Information on the Capital One Cyber Incident

Information on the Capital One cyber incident

Information on the Capital One cyber incident

English | Español

Important updates

April 22, 2022 update:
2019 Cyber Incident Settlement Reached. On February 7, 2022, a U.S. federal court preliminarily approved a class action settlement relating to the cyber incident Capital One announced in July 2019. Please visit www.CapitalOneSettlement.com for additional details.

February 22, 2021 update:
On January 27, 2021, as a result of Capital One’s ongoing analysis of the files stolen by the unauthorized individual in the 2019 Cybersecurity Incident, we discovered approximately 4,700 U.S. credit card customers or applicants whose Social Security Numbers were among the data accessed, but not previously known. Capital One is directly notifying these affected individuals and will make two years of free credit monitoring and identity protection available at no cost to them.

What happened

On July 19, 2019, we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products.

What we've done

We immediately fixed the issue and promptly began working with federal law enforcement. The outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.

Safeguarding information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We have incorporated the learnings from this incident to further strengthen our cyber defenses.

Richard D. Fairbank, Chairman and CEO

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened...I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

What's the impact

Based on our analysis, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

Importantly, no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised. In addition, the outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.

The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.

Beyond the credit card application data, the individual obtained portions of credit card customer data, including:

  • Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information.
  • Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.

This information has been shared on Capital One’s website, servicing portal, press release and 8K filing.

The individual also obtained the following data:

  • About 140,000 Social Security numbers of our credit card customers.
  • About 80,000 linked bank account numbers of our secured credit card customers.

We have notified these customers through the mail.

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident. We have notified all Canadian customers affected.

For our Canadian credit card customers, please visit our website at www.capitalone.ca/facts2019.

Frequently Asked Questions

On July 19, 2019, we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products.

We immediately fixed the issue and promptly began working with federal law enforcement. The outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.

Like many companies, we have a Responsible Disclosure Program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.

On July 19, 2019, we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products. This occurred on March 22 and 23, 2019.

The outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.

We have directly notified by mail the U.S. individuals whose Social Security numbers or linked bank account numbers were accessed. We also have notified all Canadian customers affected. Canadian customers can find more information at www.capitalone.ca/facts2019 or www.capitalone.ca/facts2019/fr.

The outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.

This incident primarily impacted people who have applied for one of our credit card products as well as credit card customers. Our Auto Finance, Commercial Bank, and customers from our UK card businesses were not impacted.

We have sophisticated fraud systems in place to detect any unusual activity and protect our customers from unauthorized actions.

We have notified by mail the U.S. individuals whose Social Security numbers or linked bank account numbers were accessed. We also have notified all Canadian customers affected. Canadian customers can find more information at www.capitalone.ca/facts2019 or www.capitalone.ca/facts2019/fr.

Customers are encouraged to enroll in credit card account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, based on their preferences.

Additionally, we encourage customers to monitor their credit card accounts for unusual or suspicious activity and, if they notice any activity that they do not recognize, to call the number on the back of their Capital One card or on their statement as soon as possible.

You can request a free copy of your credit report once every 12 months from each of the three national credit reporting agencies: Equifax, Experian and TransUnion.

  • Once you receive your reports, review them for suspicious activity, such as inquiries from companies you did not contact, accounts you did not open, and debts on your accounts that you did not authorize.
  • Verify the accuracy of your Social Security number, address(es), complete name and employer(s).
  • Notify the credit bureaus if any information is incorrect in order to have it corrected or deleted.

To obtain free credit reports, simply visit www.annualcreditreport.com, call 1-877-322-8228, or complete the Annual Credit Report Request Form, which can be found here, and mail it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281.

Additionally, you can call the toll-free fraud number of any one of the three nationwide credit bureaus and place an initial or extended fraud alert on your credit report.

  • Equifax: 1-800-525-6285; Equifax Information Services LLC, P.O. Box 105069, Atlanta, GA 30348-5069
  • Experian: 1-888-EXPERIAN (397-3742); P.O. Box 9532, Allen, TX 75013
  • TransUnion: 1-800-680-7289; Fraud Victim Assistance Department, P.O. Box 2000, Chester, PA 19016

An initial fraud alert stays on your credit report for one year and acts as an alert to potential lenders. An extended fraud alert is intended for victims of identity theft and stays on your credit report for seven years.

We have notified by mail all individuals whose Social Security numbers or linked bank account numbers were accessed. The outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.