On July 29, Capital One publicly disclosed a data breach that impacts 100 million customers in the U.S. and 6 million customers in Canada. The hacker, a former Amazon employee, exploited a security weakness to obtain credit card information and applications from both customers and small businesses from as far back as 2005. According to Capital One's official statement about the data breach, this could include "credit scores, credit limits, balances, payment history, contact information" and parts of "transaction data from a total of 23 days during 2016, 2017, and 2018."
The bank's press release also made two contradictory statements: it insisted that "no bank account numbers or Social Security numbers were compromised" except for "about 140,000 Social Security numbers of our credit card customers" and "about 80,000 linked bank account numbers of our secured credit card customers."
Additionally, about 1 million Canadian Social Insurance Numbers are presumably compromised. The New York Times reported that some account numbers were from 'secured' credit cards, which are typically used by consumers who have low credit scores or are financially vulnerable.
The hacker, a software engineer, has already been apprehended by the FBI and charged with computer fraud for attempting to distribute the data through platforms such as GitHub. The culprit was caught after bragging online about the hack. Capital One does not believe that the information was used or spread widely by the hacker, but investigations are ongoing.
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, Chairman and CEO. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
The data breach is already being considered one of the largest in history. In comparison, the 2017 Equifax data breach impacted 147 million individuals in the U.S., Canada, and Britain, and cost the company up to $700 million in a settlement with the Federal Trade Commission.
Capital One has promised to "notify affected individuals through a variety of channels" and offer free credit monitoring and identity protection. But if you're unsure if your data was breached, there are a few things you can do.
Stay vigilant against scams and unusual activity
Data breaches like this one can put people in danger of having their accounts stolen or receiving fraudulent emails and calls. Capital One is cautioning customers against any scams that could arise from this incident and encouraging people to use account alerts to track any suspicious activity on their accounts. If you see something unusual, call the phone number on the back of your Capital One card or bank statement as soon as possible.
"We do not call customers asking for personal information," the company said as a reminder. "[C]ustomers should be mindful of the possibility of phishing emails and calls due to this incident."
If you suspect an email is phishing for your data, Capital One recommends that you:
- Do not reply to the email.
- Do not click on any of the links embedded in the email.
- Forward the email to email@example.com.
- After forwarding the email to Capital One for investigation, delete it.
- Be sure to monitor your credit card account and call if you notice any unusual activity.
Capital One also reminded customers that it does not contact customers for "credit card or account information, or Social Security numbers over the phone or via email." If you clicked on any links in a fake email or answered any calls that claimed to be Capital One, the bank says you should:
- Call Capital One immediately to report that your account information may have been compromised.
- Sign in to your account online and change your password and security questions.
- Check your accounts for suspicious activity.
- Update and run anti-virus software on your computer.
What else to do after a data breach
For some people, the first notice of the hacking incident was through a very brief Twitter post on Capital One's official account. Many customers on Twitter commented with dismay, wondering when they would be notified if they were compromised. However, there has yet to be a clear and definite response.
If you aren't keen on waiting for a response from Capital One, here are some steps you can take to protect yourself.
- Contact one of the three credit reporting agencies — Equifax (yes, the company that also suffered a data breach), Experian, or TransUnion — to set up a fraud alert. This will make it difficult for anyone to open an account in your name. The alert lasts for a year.
- Check your credit report for any unusual activity such as newly opened credit card accounts. Every 12 months, you can request a free report from each of the credit agencies for a total of 3 reports a year.
- Consider freezing your credit. This is slightly more inconvenient than setting up a fraud alert, since you'll need to temporarily lift the freeze for anyone who needs to check your credit — such as a landlord or potential employer. A total freeze will last until you tell the credit bureau to lift it and will prevent any thieves from making charges to your existing accounts.
- Seek the free credit monitoring when Capital One offers it. If you were affected by the Equifax data breach, you might be able to opt for four years of free credit monitoring instead of the payout.
If you're not a Capital One customer but would like to stay safe against data breaches, then consider enabling two-factor authentication for an extra layer of security beyond your password. Stay alert to phishing attempts and unusual account activity. Lastly, change your password to something strong and don't reuse passwords across multiple accounts. Consider using a service like LastPass to create and maintain strong passwords, or create one using their password guide.