2019 Capital One Cyber Incident

Ben Breitbart

As a result of Capital One’s ongoing analysis of the files stolen by the unauthorized individual in the 2019 cybersecurity incident, we recently discovered some additional Canadian card customers and applicants who were affected, though the numbers are not such that they impact our initial announced disclosures. We are directly notifying those affected and will make two years of free credit monitoring and identity theft insurance available at no cost to them.

Updated noon ET, Friday, April 16, 2021.

On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for our credit card products, and to Capital One credit card customers.

We immediately fixed the issue and began working with the United States Federal Bureau of Investigation (FBI). The outside individual who took the data was captured by the FBI. The United States government has stated that they believe the data has been recovered and that there is no evidence that it was used for fraud or was disseminated by this individual.

We are working closely with relevant Canadian and American authorities, including the Office of the Privacy Commissioner of Canada, to protect affected individuals. We’ll make free credit monitoring and identity theft insurance available to everyone affected.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Founder, Chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Current analysis suggests this event affected approximately 6 million individuals in Canada and approximately 100 million in the United States. The largest category of information was of consumers as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, postal codes, phone numbers, email addresses, dates of birth and income.

No login credentials were compromised. Beyond the credit card application data, the individual also obtained portions of customer data, including the following:

Social Insurance Numbers of approximately 1 million Canadian credit card customers
Customer status data (e.g., credit scores, credit limits, balances, payment history and contact information)
Personal information, including address data, employers and occupations
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

Be aware that we will not contact anyone by phone or text regarding this incident.

Safeguarding our applicants’ and customers’ information is essential to our mission and our role as a financial institution. We’ve invested heavily in cybersecurity and will continue to strengthen our cyber defences.

The investigation is ongoing and analysis is subject to change. As we learn more, we will update this website and provide additional information.

Please be advised that class action proceedings have been commenced relating to the cybersecurity incident.

If you’d like to speak with an agent, call 1‑833‑727‑1234.

Q&A

‏1) What happened?

‏2) How did you discover the incident?

Like many companies, we have a Responsible Disclosure Program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.

‏3) When did this occur?

On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22 and 23, 2019.

‏4) What kind of information was accessed?

Compromised data includes Canadian credit card application data (e.g., personal information, including names, addresses, postal codes, phone numbers, email addresses, dates of birth and income), portions of credit card customer data, including personal information (e.g., address data, employers and occupations), approximately 1 million Canadian Social Insurance Numbers, customer status data (e.g., credit scores, credit limits, balances, payment history and contact information), and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.

‏5) Who is responsible for this cyber incident?

The outside individual who took the data was captured by the FBI. The United States government has stated that they believe the data has been recovered and that there is no evidence that it was used for fraud or was disseminated by this individual.

‏6) What is Capital One doing to protect me after this incident? How can I sign up for credit monitoring/identity theft insurance services?

We’re providing 2 years of free credit monitoring and identity theft insurance^† from TransUnion^® to everyone impacted.

To enrol in this service, use the activation code found within the email or letter you received and follow the steps provided. Should you have any questions regarding the TransUnion myTrueIdentity™ solution or have difficulty enrolling, please contact TransUnion at 1‑888‑228‑4939, Monday-Friday, 8:30 a.m. to 5 p.m. ET (excluding holidays).

We have sophisticated anti-fraud systems in place that constantly monitor our systems and cyber defences to detect any unusual activity and protect our customers from unauthorized actions.

Capital One customers are encouraged to enrol in account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, and also enrol in push notifications for real-time transaction alerts via our mobile app.

^† Identity theft insurance underwritten by AIG Insurance Company of Canada.

‏7) How do you handle my personal information?

As a global company, Capital One handles consumer data with a high level of rigour.

We are transparent with consumers through our disclosures regarding what personal information we collect, and our practices concerning the care and handling of their information. We collect consumer data to process credit card applications, and to manage and service credit card accounts.

To learn more, please refer to our Privacy Policy.

‏8) I think I received a scam email related to Capital One’s cyber incident. What do I need to do?

Customers should be mindful of phishing emails due to this incident. Phishing is an attempt to acquire personal information, sometimes to compromise online banking accounts by posing as a legitimate company in an electronic communication. These emails are not from Capital One. If you believe you have received a fraudulent email that claims to be from Capital One:

Do not reply to the email
Do not click on any of the links embedded in the email
Forward the email to abuse@capitalone.com
After forwarding the email to Capital One for investigation, delete it
Be sure to monitor your account and call us if you notice any unusual activity

Visit our Fraud Protection page for tips on how to spot fraudulent emails/messages.

‏9) I received a call or text from Capital One related to this cyber incident asking for my information. What should I do?

Capital One is not calling or texting customers regarding the cyber incident and is not asking for credit card or account information, or Social Insurance Numbers over the phone or via email.

If you have provided personal information over the phone or in response to a fraudulent text message, follow these additional steps:

Call us immediately to report that your account information may have been compromised.
Sign in to Capital One online banking and change your password.
Check your accounts for suspicious activity.

‏10) I’m a Capital One cardholder. What can I do to protect my account?

Additionally, we encourage customers to monitor their accounts for unusual or suspicious activity and, if they notice any activity that they do not recognize, to call the number on the back of their Capital One card or on their statement as soon as possible.

‏11) Are there any additional steps I can take to protect myself against fraud and identity theft?

You can order a copy of your credit report from either of the credit reporting agencies in Canada, Equifax Canada and TransUnion Canada. Each credit reporting agency may have different information about how you have used credit in the past.

Once you receive your reports, review them for suspicious activity, such as inquiries from companies you did not contact, accounts you did not open, and debts on your accounts that you did not authorize
Verify the accuracy of your Social Insurance Number, address(es), complete name and employer(s)
Notify the credit reporting agencies if any information is incorrect in order to have it corrected or deleted

You can order a copy of your report by mail, fax or telephone:

Make your request in writing using the forms provided by Equifax® and TransUnion
Call the credit reporting agency and follow the agent’s instructions
- Equifax Canada
  - Call: 1‑800‑465‑7166
- TransUnion Canada
  - Call: 1‑800‑663‑9980 (Canadian residents, excluding residents of Quebec)
  - Call: 1‑877‑713‑3393 (Quebec residents)

For more information on credit monitoring and requesting your report, please visit the Financial Consumer Agency of Canada’s website.

Additionally, you can request that both credit reporting agencies in Canada (Equifax or TransUnion) place a fraud alert on your credit report. The alert will stay for six years with either agency.

To place a fraud alert on your TransUnion credit file, complete this form, and submit the completed form and ID photocopies by mail or fax. You can also call TransUnion at 1‑800‑663‑9980.
To place a fraud alert on your Equifax credit file, please call Equifax at 1‑800‑465‑7166.