A data breach to Capital One servers in March exposed the personal information of nearly 106 million of the bank’s customers and applicants. The hack, which included US and Canadian customers of the banking and credit card company, comes a week after the settlement reached between Equifax and the Federal Trade Commission concerning a hack in 2017 that affected 147 million customers.
According to Capital One, the breach on March 22 and 23, 2019, resulted in the hacker gaining access to personal information related to credit card applications from 2005 to early 2019 for consumers, applicants and small businesses. Capital One detected the breach on July 19. Among the personal data exposed were names, addresses, dates of birth, credit scores, transaction data, Social Security numbers and linked bank account numbers.
About 140,000 Social Security numbers and 80,000 linked bank account numbers were exposed, Capital One said. And for Canadian credit card customers and applicants, approximately 1 million Social Insurance Numbers. Capital One said, however, that no credit card account numbers or login credentials were revealed in the hack.
In response, Capital One said it will notify customers and credit card applicants whose data was exposed in the breach, and the Department of Justice announced it had charged a Seattle engineer in the theft.
Here’s how to find out if you were affected by the Capital One data breach and what you can do to protect yourself.
How to find out if your information was stolen
Capital One said it will contact by letter U.S. individuals whose Social Security numbers or linked bank account numbers were part of the hack. Affected individuals can probably expect to hear the week of August 5. At the moment, Capital One doesn’t have a website that lets you check for yourself, unlike with the tool Equifax released to see if you were part of its data breach.
Be on guard for emails and phone calls from scammers posing as Capital One or government representatives asking for credit card or account information, your Social Security number or other personal information.
What Capital One is doing about the hack
Capital One said it has fixed the exploit the hacker used to access the data and has worked with federal law enforcement on the breach. The banking company said it will reach out to customers who were part of the hack and will offer free credit monitoring and identity protection to those customers affected by the breach.
How to monitor your credit report for fraud
You don’t have to wait for Capital One to contact you: You can take several steps right now to watch for fraud.
Monitor your credit reports. You get one free credit report a year from the three major credit bureaus: Equifax, Experian and TransUnion. (Note that Equifax is recovering from its own data breach.) On your report, look for unusual or unfamiliar activity, such as the appearance of new accounts you didn’t open. And watch your credit card accounts and bank statements for unexpected charges and payments.
Sign up for a credit monitoring service. Pick a credit monitoring service that constantly monitors your credit report on major credit bureaus and alerts when it detects unusual activity. To help with the monitoring, you can set fraud alerts that notify you if someone is trying to use your identity to create credit. A credit-reporting service like LifeLock can cost $10 to $30 a month — or you could use a free service like the one from Credit Karma. Capital One said it will provide free credit monitoring and identity protection to all affected customers.
What to do if you suspect you’re a victim of fraud or identity theft
As soon as you suspect your ID has been stolen you can take action to stop unauthorized charges and start to recover your identity.
Place a fraud alert. If you suspect fraud, place a fraud alert with each of the credit reporting companies: Equifax, Experian and TransUnion. The alert notifies creditors that you have been a victim of fraud and lets them know to verify that you are actually making new credit requests in your name. You can place an initial fraud alert, which stays on your credit report for 90 days, or an extended fraud alert, which stays on your credit report for seven years. Placing a fraud alert does not affect your credit score.
Contact fraud departments. For each business and credit card company where you think an account was opened or charged without your knowledge, contact its fraud department. While you are not responsible for fraudulent charges to an account, you need to report the suspicious activity promptly.
Freeze your credit. If you want to stop anyone from opening credit and requesting loans and services in your name without your permission, you can freeze your credit. You will need to request a freeze with each of the three credit reporting companies, which again are Equifax, Experian and TransUnion. To apply for new credit, you need to unfreeeze your credit, again, through each of the credit reporting companies. You can either request a temporary lift of the freeze or unfreeze it permanently.
Document everything. Keep copies of all documents and expenses and records of your conversations about the theft.
Create a recovery plan. The Federal Trade Commission has a valuable tool that helps you report identity theft and recover your identity through a personal recovery plan.