To give you the best possible experience, this site uses cookies. You’re agreeing to the terms of our Privacy Policy by continuing to use the site. Learn how to disable cookies.

As of September 23, 2019, we’ve completed the process of notifying Canadians affected by the cyber incident by email or mail. Be aware that we will not contact anyone by phone or text regarding this incident.

Updated noon ET, Monday, September 23, 2019.

On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for our credit card products, and to Capital One credit card customers.

We immediately fixed the issue and began working with the United States Federal Bureau of Investigation (FBI). The outside individual who took the data was captured by the FBI. The United States government has stated that they believe the data has been recovered and that there is no evidence that it was used for fraud or was disseminated by this individual.

We are working closely with relevant Canadian and American authorities, including the Office of the Privacy Commissioner of Canada, to protect affected individuals. We’ll make free credit monitoring and identity theft insurance available to everyone affected.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Founder, Chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

Current analysis suggests this event affected approximately 6 million individuals in Canada and approximately 100 million in the United States. The largest category of information was of consumers as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, postal codes, phone numbers, email addresses, dates of birth and income.

No login credentials were compromised. Beyond the credit card application data, the individual also obtained portions of customer data, including the following:

  • Social Insurance Numbers of approximately 1 million Canadian credit card customers
  • Customer status data, e.g., credit scores, credit limits, balances, payment history and contact information
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018

As of September 23, 2019, we’ve completed the process of notifying Canadians affected by the cyber incident by email or mail. Be aware that we will not contact anyone by phone or text regarding this incident.

Safeguarding our applicants’ and customers’ information is essential to our mission and our role as a financial institution. We’ve invested heavily in cybersecurity and will continue to strengthen our cyber defences.

The investigation is ongoing and analysis is subject to change. As we learn more, we will update this website and provide additional information.

For our U.S. credit card customers, please visit this web page.

If you’d like to speak with an agent, call 1‑833‑727‑1234.

Q&A

  • ‏1) What happened?

    On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for our credit card products, and to Capital One credit card customers.

    We immediately fixed the issue and began working with the United States Federal Bureau of Investigation (FBI). The outside individual who took the data was captured by the FBI. The United States government has stated that they believe the data has been recovered and that there is no evidence that it was used for fraud or was disseminated by this individual.

  • 2) How did you discover the incident?

    Like many companies, we have a Responsible Disclosure Program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.

  • 3) When did this occur?

    On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22 and 23, 2019.

  • 4) Has my information been accessed?

    As of September 23, 2019, we’ve completed the process of notifying Canadians affected by the cyber incident by email or mail.

    We will make free credit monitoring and identity theft insurance available to everyone affected.

    The outside individual who took the data was captured by the FBI. The United States government has stated that they believe the data has been recovered and that there is no evidence that it was used for fraud or was disseminated by this individual.

  • 5) What kind of information was accessed?

    Compromised data includes Canadian credit card application data and portions of credit card customer data, including approximately 1 million Canadian Social Insurance Numbers, credit scores, credit limits, balances, payment history, contact information, and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.

  • 6) Who is responsible for this cyber incident?

    The outside individual who took the data was captured by the FBI. The United States government has stated that they believe the data has been recovered and that there is no evidence that it was used for fraud or was disseminated by this individual.

  • 7) What is Capital One doing to protect me after this incident? How can I sign up for credit monitoring/identity theft insurance services?

    As of September 23, 2019, we’ve completed the process of notifying Canadians affected by the cyber incident by email or mail. We’re providing 2 years of free credit monitoring and identity theft insurance from TransUnion® to everyone impacted.

    To enrol in this service, use the activation code found within the email or letter you received and follow the steps provided. Should you have any questions regarding the TransUnion myTrueIdentity solution or have difficulty enrolling, please contact TransUnion at 1‑888‑228‑4939, Monday-Friday, 8:30 a.m. to 5 p.m. ET (excluding holidays).

    We have sophisticated anti-fraud systems in place that constantly monitor our systems and cyber defences to detect any unusual activity and protect our customers from unauthorized actions.

    Capital One customers are encouraged to enrol in account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, and also enrol in push notifications for real-time transaction alerts via our mobile app.

    Identity theft insurance underwritten by AIG Insurance Company of Canada.

  • 8) I didn’t receive an email or letter about the incident – does that mean my information hasn’t been affected?

    As of September 23, 2019, we’ve completed the process of notifying Canadians affected by the cyber incident by email or mail. Be aware that we will not contact anyone by phone or text regarding this incident.

    If you have questions or concerns, please call us at 1-833-727-1234.

    The email and letter will include information on how those affected can access the 2 years of free credit monitoring and identity theft insurance from TransUnion that we’re providing.

    Please note that the outside individual who took the data was captured by the FBI. The United States government has stated that they believe the data has been recovered and that there is no evidence that it was used for fraud or was disseminated by this individual.

  • 9) How do you handle my personal information?

    As a global company, Capital One handles consumer data with the same high level of rigour.

    We are transparent with consumers through our disclosures regarding what personal information we collect, and our practices concerning the care and handling of their information. We collect consumer data to process credit card applications, and to manage and service credit card accounts.

    To learn more, please refer to our Privacy Policy.

  • 10) I think I received a scam email related to Capital One’s cyber incident. What do I need to do?

    Customers should be mindful of phishing emails due to this incident. Phishing is an attempt to acquire personal information, sometimes to compromise online banking accounts by posing as a legitimate company in an electronic communication. These emails are not from Capital One. If you believe you have received a fraudulent email that claims to be from Capital One:

    • Do not reply to the email

    • Do not click on any of the links embedded in the email

    • Forward the email to abuse@capitalone.com

    • After forwarding the email to Capital One for investigation, delete it

    • Be sure to monitor your account and call us if you notice any unusual activity

    Visit our Fraud Protection page for tips on how to spot fraudulent emails/messages.

  • 11) I received a call or text from Capital One related to this cyber incident asking for my information. What should I do?

    Capital One is not calling or texting customers regarding the cyber incident and is not asking for credit card or account information, or Social Insurance Numbers over the phone or via email.

    If you have provided personal information over the phone or in response to a fraudulent text message, follow these additional steps:

    1. Call us immediately to report that your account information may have been compromised.

    2. Sign in to Capital One online banking and change your password.

    3. Check your accounts for suspicious activity.

  • 12) I’m a Capital One cardholder. What can I do to protect my account?

    Capital One customers are encouraged to enrol in account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, and also enrol in push notifications for real-time transaction alerts via our mobile app.

    Additionally, we encourage customers to monitor their accounts for unusual or suspicious activity and, if they notice any activity that they do not recognize, to call the number on the back of their Capital One card or on their statement as soon as possible.

  • 13) Are there any additional steps I can take to protect myself against fraud and identity theft?

    You can order a copy of your credit report from either of the credit reporting agencies in Canada, Equifax Canada and TransUnion Canada. Each credit reporting agency may have different information about how you have used credit in the past.

    • Once you receive your reports, review them for suspicious activity, such as inquiries from companies you did not contact, accounts you did not open, and debts on your accounts that you did not authorize

    • Verify the accuracy of your Social Insurance Number, address(es), complete name and employer(s)

    • Notify the credit reporting agencies if any information is incorrect in order to have it corrected or deleted

    You can order a copy of your report by mail, fax or telephone:

    • Make your request in writing using the forms provided by Equifax® and TransUnion

    • Call the credit reporting agency and follow the agent’s instructions

      • Equifax Canada
        Call: 1‑800‑465‑7166

      • TransUnion Canada
        Call: 1‑800‑663‑9980 (Canadian residents, excluding residents of Quebec)
        Call: 1‑877‑713‑3393 (Quebec residents)

    For more information on credit monitoring and requesting your report, please visit the Financial Consumer of Agency of Canada’s website.

    Additionally, you can request that both credit reporting agencies in Canada (Equifax or TransUnion) place a fraud alert on your credit report. The alert will stay for six years with either agency.

    • To place a fraud alert on your TransUnion credit file, complete this form, and submit the completed form and ID photocopies by mail or fax. You can also call TransUnion at 1‑800‑663‑9980.

    • To place a fraud alert on your Equifax credit file, please call Equifax at 1‑800‑465‑7166.