In 2025, Capital One experienced a significant data breach due to a misconfigured web application firewall (WAF). Attackers exploited this vulnerability to steal AWS credentials and access 100 million customer records. The breach highlighted critical gaps in regular WAF rule audits, enforcement of multi-factor authentication for privileged accounts, and real-time API activity monitoring. Post-incident, Capital One implemented Lacework's AI-driven anomaly detection, reducing false positives by 70% and halving response times.

The Washington State Office of the Attorney General reported a data breach involving Capital One on May 26, 2023. The breach occurred on February 1, 2023, affecting 605 Washington residents and potentially compromising their names, Social Security Numbers, and financial information.

The Maine Office of the Attorney General reported a data breach involving Capital One on June 16, 2023. The breach occurred between August 11, 2022, and May 22, 2023, due to insider wrongdoing, impacting one Maine resident and affecting a total of 82 individuals. Personal information compromised included names, credit card numbers, Social Security numbers, and other financial details, and 24 months of free credit monitoring was offered to the affected individual.

On March 22, 2021, the Maine Attorney General's Office reported a data breach involving Capital One, National Association, which occurred on November 10, 2020. The breach potentially exposed financial account numbers and affected a total of 426 individuals, including 2 residents of Maine. Although there is no evidence of data being breached, customers are at risk of future fraud, prompting notification and the offering of identity theft protection services.

In April 2021, the Maine Office of the Attorney General disclosed an insider wrongdoing breach at Capital One, occurring between September 2, 2020, and February 25, 2021. The incident involved an internal actor who improperly accessed and potentially compromised sensitive personal information of at least one Maine resident, including credit card account numbers and Social Security numbers. Such data exposure poses significant risks, including identity theft, financial fraud, and long-term reputational harm to the affected individual. In response, Capital One provided 24 months of free credit monitoring via TransUnion’s myTrueIdentity service to mitigate potential damages. The breach highlights vulnerabilities in internal controls, emphasizing the critical need for robust insider threat detection and access governance to prevent unauthorized data handling by employees or contractors.

The Maine Office of the Attorney General reported that Capital One experienced a data breach involving unauthorized access by a former employee from May 15, 2020, to June 2, 2020. A total of 1,277 individuals were affected, including eight Maine residents whose personal information such as names, addresses, Social Security numbers, and account numbers may have been accessed. Capital One has provided these residents with written notification and offered two years of free credit monitoring through TransUnion.

Capital One, the Virginia-based bank with a popular credit card business, announced that a hacker had accessed about 100 million credit card applications. It was also found that thousands of Social Security and bank account numbers were also taken. The FBI has arrested a Seattle-area woman, Paige A. Thompson, on a charge of computer fraud and abuse, according to court records. The hack was expected to cost the company between $100 million and $150 million in the near term.

In 2019, Capital One suffered a massive data breach exposing the sensitive personal and financial information of 100 million customers, including Social Security numbers (SSNs), bank account details, credit scores, and transaction data. The breach stemmed from a misconfigured firewall in the bank’s cloud infrastructure, exploited by a hacker who gained unauthorized access. Beyond the immediate data exposure, the incident eroded public trust, triggered regulatory scrutiny, and led to a $425 million class-action settlement—one of the largest in U.S. banking history. The settlement addressed both the breach and allegations of deceptive marketing tied to the bank’s 360 Savings accounts, where customers claimed they received lower interest rates than advertised. The fallout included financial restitution ($300M in cash payments, $125M in interest adjustments), reputational damage, and heightened compliance demands. The breach underscored systemic vulnerabilities in financial institutions’ cybersecurity practices, particularly in securing cloud-based customer data.

The California Office of the Attorney General reported a data breach by Capital One involving unauthorized access to personal information on August 12, 2019. The breach occurred on March 22 and 23, 2019, affecting approximately 140,000 Social Security numbers and 80,000 linked bank account numbers, along with various personal details of individuals who applied for or were customers of Capital One's credit card products.

The California Attorney General reported a data breach involving Capital One on February 6, 2017. The breach involved unauthorized access to customer accounts using stolen usernames and passwords, potentially affecting personal information such as names, addresses, and account numbers. Specific details about the number of individuals affected and the exact date of the breach are unknown.

The California Office of the Attorney General reported a data breach involving Capital One Services, LLC on August 9, 2018. The breach occurred between January 27, 2017, and April 20, 2017, potentially affecting personal information of 586 California residents, including names, addresses, account numbers, telephone numbers, transaction history, dates of birth, and Social Security numbers.