6 Steps Consumers Should Take After Capital One Mega-Hacking

Latest data breach hits an estimated 106 million consumers

After a just-revealed hacking hit about 106 million customers of credit-card giant Capital One, experts are urging consumers to take six steps to protect themselves from identity thieves.

“The No. 1 thing consumers should do to protect their identities is to freeze their credit” by contacting each of the three major credit bureaus: Equifax, Experian and TransUnion, says Ted Rossman, an industry analyst for

His firm, based in Austin, Texas, is an online marketplace that lets consumers compare credit cards and get news and advice about them.

Freezing your credit is “free, quick and easy,” Rossman says. “You can do it online or over the phone. This is the best way to prevent a criminal from opening an unauthorized account in your name.”

According to Rossman, only about 1 in 4 adults in the U.S. have frozen their credit.

More tips from him and others:

  • Change your passwords regularly.
  • Consider using a password aggregator such as LastPass to ensure strong, unique passwords for all your logins. Its basic service is free; its premium service costs $3 per month. According to Rossman, more than 8 in 10 adults in the U.S. reuse the same password, which he calls a “major security vulnerability.”
  • Obtain your credit reports from Equifax, Experian and TransUnion, and monitor them for suspicious activity.
  • Regularly scrutinize statements for your credit cards and other accounts for signs of unauthorized activity.
  • Consider signing up for 24/7 credit monitoring so you can learn immediately if someone tries to open an account in your name.

Like others concerned about cyberfraud, Rossman says the frequency of gigantic data breaches — affecting firms such as Equifax, Marriott International, Target and Home Depot — means people need to assume their personal data already has been compromised. “This [breach] surely won’t be the last, so take defensive actions now,” he urges.

At WalletHub, a free credit-score website, CEO Odysseas Papadimitriou agrees that most consumers’ personal information probably already has been stolen — at least once.

Capital One says so far it has found:

  • Approximately 100 million people in the U.S. and 6 million in Canada had their data compromised.
  • The largest category of stolen data involved information supplied by consumers and small businesses when they applied for credit cards from 2005 to early 2019.
  • That information includes names, addresses, phone numbers, email addresses, dates of birth and self-reported income.
  • About 140,000 U.S. Social Security numbers were hacked, along with about 1 million of the Canadian equivalent, known as Social Insurance Numbers.
  • About 80,000 linked bank accounts belonging to credit card customers also were accessed.
  • Beyond the credit card application data, information such as credit scores and limits, balances, payment history and contact information also was seized, as well as fragments of transaction data from a total of 23 days during 2016, 2017 and 2018.

Consider the findings of the Privacy Rights Clearinghouse, a San Diego-based consumer protection group, which says that 9,002 data breaches have been reported in the U.S. since 2005 and that altogether nearly 11.6 billion records have been breached. One of the major breaches was at Equifax, which last week reached an agreement with the Federal Trade Commission to pay as much as $700 million after a 2017 cyberattack compromised the data of 147 million people in the U.S.

“Recent Capital One credit-card applicants should certainly be more worried than usual, and especially vigilant, following the company’s data breach,” he adds.

More words of wisdom: Use two-factor authentication to confirm your identity when signing on to financial websites. Importantly, never respond to unsolicited phone calls and emails requesting your personal information.

The Capital One Financial Corp., a bank holding company that also offers bank accounts, auto loans and other services, disclosed Monday that it learned July 19 that personal information relating to its credit card customers and card applicants had been stolen.

It said it fixed a vulnerability in its computer system and began working with the FBI, which has arrested a suspect.

Capital One, in a statement on its website, says it will notify affected consumers in a variety of ways and make free credit monitoring and identity protection available to them.

“While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened,” said Richard D. Fairbank, chairman and CEO of Capital One, headquartered in McLean, Virginia, a Washington suburb. “I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

The hacking was blamed on Paige A. Thompson, 33, a Seattle-area woman who goes by the online alias of “erratic.”

Thompson, a former software engineer for a Seattle tech company, was charged in federal court on Monday. She is in custody and is slated to reappear in court in Seattle on Thursday.

FBI agents executed a search warrant at her residence Monday and seized electronic storage devices with copies of the filched data, the Department of Justice says. The hacking occurred over roughly four months ending on July 17, it says.

Thompson made statements on social media saying she had obtained the Capital One data and “recognizes that she has acted illegally,” according to a criminal complaint charging her with computer fraud and abuse. She faces up to five years in prison and a $250,000 fine.
