Washington, D.C. – U.S. Senator Catherine Cortez Masto (D-Nev.) joined Senate Banking Committee Democrats, led by Senator Sherrod Brown (D-Ohio), in demanding that Capital One take action to protect the more than 100 million consumers impacted by the March 2019 data breach. The Senators lay out how Capital One has failed to take adequate steps to correct the many deficiencies leading to the breach.
“To date, we believe Capital One has not taken sufficient steps to make good on its commitment to protect consumers from further harm,” wrote the Senators. “These deficiencies mean that: (1) consumers do not know whether their personal information has been breached; and (2) Capital One may limit the number of consumers for whom it will have to provide free credit monitoring and identity protection services.
The Senators have requested the Capital One provide detailed answers by September 20, 2019.
A full copy of the letter can be found HERE and below:
Dear Mr. Fairbank:
We write to express our concern that Capital One has not taken sufficient action to protect the more than 100 million consumers who have been impacted by the recent data breach. We ask that you take steps to provide immediate protections to ensure that these consumers suffer no further harm.
On July 29, 2019, Capital One publicly disclosed a data breach affecting more than 100 million consumers in the United States. The breached data was primarily related to credit card applications from 2005 through 2019, and included consumers’ names, addresses, zip codes, phone numbers, email addresses, and dates of birth. The breached data also included Social Security numbers for 140,000 consumers and bank account information for 80,000 consumers with secured credit cards.
In response to the breach, Capital One has stated that it would provide “Free credit monitoring and identity protection . . . to everyone affected.” During a briefing on July 31, 2019, Capital One specifically told this Committee’s staff that it would provide free credit monitoring and identity protection to all Capital One customers who request it, regardless of whether they are part of the affected consumers.
To date, we believe Capital One has not taken sufficient steps to make good on its commitment to protect consumers from further harm. On August 22 and September 4, 2019, Committee staff called the 1-800-227-4825 customer service number listed on the Capital One webpage that provides information regarding the data breach. This telephone number is Capital One’s general customer service line, not a dedicated line for consumers to call about the data breach or to request free credit monitoring and identity protection. When Committee staff called that number, there was no dedicated numerical option (e.g., press 1) for inquiries about the data breach or to request free credit monitoring. Eventually, staff were able to reach a Capital One customer service representative by pressing “0.” Based on staff’s discussion with the Capital One customer service representative, Capital One is not clearly communicating with consumers about their eligibility for free credit monitoring and identity protection services. Nor does it appear that those services are yet available for consumers when they call in to request them.
As described above, it is clear that Capital One has not established an effective process for consumers to request free credit monitoring and identity protection services. The deficiencies in Capital One’s process include the following:
- Capital One has not established a dedicated telephone number for consumers to call to inquire about the data breach or to request free credit monitoring and identity protection;
- Capital One offers no easy way for consumers to request free credit monitoring. There is no numerical prompt (e.g., press 1 if you are calling about the data breach or to request free credit monitoring);
- There is no online option for consumers to request free credit monitoring and identity protection;
- Capital One does not clearly communicate with consumers who call in about eligibility for free credit monitoring and identity protection;
- There appear to be lengthy delays for affected or potentially affected consumers to receive the free credit monitoring and identity protection; and
- It appears that Capital One is not providing any kind of online notification of the breach to consumers through their online Capital One accounts.
These deficiencies mean that: (1) consumers do not know whether their personal information has been breached; and (2) Capital One may limit the number of consumers for whom it will have to provide free credit monitoring and identity protection services.
To provide clarification and additional information on Capital One’s process to assist its consumers, please answer the following questions and provide the Committee the requested information by September 20, 2019.
- Has Capital One identified any additional populations of affected or potentially affected consumers beyond what it has publicly disclosed? If so, state the number of such consumers and the types of breached data (e.g., Social Security number) for these consumers.
- Will Capital One provide a dedicated phone line for those affected by the breach?
- Please provide the date you sent a breach notification letter to the 140,000 consumers whose Social Security numbers were stolen and the 80,000 consumers whose bank account numbers were stolen.
- Please provide to the Committee a copy (template) of the letter you sent (or will be sending) to the above consumers.
- Please state whether Capital One will provide free credit monitoring and identity protection to all Capital One consumers who request it—regardless of whether the consumer is part of the population of affected or potentially affected consumers.
- As of the date of your response, how many consumers have requested free credit monitoring and identity protection? Please indicate the number of these consumers to whom Capital One has sent breach notification letters.
- Please state the begin date for when harmed or potentially harmed consumers can receive free credit monitoring and identity protection.
Thank you in advance for your response to our requests.