Skip to content

Customer Security Explanation (Capital One 2019)

Use this to explain a security topic or incident to customers in clear, non-technical language; supports notification obligations and trust.

Hallucinated writing examples

Scenario. On July 29, 2019, the same day the Company publicly discloses the breach and the FBI arrests the individual responsible (time), the Chief Information Security Officer (role) is asked to draft the formal customer notice (type) for affected customers (audience) that will be used for breach notification and the dedicated incident webpage. The notice must be accurate, aligned with the public statement and legal/compliance requirements, and written in plain language for affected customers in the United States and Canada. It will be reviewed by Legal and Communications before publication.

CUSTOMER NOTICE — DATA SECURITY INCIDENT

Date: July 29, 2019
Subject: Important information about a data security incident that may affect your personal information

What happened. On July 19, 2019, we learned that an unauthorized individual had obtained access to certain customer data stored in our cloud environment. We fixed the vulnerability promptly, preserved evidence, and reported the matter to federal law enforcement. On July 29, 2019, an individual was arrested in connection with this incident. We are cooperating fully with the investigation. We are notifying affected individuals and providing this information so you can take steps to protect yourself.

What information was involved. The information accessed included data you provided when you applied for our credit card products or other consumer products, such as your name, address, date of birth, and income. For a subset of individuals, Social Security numbers or bank account numbers were also accessed. The incident did not involve your credit card account numbers or your log-in credentials. We have no evidence that the information has been used for fraud or shared publicly. The incident affects approximately 100 million individuals in the United States and approximately 6 million in Canada.

What we are doing. We have fixed the vulnerability, strengthened our controls, and are notifying affected individuals. We are offering free credit monitoring and identity protection services to affected customers. We have established a dedicated webpage and phone line for your questions and will continue to update our response as we learn more. We take our responsibility to protect your information seriously and apologize for any concern this may cause.

What you can do. We encourage you to enroll in the free credit monitoring we are offering. Monitor your account statements and credit reports for any unauthorized activity. Be cautious of phishing attempts; we will not ask you for your full Social Security number or your account password by email or phone. For more information and to enroll in credit monitoring, visit [URL] or call [toll-free number]. Our FAQ is available at [URL]. Additional resources: [Link to FTC identity theft resources.] [Contact for questions.]

Official document (customer-facing breach communication)

Capital One’s July 29, 2019 public statement and customer notifications are the primary examples of how the company explained the breach to customers: what happened, what data was involved, what the company was doing, and what customers could do.

  • Capital One public statement (2019): Capital One Announces Data Security Incident — official announcement: incident summary, data types affected, steps taken, and customer actions (e.g., credit monitoring).
  • Settlement / consumer relief: Capital One Settlement — compensation and credit monitoring for affected individuals; shows how customer communication ties to legal and remediation commitments.
  • FTC / state notification: Breach notification laws (e.g., state laws, FTC) shape what must be disclosed and when; customer explanations must align with legal obligations.

Customer-facing explanations are public; the 2019 statement and settlement site show tone, structure, and level of detail used in practice.

Writing analysis

How customer security explanations are typically structured

  • What happened — Simple description of the event or topic.
  • What information was involved — Types of data (e.g., name, email) and whether exposed or not.
  • What we are doing — Steps taken to protect data and prevent recurrence.
  • What you can do — Practical steps (check statements, enable MFA, watch for phishing).
  • How to get help — Contact, FAQ, or support channel.
  • Additional resources — Links to credit monitoring, identity protection, or more detail.

What to emulate

  • Plain language; avoid jargon and legalese so customers can act.
  • Align with internal facts and legal/compliance requirements so the message is accurate and consistent across channels.
  • Clear “what you can do” and “how to get help” so customers have a path forward.

What to improve

  • Avoid minimizing impact or over-promising; stick to facts and committed actions.
  • Ensure one source of truth (e.g., one page or FAQ) so support and legal stay aligned.
Last updated: