Capital One Data Breach: 5 Steps to Avoid Identity Theft, Fraud

Just as consumers are starting to claim their share of the settlement for the 2017 Equifax data breach, Capital One has announced that the personal information of about 100 million Americans and 6 million Canadians was exposed in a hack that took place last March. Software engineer Paige Thompson has been charged with exploiting a vulnerability in Capital One’s network and gaining access to information on people as of the time they applied for a Capital One credit card, dating back to 2005. The data includes names, birth dates, mailing addresses, zip codes, e-mail addresses, phone numbers and self-reported income.

Although Capital One says that credit-card numbers and online log-in credentials were not compromised, the exposure did include details such as credit scores, credit limits, balances and payment history. Plus, the Social Security numbers of about 140,000 credit-card customers and about 80,000 linked bank-account numbers of customers with secured credit cards were breached.

Capital One says that it will notify those affected “through a variety of channels” and that it will offer credit-monitoring and identity-protection services. But if you think that you’re likely a victim, you don’t have to wait to act. Take these steps now to protect your identity or to spot fraud quickly if it does happen.

Subscribe to Kiplinger’s Personal Finance

Be a smarter, better informed investor.

Save up to 74%

Sign up for Kiplinger’s Free E-Newsletters

Profit and prosper with the best of expert advice on investing, taxes, retirement, personal finance and more - straight to your e-mail.

Profit and prosper with the best of expert advice - straight to your e-mail.

Sign up

1. Beware Phishing Scams

Given that the breach involved e-mail addresses and phone numbers as well as names and other bits of info, crooks may target victims with e-mails, text messages or phone calls in attempts to collect money or personal data. A fraudster posing as a representative of a financial institution or government agency, for instance, may call you and mention your name, date of birth or other personal details to gain your trust, then ask you to recite your credit-card number or Social Security number to “confirm” it. “Never authenticate yourself to anyone who contacts you by e-mail or phone,” says Adam Levin, founder of identity-protection service CyberScout. If you’re not sure that a call or message is legitimate, look up the institution’s phone number and call it to see whether it truly contacted you. Don’t click on links or attachments in any e-mail or text message that look suspicious—they could lead you to a scam website or infect your device with malware.

Capital One is also warning customers to watch out for e-mails and calls from scammers claiming to be the bank. If you do receive a fraudulent e-mail, forward it to abuse@capitalone.com.

2. Sign Up for Transactional Alerts

Whether or not your bank-account information was exposed in the Capital One breach, it’s a good idea to receive e-mail or text-message alerts each time a new charge hits your bank account or credit card. Set up the notifications for the lowest transaction amount possible—crooks often test accounts with small charges before they rack up bigger ones. If you do see a charge that you don’t recognize, contact your bank or card issuer right away.

3. Practice Healthy Password Hygiene

Capital One has indicated that customers’ account passwords are safe. But based on other information gleaned about you through the breach or, say, from your social-media accounts, crooks may be able to figure out or change your passwords for various online accounts—especially if your password is obvious, such as your birth date or a pet’s name—and use the passwords in combination with your e-mail address to log in.

A password manager such as LastPass helps you create and store strong and unique passwords for each account you have. When possible, set up two-factor authentication for your online accounts. If there’s an attempt to log in to the account from a device that you’ve never used, for example, you may have to verify that it’s you by entering a code that you receive via text message.

4. Keep Tabs on Your Credit Reports

If you’re among those whose Social Security numbers were compromised, you may be at a higher risk for a criminal to open new credit cards or loans in your name. But anyone benefits from taking advantage of a credit-monitoring service, which sends you an alert each time a significant change—a new credit-card account, for example—pops up on your credit report.

While you wait you wait for Capital One to roll out its credit-monitoring service, check out other free options. CreditKarma.com monitors your TransUnion and Equifax credit reports, and FreeCreditScore.com covers your Experian report. If you’re affected by the Equifax data breach, you’re eligible to get four years of free monitoring of all three reports—but the service isn’t yet available.

You can also check your credit report from each agency free every 12 months at AnnualCreditReport.com. Pore over your reports for any accounts that you don’t recognize or other signs of fraud, such as a mailing address that isn’t yours (crooks may redirect your mail).

5. Freeze Your Credit Reports

A freeze is the best way to prevent criminals from opening new credit accounts in your name. Lenders can’t view your frozen credit report in response to a request for a new credit card or loan, so they’re unlikely to grant credit to someone pretending to be you. Check out our guide on how to freeze your credit.