Crisis Review: Capital One Data Breach

By Michelle Wang

Executive Summary

A+ crisis response from Capital One. By taking the initiative to publish a statement about the case before anyone else could break the news, Capital One was able to prevent the spread of misinformation as well as mitigate damage to their reputation. A company that admits their mistakes is more likely to be seen in a positive light, as it comes across as a sincere move to alert stakeholders about an incident that has occurred. If you respond only after a news outlet has run the story (as seen in the case of Volkswagen’s Dieselgate) it might come across as a failed attempt to hide the incident.

What happened

On 29 July 2019, PR Newswire published a news release from Capital One announcing that on 19 July 2019, it had determined...

“there was unauthorized access by an outside individual who obtained certain types of personal information relating to people who had applied for its credit card products and to Capital One credit card customers."

According to the news release, the data breach involves data from more than 100 million US citizens and 6 million Canadian residents. Those affected by the breach are said to be people who applied for a credit card from the US bank between 2005 through 2019, and the news release states that the data includes roughly 140,000 US Social Security numbers, 80,000 linked bank account numbers, and 1 million Canadian Social Insurance Numbers.

Capital One adds that “no credit card account numbers or log-in credentials were compromised” and that more than 99% of the Social Security numbers that Capital One has on file weren’t affected. However, the breach includes data that can be obtained from credit card applications, such as names, addresses, ZIP codes, phone numbers, email addresses, and birth dates.

The news release outlines how Capital One was alerted to a vulnerability in their infrastructure on 17 July 2019, which led to an internal investigation that led to the discovery of the incident on 19 July 2019. Capital One’s news release confirms that they “immediately addressed the configuration vulnerability and verified there are no other instances in our environment” and promptly began working with federal law enforcement.

Both Capital One’s news release and the US Justice Department’s press release confirms that the person responsible has been arrested and taken into custody.

"While I am grateful that the perpetrator has been caught, I am deeply sorry for what has happened," said Richard D. Fairbank, Chairman and CEO. "I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right."

The verdict

A+ response from Capital One. By taking the initiative to publish a statement about the case before anyone else could break the news, Capital One was able to prevent the spread of misinformation as well as mitigate damage to their reputation.

The statement contains information that an external stakeholder would need to understand the situation: all the facts known about the incident, the steps Capital One took to address the breach and their cooperation with relevant authorities, and further actions that Capital One would undertake to assist those affected.

They showed clear empathy for those affected by the breach with a statement from Chairman and CEO Richard D. Fairbank, stating that they will be notifying the individuals “through a variety of channels” and will provide free credit monitoring and identity protection to the affected individuals.

They then reiterated their commitment to safeguarding their customers’ information, stating that Capital One will “incorporate the learnings from this incident to further strengthen our cyber defences,” and that they will continue to invest heavily in cybersecurity.

Capital One also created websites for both US and Canadian users to provide more information on the incident, what they were doing to respond, and a brief note that additional information will be updated on the websites as investigations unfold. The end of their news release also includes a section that aims to answer certain questions about the incident, such as the source of the incident and how it was discovered. Capital One’s news release follows our suggested crisis response model and Coombs’ situational crisis communication theory (2014):

1. Explain the facts (what we know)

2. Explain what we don’t know yet

3. Explain what we’re doing to fix it

4. Explain what the customer can do (e.g. where to get more information or on-going updates)

It’s clear from the news release and the release timing that Capital One is dedicated to resolving this incident and assisting those affected, and the clarity of the information provided as well as the simple wording used to convey the information further supports this.