Date: July 29, 2019, updated July 31, 2019
On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for our credit card products, and to Capital One credit card customers. We immediately fixed the configuration vulnerability that this individual exploited and began working with the United States Federal Bureau of Investigation (FBI), leading to the arrest of the individual on July 29, 2019. The individual is now in custody. We are working closely with relevant Canadian and American authorities, including the Office of the Privacy Commissioner of Canada, to protect affected individuals. We will make free credit monitoring and identity theft insurance available to everyone affected.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Founder, Chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
Current analysis suggests this event affected approximately 6 million individuals in Canada and approximately 100 million in the United States. The largest category of information was of consumers as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, postal codes, phone numbers, email addresses, dates of birth, and income.
No log-in credentials were compromised. Beyond the credit card application data, the individual also obtained portions of customer data, including:
- Social Insurance Numbers of approximately 1 million Canadian credit card customers
- Customer status data, e.g., credit scores, credit limits, balances, payment history, and contact information
- Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
We will notify affected individuals directly.
Safeguarding our applicants’ and customers’ information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to strengthen our cyber defences.
The investigation is ongoing and analysis is subject to change. As we learn more, we will update this website and provide additional information.
If you’d like to speak with an agent, call 1‑833‑727‑1234.
1) What happened?
On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for our credit card products, and to Capital One credit card customers. We immediately fixed the configuration vulnerability that this individual exploited and promptly began working with United States federal law enforcement. The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
2) How did you discover the incident?
Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.
3) When did this occur?
On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers.
4) Has my information been accessed?
We will notify affected individuals directly. We will make free credit monitoring and identity theft insurance available to everyone affected.
Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
We are also encouraging customers to enrol in account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, based on their preferences.
We also encourage customers to monitor their credit card accounts for unusual or suspicious activity that they do not recognize, and to call the phone number on the back of their Capital One card or on their statement as soon as possible, if they see unusual activity.
We do not call or text customers asking for personal information, and customers should be mindful of the possibility of phishing emails and calls due to this incident. Tips on how to spot fraudulent emails / messages are available on the Capital One website at https://www.capitalone.ca/help/fraud-protection/.
Phishing is an attempt to acquire personal information, sometimes to compromise online banking accounts by posing as a legitimate company in an electronic communication. These emails are not from Capital One. If you believe you have received a fraudulent email that claims to be from Capital One:
- Do not reply to the email
- Do not click on any of the links embedded in the email
- Forward the email to [email protected]
- After forwarding the email to Capital One for investigation, delete it
- Be sure to monitor your account and call us if you notice any unusual activity
5) What kind of information was accessed?
Compromised data includes Canadian credit card application data and portions of credit card customer data, including approximately 1 million Canadian Social Insurance Numbers, credit scores, credit limits, balances, payment history, contact information, and fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
6) Who is responsible for this cyber incident?
The FBI has arrested the person responsible for this cyber incident and the individual is in custody. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.
7) Does this incident impact customers from your other businesses?
This incident primarily impacted people who have applied for our credit card products.
8) What is Capital One doing to protect me after this incident? How can I sign up for credit monitoring / identity theft insurance services?
We have sophisticated anti-fraud systems in place that constantly monitor our systems and cyber defences to detect any unusual activity and protect our customers from unauthorized actions.
We will notify affected individuals through a variety of channels. Free credit monitoring and identity theft insurance will be made available to everyone impacted.
Customers are encouraged to enrol in account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, and also enrol in push notifications for real-time transaction alerts via our mobile app.
Additionally, we encourage customers to monitor their accounts for unusual or suspicious activity and, if they notice any activity that they do not recognize, to call the number on the back of their Capital One card or on their statement as soon as possible.
9) What information do you have on file for me?
Your privacy is important to us.
We collect information you provide to us when you register or apply for one of our products or services, visit or use our website or apps, interact with us, or engage with us in order to provide you with the best service and support.
10) Was the data encrypted or tokenized?
We encrypt our data as a standard. In addition, it is our practice to tokenize select sensitive data fields, most notably Social Insurance Numbers and credit card account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data.
Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of the data.
11) Where is my information being stored?
As a global company, Capital One handles consumer data with the same high level of rigour. We are transparent with consumers through our disclosures regarding our practices concerning the care and handling of their information. We retain customer and applicant information at data centres in Canada and the United States. We do this to process credit card applications, and to manage and service credit card accounts.
12) I think I received a scam email related to Capital One's cyber incident. What do I need to do?
Customers should be mindful of phishing emails due to this incident. Tips on how to spot fraudulent emails / messages are on the Capital One website at https://www.capitalone.ca/help/fraud-protection/.
13) I received a call or text from Capital One related to this cyber incident asking for my information. What should I do?
Capital One is not calling or texting customers regarding the cyber incident and is not asking for credit card or account information, or Social Insurance Numbers over the phone or via email.
If you have provided personal information over the phone or clicked on links in a fraudulent email, follow these additional steps:
- Call us immediately to report that your account information may have been compromised.
- Sign in to Capital One Online Banking and change your password.
- Check your accounts for suspicious activity.
- Update and run anti-virus software on your computer.
14) Are there any additional steps that I can take to protect myself against fraud and identity theft?
You can order a copy of your credit report from either of the credit bureaus in Canada, Equifax Canada and TransUnion Canada. Each credit bureau may have different information about how you have used credit in the past.
- Once you receive your reports, review them for suspicious activity, such as inquiries from companies you did not contact, accounts you did not open, and debts on your accounts that you did not authorize
- Verify the accuracy of your Social Insurance Number, address(es), complete name and employer(s)
- Notify the credit bureaus if any information is incorrect in order to have it corrected or deleted
You can order a copy of your report by mail, fax or telephone:
- Make your request in writing using the forms provided by Equifax and TransUnion
- Call the credit bureau and follow the instructions
- Equifax Canada
- TransUnion Canada
Tel: 1‑800‑663‑9980 (except Quebec)
Tel: 1‑877‑713‑3393 (Quebec residents)
Additionally, you can ask either credit bureau in Canada (Equifax or TransUnion) to place a fraud alert on your credit report. The alert will stay for six years with either bureau.
- You can place a fraud alert on your TransUnion® credit account by completing this form. You can submit the completed form and ID photocopies by mail or fax. You can also call TransUnion at 1‑800‑663‑9980.
- To place a fraud alert on your Equifax® credit account, please call Equifax at 1‑800‑465‑7166.
15) How may I contact Capital One?
We’ll continue to update this site with developments as new information becomes available. If you’d like to speak with an agent, call 1‑833‑727‑1234.
If you are in the United States, please visit www.capitalone.com/facts2019.