100 million Capital One credit card applications hacked: What you need to know (and do next)

What happened, who’s affected, and what comes next

Capital One  >  hack
Max Kabakov / Getty Images / Capital One

Today's Best Tech Deals

Picked by PCWorld's Editors

Top Deals On Great Products

Picked by Techconnect's Editors

You can reset the “Days Since Hack” counter back to zero.

On Monday night, Capital One revealed that more than 100 million customers had their personal information hacked, including credit scores, credit limits, balances, payment history, and contact information, as well as 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers.

Here’s what happened and what you can do to protect yourself:

How did the hack occur?

Capital One has divulged that there was “unauthorized access by an outside individual” who was able to obtain “certain types of personal information” relating to credit card applicants. It blamed the hack on a “configuration vulnerability” in its infrastructure that was hacked by a “highly sophisticated” attack. Capital One says that the vulnerability wasn’t cloud-based and “the elements of infrastructure involved are common to both cloud and on-premises data center environments.”

When did the hack occur?

Between March 22 and 23, 2019. It was originally reported to Capital One on July 17, 2019.

How was hack discovered?

The hack was found by an external security researcher through Capital One’s Responsible Disclosure Program. Capital One was able to verify the hack two days after it was reported, on July 19.

Has the flaw been fixed?

Capital One says it “immediately fixed the configuration vulnerability” and has been working with the FBI. That cooperation has led to one arrest, Seattle resident Paige A. Thompson, 33, who faces charges of computer fraud.

How many customers are affected?

According to Capital One’s analysis to date, the hack affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

What data was stolen?

Capital One reports that the hack mostly pertained to information on consumers and small businesses as of the time they applied for one of the company’s credit cards from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Additionally, “fragments of transaction data” from a total of 23 days during 2016, 2017 and 2018 has also been compromised.

Are Social Security numbers part of the stolen data?

About 140,000 U.S. Social Security numbers and a million Canadian Social Insurance Numbers were compromised in this incident.

What about credit card numbers?

So far, no Capital One credit card numbers were stolen as part of this attack, but about 80,000 linked bank account numbers for U.S. customers were.

Shouldn’t such sensitive data have been encrypted?

It was, according to Capital One. However, “due to the particular circumstances of this incident,” the company says that the hacker was also able to decrypt the stolen data. Most Social Security numbers and account numbers were also tokenized and remained protected, according to Capital One. that accounts for the disparity between affected customer and stolen Social Security numbers.

Are the numbers of affected customers accurate?

For now, but if history is an indicator, the numbers reported by Capital One are probably low. The company will continue to investigate both internally and with the FBI to pinpoint how far-reaching this hack was.

What did the hacker do with the data?

The investigation is ongoing, but Capital One says “it is unlikely that the information was used for fraud or disseminated by this individual.”

How do I know if my data is part of the hack?

Capital One hasn’t set up a website to check yet, but the company says it “will notify affected individuals through a variety of channels.”

Is Capital One offering any compensation to affected customers?

The company says it will make free credit monitoring and identity protection available to everyone affected.

Should I change my Capital One password?

It can’t hurt, but there’s no indication here that the hack involved user accounts or passwords.

Should I cancel my Capital One credit card?

That’s certainly an option, but that probably won’t protect you in this instance. The stolen data was related to applications, not user account, so even if you closed the account, your data is still at risk.

How can I protect myself against a hack like this in the future?

There isn’t a whole lot you can do to prevent a hack of data that is stored on a financial institution’s server, but you can take steps to mitigate any issues. While Capital One says none of the data stolen was used to open fraudulent accounts, by staying on top of your credit, you can stop potential headaches before they grow too big. Any of the major credit card agencies let you order free reports ever 12 months, or you can subscribe to monitor your day-to-day credit. By staying on top of new accounts that seem fishy, you can shut them down before they wreak havoc on your finances.

For a more comprehensive list of steps to take, check out PCWorld’s guide to what to do after a data breach.

Note: When you purchase something after clicking links in our articles, we may earn a small commission. Read our affiliate link policy for more details.
Shop Tech Products at Amazon