Capital One Bank Suffers Colossal Hack


By Gille Ann Rabbin, Esq., CIPP/US


On the heels of the recent announcement that Equifax has agreed to pay up to $700 million as part of a global settlement over its massive 2017 breach, Capital One announced that it was the victim of a cyber attack by a hacker who broke into a cloud server through a misconfigured firewall. As a result of Capital One’s breach, personal information of 106 million U.S. and Canadian consumers was compromised. 

Capital One discovered the breach in late July after the hacker posted details online. Information accessed includes names, addresses, dates of birth, credit card application info, bank account information and numbers, and Social Security and Canadian Social Insurance numbers.

Capital One notified the FBI once it discovered the breach and is continuing to investigate. Its website states it will notify breach victims through the mail (Canadians will be notified “directly”) and will offer free credit monitoring and identity protection. The site also states the vulnerability exploited by the hacker was identified and fixed.

Capital One claims its analysis shows it’s unlikely the breached information was used for fraud or disseminated. Nonetheless, if you’re a victim, take steps to protect yourself.

Don’t panic. Read the notice, which will tell you the protections offered, and strongly consider signing up for them.

Be on the lookout for suspicious activity, like calls from scammers. Capital One is not calling breach victims to ask them for personal information; don’t give out info to a caller claiming to be from Capital One and requesting information.

Also be wary of scam emails targeting breach victims. These could be sham “phishing” emails designed to get you to click on a link and transmit personal information to scammers.

Regularly monitor your credit card and bank accounts, monthly bills, financial statements, and credit reports and scores. If you see signs of fraud, report this immediately to the affected organization by phone and certified mail. If you’re a breach victim, consider having Capital One close your existing bank accounts and open new ones; cancel your Capital One credit cards and ask that they be reissued. Use fresh passwords. Sign up for activity alerts and texts for the new accounts. Additionally, sign up for activity notifications for accounts and credit cards you have at other banks.

Consider obtaining a “fraud alert” and “security freeze.” When the three major credit reporting agencies (Equifax, TransUnion, Experian) place a fraud alert in your file, a business will need to verify your identity before it issues credit. The alert needs to be renewed annually. The placement of a security freeze in your credit file is intended to prevent new credit accounts from being opened in your name; no credit account can be established unless you authorize it by lifting the freeze.

Capital One has provided a hotline, 1-800-227-4825, to assist consumers and answer questions, and a website,  (Type the address carefully to avoid making typos and falling victim to typosquatters who set up sham websites to capture your personal information.)

Unfortunately, notwithstanding federal and state laws requiring data security, the financial services sector has experienced more breaches than any other industry. The multitude of interconnected systems processing millions of financial transactions makes it susceptible to cyber invasion. 

Bleaker still: financial services data breaches are on the rise. All financial services consumers, breach victims or not, should follow sound information practices.