Security Public Statement — Capital One (2019)

Public breach disclosure and customer notification; illustrates same-day press release style aligned with SEC filing and law enforcement context.


Purpose

This document prepares a formal external statement framework for 2019, balancing accuracy, legal sensitivity, and audience trust. It helps communications, legal, and security teams present consistent facts, remediation posture, and next steps without overstatement or omission.

Hallucinated writing examples

Scenario: In an illustrative period following the 2019 Capital One cloud breach and related enforcement and litigation tracks (time), the Security Director (role) prepares a security public statement (type) for leadership stakeholders (audience).

PRESS RELEASE — FOR IMMEDIATE RELEASE

Subject: Capital One Announces Data Security Incident; Law Enforcement Notified
Date: July 29, 2019
Contact: [Media relations]

Capital One Financial Corporation (NYSE: COF) announced today that it has identified unauthorized access by an external actor to certain customer data stored in the Company's cloud infrastructure. The Company promptly fixed the vulnerability, notified federal law enforcement, and is cooperating with the investigation. An individual has been arrested in connection with the incident.

On July 19, 2019, the Company learned of the incident through a responsible disclosure from a security researcher. The access involved data stored in infrastructure hosted on Amazon Web Services (AWS). The vulnerability has been secured and forensic evidence has been preserved for law enforcement and our investigation. The Company is not aware of any use or dissemination of the information for fraud; the investigation is ongoing.

The incident affects approximately 100 million individuals in the United States and approximately 6 million in Canada. Information involved includes data provided in connection with credit card and other consumer product applications, including names, addresses, dates of birth, and income. For a subset of individuals, Social Security numbers or bank account numbers were also accessed. Credit card account numbers and log-in credentials were not compromised. The Company has no evidence that the information has been used for fraud or disseminated.

The Company has remediated the vulnerability, strengthened controls, and is notifying affected individuals. Free credit monitoring and identity protection services are being offered to affected customers. A dedicated webpage and phone line have been established for customer inquiries. We take our responsibility to protect customer information seriously and apologize for any concern this may cause.

Affected customers are encouraged to enroll in the offered credit monitoring, to monitor account and credit activity, and to be alert to phishing. The Company will not request full Social Security numbers or passwords by email or phone. For more information: [URL]. The Company is committed to protecting customer information and meeting its legal and regulatory obligations.

Document-type guide: Security Public Statement Draft

Writing tips: Writing best practices — Security Public Statement

© 2026 Yi Zhang. Licensed under the MIT License.
Last updated: 2026 April 17 9:37 AM