2019 Capital One Cyber Incident | What Happened | Capital One
Information on the Capital One cyber incident
English | Español
Important updates
April 22, 2022 update:
2019 Cyber Incident Settlement Reached. On February 7, 2022, a U.S. federal court preliminarily approved a class action settlement relating to the cyber incident Capital One announced in July 2019. Please visit www.CapitalOneSettlement.com for additional details.
February 22, 2021 update:
On January 27, 2021, as a result of Capital One’s ongoing analysis of the files stolen by the unauthorized individual in the 2019 Cybersecurity Incident, we discovered approximately 4,700 U.S. credit card customers or applicants whose Social Security Numbers were among the data accessed, but not previously known. Capital One is directly notifying these affected individuals and will make two years of free credit monitoring and identity protection available at no cost to them.
What happened
On July 19, 2019, we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products.
What we've done
We immediately fixed the issue and promptly began working with federal law enforcement. The outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.
Safeguarding information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We have incorporated the learnings from this incident to further strengthen our cyber defenses.
RICHARD D. FAIRBANK, CHAIRMAN AND CEO
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened...I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
What's the impact
Based on our analysis, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
Importantly, no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised. In addition, the outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Beyond the credit card application data, the individual obtained portions of credit card customer data, including:
Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information.
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
This information has been shared on Capital One’s website, servicing portal, press release and 8K filing.
The individual also obtained the following data:
About 140,000 Social Security numbers of our credit card customers.
About 80,000 linked bank account numbers of our secured credit card customers.
We have notified these customers through the mail.
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident. We have notified all Canadian customers affected.
For our Canadian credit card customers, please visit our website at www.capitalone.ca/facts2019.
English | Español
Important updates
April 22, 2022 update:
2019 Cyber Incident Settlement Reached. On February 7, 2022, a U.S. federal court preliminarily approved a class action settlement relating to the cyber incident Capital One announced in July 2019. Please visit www.CapitalOneSettlement.com for additional details.
February 22, 2021 update:
On January 27, 2021, as a result of Capital One’s ongoing analysis of the files stolen by the unauthorized individual in the 2019 Cybersecurity Incident, we discovered approximately 4,700 U.S. credit card customers or applicants whose Social Security Numbers were among the data accessed, but not previously known. Capital One is directly notifying these affected individuals and will make two years of free credit monitoring and identity protection available at no cost to them.
What happened
On July 19, 2019, we determined that an outside individual gained unauthorized access and obtained certain types of personal information about Capital One credit card customers and individuals who had applied for our credit card products.
What we've done
We immediately fixed the issue and promptly began working with federal law enforcement. The outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.
Safeguarding information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We have incorporated the learnings from this incident to further strengthen our cyber defenses.
RICHARD D. FAIRBANK, CHAIRMAN AND CEO
"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened...I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."
What's the impact
Based on our analysis, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.
Importantly, no credit card account numbers or log-in credentials were compromised and less than one percent of Social Security numbers were compromised. In addition, the outside individual who took the data was captured by the FBI. The government has stated they believe the data has been recovered and that there is no evidence the data was used for fraud or shared by this individual.
The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income.
Beyond the credit card application data, the individual obtained portions of credit card customer data, including:
Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information.
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.
This information has been shared on Capital One’s website, servicing portal, press release and 8K filing.
The individual also obtained the following data:
About 140,000 Social Security numbers of our credit card customers.
About 80,000 linked bank account numbers of our secured credit card customers.
We have notified these customers through the mail.
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident. We have notified all Canadian customers affected.
For our Canadian credit card customers, please visit our website at www.capitalone.ca/facts2019.
