child's birth date. This is too simple for automated tools that test thousands of combinations per second.
Be sure to turn on two-step verification (2FA). Even if a hacker learns your password, they will not enter the account without a code from your phone. According to our analysis, accounts with active 2FA are 99.1% safer against mass attacks after database leaks. At Nick Castro, we clear traces effectively, but you must put up the first fence around your digital identity. Also check the mail settings to see if any new addresses have been added to forward messages. Scammers often set their emails there to intercept password reset codes for banking.
Reporting to UODO and contacting the data administrator
You have the right to know exactly what leaked. Send an official inquiry to the company that allowed the incident. They must respond to you within 30 days, but they usually do it faster under legal pressure. At Nick Castro, we have specific GDPR provisions ready for this. If the company remains silent or downplays the matter, we will prepare a complaint for you to the Personal Data Protection Office (UODO). Since September 2023, fines for companies that fail to look after their databases have increased significantly, which forces them to be more transparent toward affected customers.
Document every message from the company that failed. Take screenshots of leak announcements and keep information emails. If in the future your data is used to set up a fictitious company or to commit fraud on OLX, this documentation will be your only line of defense against a bailiff. In March 2024, we helped a client from Wroclaw cancel 17 false telecommunications contracts only because he had a saved screenshot with information about a leak from the operator's database. Small details build great wins in courts.
The company that lost your data is not your friend. Treat their correspondence as evidence in the case.

How does Nick Castro help withdraw data from circulation?
Once you secure your finances, it's time to remove the effects of the leak. Personal data that ended up on forums or in search engines can be removed. We use the right to be forgotten to force Google and other search engines to de-index pages with your name and phone number. Our team in Wroclaw submits an average of 34 requests a week to remove sensitive content. We don't promise miracles in 5 minutes, but our procedures usually take from 12 to 26 working days, depending on the scale of the violation.
We withdraw information from circulation while simultaneously monitoring for new mentions of your identity. If your data reappears on a suspicious list, we react within 2 hours and 14 minutes. This is a standard we have held for years. Your reputation and peace of mind are worth more than a subscription to expensive antivirus programs, which often do not handle database leaks. Contact us via the form if you want us to take over communication with the data administrator who failed you. We will handle it professionally and without unnecessary noise.


