Updated 8:00 PM ET, Fri Aug 9, 2019
On July 19, 2019, we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products.
Capital One immediately fixed the issue and promptly began working with federal law enforcement. The person responsible was arrested. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.
On July 19, 2019, we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products. This occurred on March 22 and 23, 2019.
Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
We are directly notifying by mail the U.S. individuals whose Social Security numbers or linked bank account numbers were accessed.
We are directly notifying all Canadian customers affected. Canadian customers can find more information at www.capitalone.ca/facts2019 or www.capitalone.ca/facts2019/fr.
Two-years of free credit monitoring and identity protection through TransUnion is available to everyone affected.
We encourage customers to enroll in account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, based on their preferences.
We also encourage customers to monitor their credit card accounts for unusual or suspicious activity that they do not recognize, and to call the phone number on the back of their Capital One card or on their statement as soon as possible, if they see unusual activity.
Capital One is not proactively calling, texting, or emailing customers to ask for account information or Social Security numbers related to this cyber incident. Customers should be mindful of the possibility of phishing emails and calls due to this incident. Tips on how to spot fraudulent emails / messages are on the Capital One website at Simple, Smart Ways to Prevent Identity Theft.
Phishing is an attempt to acquire personal information, sometimes to compromise online banking accounts by posing as a legitimate company in an electronic communication. These emails are not from Capital One. If you believe you have received a fraudulent email that claims to be from Capital One:
The FBI has arrested the person responsible for this cyber incident. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.
This incident primarily impacted people who have applied for one of our credit card products as well as credit card customers. Our Auto Finance, Commercial Bank, and customers from our UK card businesses were not impacted.
We have sophisticated fraud systems in place to detect any unusual activity and protect our customers from unauthorized actions.
We are directly notifying by mail the U.S. individuals whose Social Security numbers or linked bank account numbers were accessed.
We are also directly notifying all Canadian customers affected. Canadian customers can find more information at www.capitalone.ca/facts2019 or www.capitalone.ca/facts2019/fr.
Two-years of free credit monitoring and identity protection through TransUnion is available to everyone affected.
Customers are encouraged to enroll in credit card account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, based on their preferences.
Additionally, we encourage customers to monitor their credit card accounts for unusual or suspicious activity and, if they notice any activity that they do not recognize, to call the number on the back of their Capital One card or on their statement as soon as possible.
We do not proactively call customers asking for personal information and customers should be mindful of phishing emails and calls due to this incident. Tips on how to spot fraudulent emails / messages are on the Capital One website at Simple, Smart Ways to Prevent Identity Theft.
Phishing is an attempt to acquire personal information, sometimes to compromise online banking accounts by posing as a legitimate company in an electronic communication. These emails are not from Capital One. If you believe you have received a fraudulent email that claims to be from Capital One:
TransUnion’s credit monitoring and identity protection service monitors your credit reports at all three credit bureaus and alerts you when there are changes to any of your existing accounts, or if a new account is opened in your name (a new credit card or a car loan, for example). It also gives you frequent access to your credit history, so you can check your credit report as often as you like, at no cost to you.
Consumers enrolling in Capital One's offer of two years of TransUnion credit monitoring and identity protection do not waive any of their respective legal rights.
Customers should be mindful of phishing emails due to this incident. Tips on how to spot fraudulent emails / messages are on the Capital One website at Simple, Smart Ways to Prevent Identity Theft.
Phishing is an attempt to acquire personal information, sometimes to compromise online banking accounts by posing as a legitimate company in an electronic communication. These emails are not from Capital One. If you believe you have received a fraudulent email that claims to be from Capital One:
Capital One is not proactively calling, texting or emailing customers to ask for account information or Social Security numbers related to this cyber incident.
If you have provided personal information over the phone or clicked on links in a fraudulent email, follow these additional steps:
You can request a free copy of your credit report once every 12 months from each of the three national credit reporting agencies: Equifax, Experian and TransUnion.
To obtain free credit reports, simply visit www.annualcreditreport.com, call 1-877-322-8228, or complete the Annual Credit Report Request Form, which can be found here, and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.
Additionally, you can call the toll-free fraud number of any one of the three nationwide credit bureaus and place an initial or extended fraud alert on your credit report.
An initial fraud alert stays on your credit report for one year and acts as an alert to potential lenders. An extended fraud alert is intended for victims of identity theft and stays on your credit report for seven years.
We will update this site regularly and encourage anyone who may have any concerns about this incident to reach out to us at 1-800-227-4825.