Capital One announced a massive data breach on Monday, July 29, reporting that a hacker accessed the information of over 100 million Americans and 6 million Canadians who have applied for credit cards since 2005.
The company says the applications the hacker accessed were from 2005 through early 2019 and contained consumers' personal information including names, addresses, zip codes, email addresses, phone numbers and dates of birth.
Beyond the credit card application information, Capital One says the hacker also obtained "portions" of credit card customer data such as credit scores, credit limits, payment history and bits of transaction data. Bank numbers and Social Security numbers were compromised for roughly 140,000 U.S. credit card customers and about 80,000 secured credit card customers who had their linked bank account numbers accessed.
Capital One says it has already fixed the vulnerability in its system and will continue to investigate. Paige Thompson, the hacker responsible for the breach, was arrested by the FBI and made her initial court appearance on Monday, according to the Justice Department.
While the hacker has been apprehended, there are still a few steps experts recommend taking if you think you may have been affected.
Capital One will be notifying affected consumers through "a variety of channels," the company said Monday. It's probably easier to wait until you're contacted, rather than calling or emailing the company to find out if you were impacted.
In the meantime, it's a good idea to change any passwords associated with your Capital One bank or credit card accounts. In fact, you should be doing this regularly, says CreditCards.com industry analyst Ted Rossman.
"Use a password aggregator such as LastPass to ensure strong, unique passwords for all of your logins," Rossman recommends. More than 80% of U.S. adults reuse passwords, which is a major security vulnerability, he says.
Capital One says it plans to offer free credit monitoring and identity protection to affected customers. But that may take some time to organize, so it might be best to set up your own. You can do it yourself by pulling your annual free credit reports, one each from Equifax, Experian and TransUnion.
You can also set up a free monitoring service through sites like Credit Karma, which will send you alert emails about any recent activity on your TransUnion or Equifax credit reports.
In addition to the Capital One monitoring, you may also be eligible for up to 10 years of free credit monitoring if you were affected by the massive 2017 Equifax data breach. The credit bureau entered a $700 million settlement last week and has opened a claims process.
Although Capital One says "it is unlikely that the information was used for fraud or disseminated," it never hurts to have some monitoring in place.
Freezing your credit report "is the best way to prevent a criminal from opening an unauthorized account in your name," Rossman says, adding that only about one in four U.S. adults have frozen their credit — despite major data breaches like Equifax in 2017 and Marriott in 2018.
If you want to freeze your credit reports and haven't already done so, you need to contact the three major credit bureaus, Equifax, Experian and TransUnion, separately. Keep in mind that you will need to unfreeze your credit if you're applying for any credit products in the future, like a personal loan, credit card or mortgage.
While a credit freeze will stop anyone from taking out a credit card or loan in your name, it's not a comprehensive solution, experts say.
"A credit freeze is not going to stop the bigger problems," says cyber-security expert Joseph Steinberg. "A credit freeze doesn't do much for identity theft. Everybody comes [to these breaches] with the assumption that there's something to do, and the reality is, sometimes, there isn't anything a consumer needs to do."
The biggest threat is not that a criminal could open a credit card in your name and make fraudulent transactions; that could be fixed quickly since credit card companies know about the problem, he says. "If someone got a driver's license in your name, that's a lot more of a serious problem for you," Steinberg says.
Last year, there were 1,244 data breaches reported, according to the Identity Theft Resource Center. While that's less than the number reported in 2017, the number of hacked consumer records that exposed sensitive information increased.
And each one of those hacks could lead to class-action lawsuits and investigations by regulators, like in the case of Equifax. While not all data breaches will result in a settlement, it's good to be prepared. Going forward, Charity Lacey, VP of communications at ITRC, tells CNBC Make It that it's important for consumers to take breach notifications seriously and document what they do in response.
The Identity Theft Resource Center's ID Theft Help app has a case log manager tool that can help you track any actions you take in response to a breach.
Ultimately, all consumers need to be vigilant about suspicious activity regardless of whether they were impacted by this most recent data breach. "The best an individual can do is keep an eye open for scammers contacting them," says independent computer security analyst Graham Cluley.
That includes fake emails or phone calls from criminals posing as Capital One. The financial company said Monday that Capital One is not calling or emailing customers to ask for information such as credit card, account information or Social Security numbers.