Capital One reported in July a hacker had swiped the personal data of about 100 million Americans and 6 million Canadians who either are Capital One credit card applicants or cardholders. Here’s what you need to know and do if you think you were affected by the Capital One data breach.
Capital One told the world July 29, 2019, that a hacker had swiped the personal data of about 100 million Americans and 6 million Canadians who either are Capital One credit card applicants or cardholders.
The credit card issuer says it learned of the hack July 19. Federal authorities allege Seattle tech worker Paige A. Thompson stole the Capital One information over a two-day period in March 2019 by invading the company’s data-storage system. The FBI arrested Thompson July 29; she faces a number of federal charges connected to the cyber break-in.
In August 2020, the federal government fined Capital One $80 million and ordered it to develop and submit plans to safeguard against cybersecurity and cloud operation risks.
The Wall Street Journal calls the Capital One breach “one of the largest-ever bank-data heists.”
Capital One data breach: What you should know
How do I know if my data was stolen?
Capital One says it’ll notify by regular mail any Americans whose Social Security numbers or bank account numbers were part of the breach. And the company says it’ll “directly notify” all Canadian customers whose personal data was compromised.
Capital One says it’s not calling, texting or emailing consumers to ask for account information or Social Security numbers related to the data breach. If you do receive a call, text or email like this, it’s a scam. Don’t click on any text or email links you receive through this kind of message and notify Capital One immediately.
Whose data was affected?
The bulk of the hacked data was information that consumers and small businesses provided when they applied for a Capital One credit card from 2005 through early 2019. This included names, addresses, ZIP codes, phone numbers, email addresses, birth dates and self-reported annual income.
In addition, according to Capital One, the hacked data included:
- Credit scores, credit limits, balances and payment history.
- About 140,000 Social Security numbers belonging to U.S. cardholders.
- About 80,000 bank account numbers linked to the Capital One accounts of customers who have secured credit cards.
- About 1 million Social Insurance numbers belonging to Canadian cardholders.
No credit card account numbers or login credentials were compromised, according to Capital One.
People who suspect they were victims of the Capital One data breach are urged to regularly look for updates at capitalone.com/facts2019 for residents of the U.S., and capitalone.ca/facts2019 or capitalone.ca/facts2019/fr for residents of Canada. For further information, call Capital One at 800-227-4825.
What happened to the stolen data?
How did this happen?
In the most basic terms, the breach stemmed from a cloud-computing security flaw. Capital One says it has fixed the issue.
See related: FTC advises taking free credit monitoring over cash in Equifax settlement
How long will it take to figure out the damage caused by this breach?
It could take years for consumers to know the full effect of how the breach harmed them, according to BAI, a nonprofit research organization for the financial services industry.
What should I do right now to protect myself following the Capital One data breach?
Here are several steps you can take to keep your personal data safe:
- Take advantage of the free credit monitoring and identity protection services that Capital One says it’ll offer to every victim of the data breach.
- Enroll in Capital One account alerts to monitor credit card activity, especially any transactions that seem suspicious. This advice actually pertains to any credit card account, not just a Capital One account.
- Freeze your credit by contacting the three major credit bureaus — Equifax, Experian and TransUnion. Credit freezes are free. This action essentially locks your credit report and prevents an unauthorized person from opening an account in your name. If you decide to apply for a credit card, you’ll need to unfreeze your credit so that the card issuer can check your credit report.
- Place a fraud alert on your credit file. To do so, you need to contact just one of the three major credit bureaus (Equifax, Experian and TransUnion). A fraud alert tells credit card issuers and other creditors that you might be a fraud victim. This might stop a crook from opening an account in your name. One-year and seven-year fraud alerts are available.
- Monitor your credit reports. Each year, you’re entitled under federal law to obtain one free copy of your credit report from Equifax, Experian and TransUnion. Visit AnnualCreditReport.com or call 877-322-8228 to get started.
- Frequently change your passwords. Ted Rossman, industry analyst at CreditCards.com, suggests using a password aggregator like LastPass to ensure passwords for all of your financial accounts are strong and unique. Also, aim for passwords that are at least 12 characters in length, and avoid common, easy-to-determine passwords like “123456,” “abc123” and “password.”
- Check your credit card statements regularly to hunt for irregularities. If you find something that appears unusual, contact the credit card issuer.
- Set up two-factor authentication for online accounts. This adds a layer of security by making it harder for cybercriminals to access your electronic devices.
- Update and run anti-virus software on your computer. This software identifies malware (or malicious software) and prevents it from infecting your computer. Hackers often employ malware to commit cybercrime.
- Be careful about sharing personal data, such as your Social Security number. “The less data you give out, the less there is to be stolen,” the nonprofit Consumers Reports advocacy organization says. “Consumers aren’t obliged to comply with every request for personal data.”