Photo: Drew Angerer (Getty Images)

Capital One has already started the notification process for its most recent data breach—affecting approximately 100 million people in the U.S. and an additional six million in Canada (for now). If you happened to catch the company’s announcement about the issue, though, it sure sounded like everything is fine and great.


At least, I felt like I was on a financial roller coaster when I read Capital One’s press release and saw alternating lines like these:

“Based on our analysis to date, we believe it is unlikely that the information was used for fraud or disseminated by this individual. However, we will continue to investigate.”


“Based on our analysis to date, this event affected approximately 100 million individuals in the United States and approximately 6 million in Canada.”



“Importantly, no credit card account numbers or log-in credentials were compromised and over 99 percent of Social Security numbers were not compromised.”




“No bank account numbers or Social Security numbers were compromised, other than:




About 140,000 Social Security numbers of our credit card customers

About 80,000 linked bank account numbers of our secured credit card customers”

Rightly so, Capital One is being ridiculed online for this almost nonchalant way of saying that hundreds of thousands of customers are seriously affected by this breach.





What do you take away from something like this? First, always read the fine print. It’s in a company’s best interests to downplay these kinds of breaches as much as possible, because it’s going to cost them money and make them look foolish at best and not very secure at worst.


What sounds fine if you just read the first paragraph or so, or even skim through the announcement, actually doesn’t end up being all that fine. At least, I don’t think coughing up 140,000 Social Security numbers and 80,000 bank account numbers is a good thing, and I’m sure those affected will agree with me.


Second, be skeptical. Capital One says that around 106 million people were “affected,” but buries the type of information that was potentially accessed later in its press release—a chunk of text you might not notice if you were just skimming.



“The largest category of information accessed was information on consumers and small businesses as of the time they applied for one of our credit card products from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Beyond the credit card application data, the individual also obtained portions of credit card customer data, including:

Customer status data, e.g., credit scores, credit limits, balances, payment history, contact information

Fragments of transaction data from a total of 23 days during 2016, 2017 and 2018”


That doesn’t sound too bad, right? There’s not much you can do if your email address or birthday is out in the wild, and it’s more annoying than problematic if your credit score or payment history got leaked. Still, an attacker could theoretically use this information standalone—or cross-referenced against other information they might have from one of the many other security breaches your data is likely a part of—to create a fictitious profile of you and apply for other financial services using your information, which could prove problematic.

Also, it’s worth keeping in mind that we’re just at the very initial stages of learning about this breach. Tempted as you might be to ignore Capital One’s problem, since it didn’t sound that serious for most people, you should keep it in the back of your mind for the next few months.


Third, if you’re affected in any way—and Capital One should notify you about this, so make sure you’re watching your email closely just in case—you’re going to want to make sure you take Capital One up on its free credit monitoring offer. You might even already have free credit monitoring as a result of the aforementioned Equifax breach, but it never hurts to have as many services as possible looking out for illegitimate use of your data. If you want to get a head start, companies like Credit Karma are more than happy to give you free credit monitoring, and it’s possible that your credit card company might also have some kind of free credit-monitoring service. You can also freeze your account with Equifax, Experian, and TransUnion.


Fourth, you’ll also want to make sure you’re staying safe about any follow-ups to the Capital One hack. If someone calls you on the phone asking you to “verify” account information because they’re from Capital One and they need to make sure you’re safe, or some line like that, tell them off. As CNBC notes, “Capital One is not calling customers to ask for credit card or account information or Social Security numbers over the phone or via email.”



Similarly, if you get a suspicious-sounding email allegedly from Capital One, or a Capital One representative, asking you to provide them information that they should theoretically already have, resist the urge. In fact, you could even call up Capital One yourself to verify if the request is legitimate before you click on any links or send any replies. The last thing you want to do is to survive the Capital One breach unscathed, but cough up critical information to a phishing attempt.


Finally, stay vigilant. I realize that responding to these kinds of things can be exasperating, especially if you’re mad enough that you’re going to transfer your money to a new bank. Even if you’re going through the standard process of changing your passwords when confronted with a breach at a company you use, I sympathize. Having to do all this gets annoying, but you can’t let your guard down. Keep on enabling two-factor authentication. Keep on checking your account for instances of misuse, either financially or log-ins that weren’t you. Set up a Google alert for Capital One so you don’t miss any critical follow-ups about the breach. Breathe. You’ve got this.