As many as six million Canadians may have had their personal information accessed in a data breach at Capital One.
The Social Insurance Numbers of approximately one million Canadians were compromised in a hack of Capital One.
The bank says the hacker got information including credit scores and balances of more than 100 million Americans as well.
A Seattle woman, Paige A. Thompson, has been charged with a single count of computer fraud and abuse.
From Capital One to its customers:
Date: July 29, 2019
On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for our credit card products and to Capital One credit card customers.
We immediately fixed the configuration vulnerability that this individual exploited and promptly began working with United States federal law enforcement.
The FBI has arrested the person responsible.
“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, Founder, Chairman and CEO. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”
Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada. The largest category of information was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and income.
Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:
Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information
Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018
No log-in credentials were compromised.
No bank account numbers or Social Security numbers were compromised, other than:
About 140,000 Social Security numbers of our small business credit card customers
About 80,000 linked bank account numbers of our secured credit card customers
For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.
We will notify affected individuals through a variety of channels. We will make free credit monitoring and identity theft insurance available to everyone affected.
Safeguarding our applicants and customers’ information is essential to our mission and our role as a financial institution. We have invested heavily in cybersecurity and will continue to do so. We will incorporate the learnings from this incident to further strengthen our cyber defenses.
The investigation is ongoing and analysis is subject to change. As we learn more, we will update this website and provide additional information.
Q&A
1) What happened?
On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for our credit card products and to Capital One credit card customers.
We immediately fixed the configuration vulnerability that this individual exploited and promptly began working with United States federal law enforcement. The FBI has arrested the person responsible. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
2) How did you discover the incident?
Like many companies, we have a responsible disclosure program which provides an avenue for ethical security researchers to report vulnerabilities directly to us. The configuration vulnerability was reported to us by an external security researcher through our Responsible Disclosure Program on July 17, 2019. We then began our own internal investigation, leading to the July 19, 2019, discovery of the incident.
3) When did this occur?
On July 19, 2019, we determined there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for credit card products and Capital One credit card customers. This occurred on March 22 and 23, 2019.
4) Has my information been accessed?
We will notify affected individuals through a variety of ways. We will make free credit monitoring and identity theft protection available to everyone affected.
Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.
We are also encouraging customers to enroll in account alerts to help them keep track of activity on their accounts. Customers can sign in to online banking and set up text or email alerts, based on their preferences.
We also encourage customers to monitor their credit card accounts for unusual or suspicious activity that they do not recognize, and to call the phone number on the back of their Capital One card or on their statement as soon as possible, if they see unusual activity.
We do not call customers asking for personal information and customers should be mindful of the possibility of phishing emails and calls due to this incident. Tips on how to spot fraudulent emails / messages are on the Capital One website at https://www.capitalone.ca/help/fraud-protection/
Phishing is an attempt to acquire personal information, sometimes to compromise online banking accounts, by posing as a legitimate company in an electronic communication. These emails are not from Capital One. If you believe you have received a fraudulent email that claims to be from Capital One:
Do not reply to the email.
Do not click on any of the links embedded in the email.
Forward the email to abuse@capitalone.com.
After forwarding the email to Capital One for investigation, delete it.
Be sure to monitor your account and call us if you notice any unusual activity.
5) Who is responsible for this cyber incident?
The FBI has arrested the person responsible for this cyber incident. Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual.
6) Does this incident impact customers from your other businesses?
This incident primarily impacted people who have applied for one of our credit card products. Our Auto Finance, Commercial Bank, and customers from our UK card businesses were not impacted.
7) What is Capital One doing to protect me after this incident? How can I sign up for credit monitoring / identity theft insurance services?
We have sophisticated fraud systems in place that constantly monitor our systems and cyber defenses to detect any unusual activity and protect our customers from unauthorized actions.
We will notify affected individuals through a variety of channels. Free credit monitoring and identity theft insurance will be made available to everyone impacted.
Customers are encouraged to enroll in account alerts to help them keep track of activity on their accounts. Customers can sign in to Online Banking and set up text or email alerts, based on their preferences.
Additionally, we encourage customers to monitor their accounts for unusual or suspicious activity and, if they notice any activity that they do not recognize, to call the number on the back of their Capital One card or on their statement as soon as possible.
8) Was the data encrypted or tokenized?
We encrypt our data as a standard. In addition, it is our practice to tokenize select sensitive data fields, most notably Social Insurance Numbers and credit card account numbers. Tokenization involves the substitution of the sensitive field with a cryptographically generated replacement. The method and keys to unlock the tokenized fields are different from those used to encrypt the data.
Due to the particular circumstances of this incident, the unauthorized access also enabled the decrypting of the data.
9) I think I received a scam email related to Capital One’s cyber incident. What do I need to do?
Customers should be mindful of phishing emails due to this incident. Tips on how to spot fraudulent emails / messages are on the Capital One website at https://www.capitalone.ca/help/fraud-protection/
10) I received a call from Capital One related to this cyber incident asking for my information. What should I do?
Capital One is not calling customers regarding the cyber incident and is not asking for credit card or account information, or Social Insurance Numbers over the phone or via email.
If you have provided personal information over the phone or clicked on links in a fraudulent email, follow these additional steps:
Call us immediately to report that your account information may have been compromised.
Sign in to Capital One Online Banking and change your password.
Check your accounts for suspicious activity.
Update and run anti-virus software on your computer.
11) Are there any additional steps that I can take to protect myself against fraud and identity theft?
You can order a copy of your credit report from both of the credit bureaus in Canada, Equifax Canada and TransUnion Canada. Each credit bureau may have different information about how you have used credit in the past.
Once you receive your reports, review them for suspicious activity, such as inquiries from companies you did not contact, accounts you did not open, and debts on your accounts that you did not authorize.
Verify the accuracy of your Social Insurance Number, address(es), complete name and employer(s).
Notify the credit bureaus if any information is incorrect in order to have it corrected or deleted.
You can order a copy of your report by mail, fax or by telephone:
Make your request in writing using the forms provided by Equifax and TransUnion
Call the credit bureau and follow the instructions
Equifax Canada
Tel: 1-800-465-7166
TransUnion Canada
Tel: 1-800-663-9980 (except Quebec)
Tel: 1-877-713-3393 (Quebec residents)
For more information on credit monitoring and requesting your report, please visit the Financial Consumer Agency of Canada’s resource on the topic: https://www.canada.ca/en/financial-consumer-agency/services/credit-reports-score/order-credit-report.html
Additionally, you can request both credit bureaus in Canada, Equifax and TransUnion, to place a fraud alert on your credit report. The alerts at both bureaus stay for 6 years.
You can place a fraud alert on your TransUnion® credit account by completing this form. You can submit the completed form and ID photocopies by mail or fax. You can also call TransUnion at 1-800-663-9980.
To place a fraud alert on your Equifax® credit account, please call Equifax at 1-800-465-7166.
12) How may I contact Capital One?
We’ll continue to update this site with developments as new information becomes available. If you’d like to speak with an agent, call 1-833-727-1234.