The breach stands to be one of the worst for U.S. consumers because of the type of financial information that was accessed. This valuable consumer financial information can be used to figure out the identities of the most creditworthy or affluent consumers and open a card or loans in their names.
Here’s what you need to know if you have a Capital One credit card or have applied for one in the past, and how to protect your accounts and information.
• I have a Capital One credit card. What happened?
Sensitive identity information about consumers and small businesses who applied for Capital One credit cards between 2005 and 2019 was exposed. So if you have a Capital One credit card, or have applied for one in that time frame, your information is part of this data breach.
The information leaked includes names, addresses, ZIP Codes, phone numbers, email addresses, dates of birth and self-reported income, the bank said. Consumer data including credit scores, credit limits, balances, payment history and some transaction data are also part of the breach. Also exposed were about 140,000 Social Security numbers and 80,000 linked bank account numbers.
•What can someone do with this info?
This information can be used to apply for credit cards. Currently, Capital One says it’s unlikely that the stolen information was sold or disseminated.
From an identity-theft perspective, the Capital One breach is less widespread than the Equifax hack because more Social Security numbers were compromised in the Equifax breach. Someone having your Social Security number means they can more easily spin up an unauthorized account in your name, said CreditCards.com industry analyst Ted Rossman.
Still, the data in the Capital One hack is some of the most valuable information about consumers and their credit standing.
• What should I do now?
There are three things those who either have a Capital One credit card or applied for one should do immediately.
First, freeze your credit. This is the most important step to protecting your information. You can call Equifax, Experian or TransUnion or go to their websites to do this online.
Freezing your credit will prevent new lines of credit from being opened in your name, and it doesn’t affect your credit score. It is free and guaranteed by federal law. Credit-reporting agencies must freeze your credit within one business day if you make the request by phone. Be sure to write down the PIN the credit bureau gives you when you freeze your credit so you can lift the freeze. You can also place a fraud alert when you’re contacting the credit bureaus, which will make it harder for someone to open an account or credit card in your name.
Then, change your passwords. Though Capital One says login information wasn’t compromised in this hack, reusing old passwords is a major security vulnerability. More than eight in 10 Americans reuse passwords online, according to a 2019 poll from CreditCards.com.
After that, set up two-factor authentication for all your financial profiles and online accounts. Having to log in via a code sent to your cellphone is another barrier to keep your information safe from hackers.
Lastly, monitor your credit-card activity and credit reports. Capital One said they’ll notify everyone affected in the hack “through a variety of channels,” and for the people compromised, they’ll also be offering free credit monitoring and identity protection.
• Will I get called or emailed about this data breach?
Capital One says it isn’t calling customers about this incident. The bank says you shouldn’t give out personal information over the phone or email if you are contacted about this data breach.
• What else can I do?
The investigation is ongoing, so the best thing for Capital One credit-card holders to do is to keep following the story. You can also check the Capital One website for customer updates.
Even if you weren’t compromised in this hack, Mr. Rossman said these steps can help everyone protect their information against future breaches.
“I think these things are all good steps in general, even beyond Capital One,” he said. “I would just assume your data is out there, whether it’s this or Equifax or
…This isn’t the first and it won’t be the last.”
Contacting the Agencies
—AnnaMaria Andriotis contributed to this article.
Write to Julia Carpenter at [email protected]
Copyright ©2019 Dow Jones & Company, Inc. All Rights Reserved. 87990cbe856818d5eddac44c7b1cdeb8