Even if you’ve never had a Capital One account, a hacker might still have nabbed your private information in the data breach revealed this week: Applicants who were rejected were vulnerable too, the credit card company confirmed Tuesday.
The hack hit about 106 million consumers and small businesses, most of whom applied for credit cards from 2005 through early 2019, Capital One said, and about 140,000 Social Security numbers and 80,000 bank account numbers were compromised.
The company said stolen data also included names, addresses, phone numbers and dates of birth, as well as financial data such as credit scores, credit limits, balances, payment history and self-reported income.
Capital One said it plans to contact those affected and offer free credit monitoring and identity protection. But it’s unclear when that offer will start, and there are other ways people can protect themselves regardless of whether they were affected by this particular data breach.
Chi Chi Wu, staff attorney at National Consumer Law Center, said in a statement Tuesday that the most effective measure consumers can take to prevent someone from stealing their identity and opening new accounts is to freeze their credit reports except when they want to apply for credit.
A credit freeze is more effective than credit monitoring, Wu said. A credit monitoring service reviews credit reports and flags signs of fraudulent activity.
“Credit monitoring is like shutting the door after the horse has left the barn, whereas a credit freeze is a preventative measure,” Wu said.
Throughout the United States, consumers can freeze their credit reports free of charge by contacting each of the three credit reporting firms — Experian, Equifax and TransUnion — online or via mail.
Identity thieves have a harder time taking out credit in the name of a person whose credit is frozen because the freeze prevents the person’s credit file from being shared with potential creditors, and creditors want to see the file before approving a new account. According to California Atty. Gen. Xavier Becerra’s website, even someone who has your name and Social Security number would probably not be able to take out credit in your name if you have a freeze in place.
Most of the affected credit card applicants — about 100 million — are in the United States, while the other 6 million are in Canada, according to Capital One.
The company will notify affected individuals, a Capital One spokesperson said. As of Tuesday, people could not yet find out whether they were personally affected or file claims.
Capital One said the hacking took place in March and that the company became aware of it July 19.
The hacking suspect was arrested Monday.
It’s unclear whether the stolen data was misused. “Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual,” a Capital One spokesperson said in an email Tuesday. “However, we will continue to investigate.”
Capital One Financial Corp. shares slid 5.9% to $91.21 on Tuesday. They are still up more than 20% this year.
The Capital One hack is just the latest of the big data breaches plaguing people and companies. Last week, Equifax agreed to pay as much as $700 million to resolve government investigations into a 2017 hack that affected 147 million people.
Last week also featured a different kind of privacy settlement. Facebook was fined $5 billion by the Federal Trade Commission after the social media giant’s Cambridge Analytica scandal, in which the data-mining firm accessed as many as 87 million Facebook users’ personal information without their consent.