Here's Everything You Need to Know About the Capital One Data Breach

If you have a Capital One card or applied for one in the past, then you need to know about the company's data breach.

It's every consumer's nightmare to find out that their sensitive personal information was compromised. Unfortunately, if you've gotten a Capital One credit card in the past or even just filled out an application that the card issuer denied, your information could be at risk.

Capital One recently announced that a hacker gained unauthorized access to the personal information of many of its credit card customers and applicants. The data breach exposed sensitive information for over 100 million people, making it one of the largest breaches of all time.

Just how worried should you be? Here are all the current details on what happened, what types of information were stolen, and how you can guard your identity.

How the breach occurred

The criminal complaint related to the breach alleges that a woman named Paige Thompson hacked into computers belonging to Capital One. She had been a software engineer for Amazon Web Services, which is a cloud hosting company that serves as data storage for several major companies, including Capital One.

Thompson allegedly exploited a misconfigured web application firewall, and that allowed her to break into Capital One's server. From there, she was able to access accounts and credit card applications. She would go on to post the information on software development platform, GitHub, describe the method she used on the chat service Slack, and even brag on social media about having Capital One's information.

According to Capital One, the breach occurred on March 22 and 23, 2019. The credit card company found out about it on July 17, when it received notification from someone who saw the information on GitHub.

What was exposed?

Capital One estimates that the breach affected approximately 100 million U.S. consumers and 6 million Canadian consumers.

Most of the stolen information came from credit card applications submitted by consumers and small businesses between 2005 and 2019. This includes:

• Names
• Addresses
• Email addresses
• Phone numbers
• Dates of birth
• Self-reported income

The hacker was also able to get portions of customer data, such as credit scores, credit limits, payment history, balances, and fragments of transaction information for a total of 23 days spanning the years 2016, 2017, and 2018.

The most sensitive leaked information was:

• Approximately 140,000 Social Security numbers for credit card customers
• Approximately 80,000 linked bank account numbers for customers with secured credit cards
• Approximately 1 million Social Insurance Numbers for Canadian credit card customers

Capital One plans to notify all customers with a leaked Social Security number, bank account number, or Social Insurance Number. It will notify U.S. customers by mail and Canadian customers by email or mail.

Fortunately, there were no compromised credit card numbers or login credentials.

How to protect yourself going forward

Capital One has said it believes that "it is unlikely that the information was used for fraud or disseminated." Personally, I'm not convinced.

Given the circumstances, you may want to take steps to guard yourself against fraud and identity theft. Depending on how secure you want to be, there are three ways to do this.

Credit monitoring

The most basic and least intrusive option is credit monitoring, which is a good idea for everyone, even those who haven't been the victim of any data breaches.

When you sign up for a credit monitoring service, it alerts you to any changes on your credit file, such as new accounts. Many credit monitoring services have a fee, but there are also free services available, and some credit cards include complimentary credit monitoring for cardholders.

Capital One has said that there is free credit monitoring and identity protection available to everyone affected by the breach. It's unclear if the credit card company is referring to its free CreditWise service, which was already available to all its cardholders, or if it will provide a complimentary premium service.

Fraud alerts

You can set up fraud alerts free of charge with each of the three credit reporting agencies (Equifax, Experian, and TransUnion). When any third party checks your credit report, they'll see the fraud alert and need to take more thorough steps to verify your identity before opening any sort of new account in your name.

For example, you could include a phone number with your fraud alert, and then a credit card company would need to call you at that number before opening a new card for you.

Fraud alerts last for one year, but you can renew them. Victims of identity theft or fraud have the option of an extended fraud alert that lasts for seven years.

A credit freeze

If you want to put your credit on total lockdown, then you can freeze it. Like fraud alerts, credit freezes are free, and you need to set them up with each credit reporting agency.

When your credit is frozen, no one can access your credit report, which also prohibits anyone from opening an account in your name.

Although freezing your credit works very well from a security perspective, it can also be a little inconvenient, as you'll need to unfreeze your credit if you ever want to open an account yourself or allow a third party to perform a credit check on you.

Staying safe after the latest data breach

The Capital One data breach resulted in quite a lot of leaked information, but on a positive note, no one had their credit card information stolen, and less than 1% of the victims had their Social Security numbers or banking information stolen.

The best thing to do now, if you aren't doing it already, is to monitor your credit and watch for any communications from Capital One in the mail. If you want to be even safer, you could also either set up fraud alerts or freeze your credit reports with each credit bureau.