100 million Capital One credit card applications hacked: What you need to know

What happened, who’s affected, and what comes next

Credit: IDG

You can reset the “Days Since Hack” counter back to zero.

On Monday night, Capital One revealed that more than 100 million customers had their personal information hacked, including credit scores, credit limits, balances, payment history, and contact information, as well as 140,000 Social Security numbers and 80,000 linked bank account numbers of secured credit card customers.

Here’s what happened and what you can do to protect yourself:

How did the hack occur?

Capital One has divulged that there was “unauthorized access by an outside individual” who was able to obtain “certain types of personal information” relating to credit card applicants. It blamed the hack on a “configuration vulnerability” in its infrastructure that was hacked by a “highly sophisticated” attack. Capital One says that the vulnerability wasn’t cloud-based and “the elements of infrastructure involved are common to both cloud and on-premises data center environments.”

When did the hack occur?

Between March 22 and 23, 2019. It was originally reported to Capital One on July 17, 2019.

How was hack discovered?

The hack was found by an external security researcher through Capital One’s Responsible Disclosure Program. Capital One was able to verify the hack two days after it was reported, on July 19.

Has the flaw been fixed?

Capital One says it “immediately fixed the configuration vulnerability” and has been working with the FBI. That cooperation has led to one arrest, Seattle resident Paige A. Thompson, 33, who faces charges of computer fraud.

How many customers are affected?

According to Capital One’s analysis to date, the hack affected approximately 100 million individuals in the United States and approximately 6 million in Canada.

What data was stolen?

Capital One reports that the hack mostly pertained to information on consumers and small businesses as of the time they applied for one of the company’s credit cards from 2005 through early 2019. This information included personal information Capital One routinely collects at the time it receives credit card applications, including names, addresses, zip codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income. Additionally, “fragments of transaction data” from a total of 23 days during 2016, 2017 and 2018 has also been compromised.

Are Social Security numbers part of the stolen data?

About 140,000 U.S. Social Security numbers and a million Canadian Social Insurance Numbers were compromised in this incident.

What about credit card numbers?

So far, no Capital One credit card numbers were stolen as part of this attack, but about 80,000 linked bank account numbers for U.S. customers were.

Shouldn’t such sensitive data have been encrypted?

It was, according to Capital One. However, “due to the particular circumstances of this incident,” the company says that the hacker was also able to decrypt the stolen data. Most Social Security numbers and account

Are the numbers of affected customers accurate?

For now, but if history is an indicator, the numbers reported by Capital One are probably low. The company will continue to investigate both internally and with the FBI to pinpoint how far-reaching this hack was.

What did the hacker do with the data?

The investigation is ongoing, but Capital One says “it is unlikely that the information was used for fraud or disseminated by this individual.”

How do I know if my data is part of the hack?

Capital One hasn’t set up a website to check yet, but the company says it “will notify affected individuals through a variety of channels.”

Is Capital One offering any compensation to affected customers?

The company says it will make free credit monitoring and identity protection available to everyone affected.

Should I change my Capital One password?

It can’t hurt, but there’s no indication here that the hack involved user accounts or passwords.

Should I cancel my Capital One credit card?

That’s certainly an option, but that probably won’t protect you in this instance. The stolen data was related to applications, not user account, so even if you closed the account, your data is still at risk.

How can I protect myself against a hack like this in the future?

There isn’t a whole lot you can do to prevent a hack of data that is stored on a financial institution’s server, but you can take steps to mitigate any issues. While Capital One says none of the data stolen was used to open fraudulent accounts, by staying on top of your credit, you can stop potential headaches before they grow too big. Any of the major credit card agencies let you order free reports ever 12 months, or you can subscribe to monitor your day-to-day credit. By staying on top of new accounts that seem fishy, you can shut them down before they wreak havoc on your finances.

For a more comprehensive list of steps to take, check out PCWorld’s guide to what to do after a data breach.

Join the newsletter!


Sign up to gain exclusive access to email subscriptions, event invitations, competitions, giveaways, and much more.

Membership is free, and your security and privacy remain protected. View our privacy policy before signing up.

Error: Please check your email address.
Keep up with the latest tech news, reviews and previews by subscribing to the Good Gear Guide newsletter.
Michael Simon

Michael Simon

PC World (US online)
Show Comments

Most Popular Reviews

Latest Articles


PCW Evaluation Team

Tom Pope

Dynabook Portégé X30L-G

Ultimately this laptop has achieved everything I would hope for in a laptop for work, while fitting that into a form factor and weight that is remarkable.

Tom Sellers


This smart laptop was enjoyable to use and great to work on – creating content was super simple.

Lolita Wang


It really doesn’t get more “gaming laptop” than this.

Jack Jeffries


As the Maserati or BMW of laptops, it would fit perfectly in the hands of a professional needing firepower under the hood, sophistication and class on the surface, and gaming prowess (sports mode if you will) in between.

Taylor Carr


The MSI PS63 is an amazing laptop and I would definitely consider buying one in the future.

Christopher Low

Brother RJ-4230B

This small mobile printer is exactly what I need for invoicing and other jobs such as sending fellow tradesman details or step-by-step instructions that I can easily print off from my phone or the Web.

Featured Content

Don’t have an account? Sign up here

Don't have an account? Sign up now

Forgot password?