A Capital One Breach Has Affected Over 100 Million People — Here’s How to Tell If You Were Hit and What to Do

If Capital One is what’s in your wallet, there are some things you should add to your to-do list.

The bank disclosed on Monday that it was the victim of a data breach affecting over 100 million people in the U.S. and six million people in Canada. Most of the impacted parties were consumers or small businesses who had applied for a Capital One credit card in the 14 years leading up to March 2019, according to a press release. The compromised information is outlined as follows:

• Personally identifiable information like “names, addresses, zip codes, phone numbers, email addresses, dates of birth, and self-reported income,” at the time of the applications
• Customer status data, which includes credit scores, credit limits, balances, payment history, contact information
• Fragments of transaction data from a cumulative 23 days spanning from 2016 to 2018

What’s more, the hacker also obtained about 140,000 Social Security numbers, 80,000 linked bank account numbers, and one million “social insurance” numbers (the Canadian version of a Social Security number). It’s being called one of the largest-ever thefts of bank data.

Where does that leave you, Capital One customer?

Unfortunately, Americans are no strangers to a data breach. But whether this is your inaugural go-around or you already know the drill, this is still a first for Capital One. So pay attention to these steps to ensure you're doing everything you can, according to their plan:

First, find out if you’re one of the parties affected by checking your email and messages on your Capital One account page. The bank said in its press release that it plans on notifying any affected individuals “through a variety of channels.”

Monitor your account activity by taking Capital One up on its offer for free credit monitoring and identity protection — this information should be provided in the alert message, but feel free to reach out to Capital One if it’s not. Such services will tell you if there’s any suspicious activity on your credit report or involving your identity (bank accounts, and any place your Social Security number is used).

Keep an eye on your payments even if you’ve signed up for the above services, by logging into your credit card accounts and making sure you don’t see any strange payments that you didn’t make yourself. If you see one, call the number on the back of your card immediately to tell the bank about it.

While you’re in your account go ahead and turn on text alerts so that you don’t miss any further communication (especially in the immediate future). It would be wise to change your password and security questions for good measure.

Do not reply to, much less share information, with any party calling or emailing you claiming to be Capital One. The company has made it very clear that they won’t be asking customers for credit card numbers, account information, or Social Security numbers via phone or email.

If you’re still unsure about the validity of the email or call, ignore it — or inform the party that you’d prefer to hang up — and then call Capital One yourself. Forward any such emails to abuse@capitalone.com and delete them.

How Capital One is doing damage control

Capital One says it notified authorities right after it found out about the vulnerability on July 19, upon being informed via email that the stolen data was published online, according to the official FBI complaint. A suspect — ex-Amazon employee Paige A. Thompson, a hacker known by the alias “erratic” — has since been put into custody, and so far, the company’s analysis shows that the information probably wasn’t used for fraud or shared around.

But don't take that as a reason to kick your feet up: Even as Capital One does and says whatever it can to make amends with customers, remember that no one can prioritize your security like you can. So heed these steps and make sure you’re staying on top of it.