Even if you’re not a Capital One customer, the bank’s recently announced data breach should motivate you to protect yourself from fraud.
The credit-card giant disclosed on Monday that about 100 million U.S. and 6 million Canadian consumers were impacted in a data breach that occurred in March. No credit-card account numbers or login credentials were compromised, according to the bank.
Rather, the bulk of the stolen data related to information collected from 2005 through early 2019 on credit-card applicants — both individuals and small businesses — at the time they applied.
A Capital One bank branch in New York.
Mark Kauzlarich | Bloomberg | Getty Images
That includes things such as names and addresses, dates of birth and self-reported incomes, along with phone numbers and email addresses. In other words, if you applied for a Capital One credit card during that time, your information could be at risk.
“To the extent the hacker got any of your personal information — that’s something to be concerned with,” said John Ulzheimer, a credit experts and president of the The Ulzheimer Group in Atlanta.
While Capital One said it’s unlikely the stolen data were used or sold, an internal investigation is ongoing. The FBI already has arrested a suspect: Paige Thompson, who was charged with computer fraud and abuse, according to court records.
The best way to hinder a fraudster’s efforts to use your data to get a loan or credit card from any bank is to freeze your credit report.
This action generally blocks outside access to your file. This means a scammer would struggle to use your personal information to open a financial account, because the potential lender would be unable to check your report to approve the application.
“It essentially stops the application process in its tracks and prevents the person from opening an account in your name,” Ulzheimer said.
Last September, a federal law went into effect that prohibits credit-reporting firms from charging consumers for a credit freeze (or to lift a freeze). However, you must alert the firms — Equifax, Experian and TransUnion are the biggest — to freeze your report at each of them. You can do it by phone or online at each company’s website.
You also can initiate a short-term fraud alert, which lasts one year. These alerts are different from freezes: Under a fraud alert, a lender seeking to approve an application must first contact you to verify the request is not from an imposter.
You only need to contact one credit reporting firm to initiate a fraud alert, which in turn is legally obligated to share your notice with others. It also is free.
Capital One said that for current customers, among the data stolen were about 140,000 Social Security numbers and roughly 80,000 bank account numbers of its customers who have secured credit cards.
It’s worthwhile taking steps to prevent anyone from accessing your bank account. In addition to using strong passwords, you should employ two-factor identification whenever possible. That means requiring two steps — i.e., entering a password and having a one-time code texted to you — to log onto your bank account (or any account).
Capital One’s breach disclosure comes about a week after Equifax announced a settlement with authorities over its 2017 data breach. In that instance, about 148 million consumers’ personal data were stolen, including names, birthdates and Social Security numbers.
“There have been so many [data breaches] that you need to assume your personal data has already been compromised,” said Ted Rossman, industry analyst at CreditCards.com.
“This surely won’t be the last, so take defensive actions now,” he said. “Freeze your credit, change your passwords and monitor your credit reports for anything that looks suspicious.”
Disclosure: NBCUniversal and Comcast Ventures are investors in Acorns.