Capital One Data Breach Affects 100 Million Credit Card Applications

Fresh off of the heels of the announcement of Equifax’s data breach settlement, on Monday it was announced that 100 million applicants of Capital One’s credit card products were affected by a breach as well.

Devlin Barrett, writing for The Washington Post:

Capital One, the Virginia-based bank with a popular credit card business, announced Monday that a hacker had accessed about 100 million credit card applications, and investigators say thousands of Social Security and bank account numbers were also taken.

The FBI has arrested a Seattle area woman, Paige A. Thompson, on a charge of computer fraud and abuse, according to court records.

The hack appears to be one of the largest data breaches ever to hit a financial services firm. In 2017, the credit-reporting company Equifax disclosed that hackers had stolen the personal information of 147 million people. Last week, it reached a $700 million settlement with U.S. regulators over that breach.

Capital One is saying that the hack is expected to cost them to the tune of $100 million and $150 million in the near term.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Capital One’s chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

As part of the breach announcement, Capital One stated that no credit card numbers or log-in credentials had been compromised, nor was the vast majority of Social Security numbers on the affected applications.

USA Today has a great summary about steps that can be taken and what else you need to know.

Here are some additional tips and steps to take from the site, WalletHub, if you think you may have been impacted.

In the aftermath of Capital One’s announcement on Monday that roughly 100 million credit card applications had been compromised in a data breach, exposing an estimated 77,000 bank account numbers and 140,000 Social Security numbers, many consumers likely have questions and concerns for their own wallets. With that in mind, the free-credit-score website WalletHub has some tips for how potential victims can keep their financial info safe.

Sign up for 24/7 credit monitoring – This way, you’ll find out immediately if someone tries to open an account in your name. WalletHub, for example, offers free 24/7 monitoring of your TransUnion credit report.
Enable Two-Factor Authentication – Capital One was hacked, but your cell phone wasn’t. So use it as another layer of protection when logging into your email account and financial websites.
A Freeze Is Better Than an Alert – It probably isn’t necessary in this case, but if you really want to protect yourself from fraudulent borrowing, freeze your three major credit reports (Equifax, Experian and TransUnion). This will prevent anyone but you from accessing them, thus making it impossible to take out a loan or line of credit. A fraud alert, in contrast, doesn’t actually do much.
Suppress Fraudulent Info – While you can dispute run-of-the-mill credit report inaccuracies, it’s best to use a process called “suppression” / “blocking” to get rid of negative info resulting from identity theft. In short, this makes it so the records in question can’t make reappearance after they’re initially removed.
Never Respond to Unsolicited Requests for Information – Don’t be surprised if you see an uptick in unsolicited calls and emails requesting personal information. Just remember: Never answer if you didn’t ask to be contacted.

For more advice, check out WalletHub’s identity theft guide as well as the steps you should take if your identity is stolen.

WalletHub also included a brief Q&A with their CEO, Odysseas Papadimitriou, a former senior director at CapitalOne.

Does this mean it's not safe to apply for a Capital One credit card?

“I don’t believe that people should avoid applying for Capital One credit cards because of this breach. Pretty much any other big company could easily be in Capital One’s shoes right now, as they’re all under digital fire from hackers. You actually have to give Capital One some credit for how they’ve handled the issue thus far. They assisted in the swift apprehension of the perpetrator and were transparent in their announcement,” said WalletHub CEO Odysseas Papadimitriou. “Capital One has been among the most technologically sophisticated credit card companies for years, and you can bet they will double down on making this type of breach as unlikely as possible in the future. Given that, and the fact that Capital One credit cards are some of the best on the market, there’s no need for consumers to stay away.”

How worried should recent Capital One credit card applicants be?

“Recent Capital One credit card applicants should certainly be more worried than usual, and especially vigilant, following the company’s data breach,” said WalletHub CEO Odysseas Papadimitriou. “But the bottom line is that most people’s personal information has probably already been stolen at least once, considering the many big data breaches that have occurred in recent years. So we should all be worried, and we should all sign up for free 24/7 credit monitoring, set up two-factor authentication, and review our credit card and bank statements closely.”

What explains Social Security numbers being stolen from business credit card applications?

“Some people may find it curious that the roughly 144,000 Social Security numbers stolen in Capital One’s data breach were from applications for business credit cards. But that’s actually standard. Nearly all small business credit cards require applicants to list their Social Security number,” said WalletHub CEO Odysseas Papadimitriou. “The reason is that most small businesses are an extension of their owner’s personal finances, and applicants generally have more personal credit history to evaluate. Business owners are also held personally liable for business credit card balances. ”