Published May 16, 2025 
read
Capital One data breach settlement 2025: what you need to know
After the Capital One data breach in 2019, millions of affected customers took part in a class action lawsuit. In 2022, a $190 million class action settlement was reached. Eligible customers were offered cash reimbursement, as well as identity defense and restoration services.
This article will explore how the cybersecurity incident played out and discuss the Capital One Bank settlement details. We will also highlight the importance of safeguarding your personal and financial information and knowing how to protect yourself in the event of a banking data breach.
Capital One data breach settlement 2025 disclaimer: Non-monetary compensation is available through 2028. Please note that monetary compensation is now closed, and the deadline to file your claim has passed.
Background: The Capital One data breach
What happened in 2019?
On March 22 and 23, 2019, Capital One suffered a data breach that affected over 100 million individuals, including 98 million U.S. customers and about 6 million customers from Canada. The server Capital One was using, operated by Amazon Web Services, was breached by a software engineer who had previously worked for the cloud hosting company. The perpetrator boasted online about stealing the data and was quickly captured by the Federal Bureau of Investigation (FBI).
Who was affected?
The breach exposed the personal information of American and Canadian customers, including individuals and small businesses, who applied for Capital One credit card products between 2005 and 2019.
What data was exposed?
The customers’ personal and financial information was compromised during the breach, including:
- Names
- Street addresses
- Zip codes
- Phone numbers
- DOBs
- Income provided by customers
- Credit scores and limits
- Balances and payment history
- 140,000 SSNs
- 80,000 bank account numbers of credit card customers
- 1 million Canadian Social Insurance Numbers
What is the Capital One settlement about?
Overview of the class action lawsuit
A class action lawsuit was filed in the U.S. District Court for the Eastern District of Virginia, before turning into multi-district litigation. The lawsuit accused Capital One of internal negligence and failure to take reasonable cybersecurity measures to protect the customers’ personal information. Plaintiffs also cited delayed breach notifications, as Capital One publicly came forward about the breach a few days after discovering the incident.
Capital One’s response and settlement terms
I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.
After the incident, the bank cooperated with federal law enforcement and conducted a thorough internal investigation. They claim to have fixed the firewall configuration issue immediately and introduced extensive cybersecurity upgrades.
Here are the Capital One bank settlement details:
- Cash reimbursement for documented financial losses and time spent dealing with the breach.
- Non-monetary compensation, including identity protection and restoration services free of charge until February 13, 2028.
Total payout and fund breakdown
Capital One set up a $190 million settlement fund to compensate the affected customers.
- Out-of-pocket expenses compensation (up to $25,000) was provided to affected customers who were able to present proof of unauthorized charges or fraud-related bills.
- General compensation (ranging from $50 to $250) was offered to customers who didn’t suffer major financial losses.
- Lost time compensation ($25 per hour for a maximum of 15 hours).
Who was entitled to payments?
Only Capital One customers who were directly affected by the 2019 data breach were eligible for settlement payments. To qualify, individuals had to meet all of the following criteria:
- Received a formal notice from Capital One stating that their information was exposed in the 2019 data breach.
- Had their personal information compromised during the breach.
- Submitted a valid claim form before the deadline.
- Provided proof of financial losses or expenses related to the breach, such as fraud charges, identity theft costs, or time spent resolving issues
Those who met these requirements could receive reimbursement or identity protection services, depending on their claim type.
Time period of breach coverage
Here is a breakdown of the Capital One settlement payment timeline:
| Milestone | Date |
|---|---|
| Settlement finalized | September 13, 2022 |
| Claim submission deadline | September 30, 2022 |
| First payment | September 28, 2023 |
| Second payment | September 4, 2024 |
| Identity protection services expiration | February 13, 2028 |
Can you still be eligible for monetary compensation?
All monetary compensation windows have now closed. Capital One has confirmed that the settlement is final, and the deadline to file claims or request reissued payments has passed. This means you are no longer eligible to receive any financial compensation from the settlement, even if your information was exposed.
If you received a check and haven’t deposited it, please be aware that uncashed checks are now void. Attempting to cash or deposit one may result in it being returned as unpaid, potentially leading to bank fees.
What benefits are still available for the Capital One data breach settlement 2025?
At this stage, the only active benefits available to settlement class members are identity defense and restoration services. Both are offered free of charge and will remain available until 2028.
| Benefit | Status | Details |
|---|---|---|
| Financial compensation | Closed | No new claims or payments will be processed. |
| Identity defense services | Open | Free dark web monitoring, identity monitoring with authentication alerts, lost wallet protection, security freeze help, and $1M identity theft insurance through Pango. |
| Restoration services | Open | Free fraud resolution support from a U.S.-based specialist (e.g., placing fraud alerts, disputing inaccurate credit info, scheduling calls with creditors and other service providers), as well as law enforcement and government agencies support. |
Who can enroll in identity defense services?
Eligibility criteria
To enroll for identity defense and restoration services, you must fulfill the following Capital One bank settlement 2025 eligibility criteria:
- Have been a part of the original breach class
- Received a breach notification from Capital One
How to activate your protection
All services are provided through Pango. You can enroll at any point while the service is active (until February 13, 2028), regardless of whether you submitted a claim for monetary compensation.
To activate your protection, call Pango at 505-896-7416 or enroll online at the official Identity Defense site.
Why it matters: protecting yourself long-term
Unfortunately, no organization, no matter how large, is entirely immune to data breaches. And when a breach happens once, it can happen again. Capital One is a case in point: the company is now facing a new class action lawsuit stemming from another very similar breach that occurred between 2022 and 2023.
According to the lawsuit, a former Capital One employee gained access to the company’s poorly secured systems, exposing the personally identifiable information of thousands of the corporation’s customers. This second breach highlights the ongoing risks consumers face.
What the Capital One data breach incidents reveal about data risks
Capital One and similar breaches highlight the ongoing dangers of exposed personal information and how easily that data can be exploited. Once compromised, your information doesn’t just disappear. It can resurface on the dark web at any time. Bad actors may combine it with your personal details available in public records and people-search sites, and build a full identity profile. This creates ongoing risk for affected individuals, including account takeovers, credit card and tax fraud, synthetic identity theft, and more. Even years after a breach, your data may still be in circulation, and still highly valuable to bad actors.
How to track and protect your personal information after a data breach
To safeguard yourself, it’s important to minimize your online exposure and keep a close eye on your finances. Here are some steps you can take after a data breach:
- Set up credit activity alerts to track all changes in your credit report, such as new accounts opened, balance changes, or changes in your credit limit.
- Monitor the dark web for stolen information.
- Set up fraud alerts with the major credit bureaus to add an extra layer of protection and prevent bad actors from getting credit in your name.
- Monitor the public web for any personal details and remove your exposed information whenever possible. Also, proactively limit what you share on social media and the internet.
How Onerep helps you monitor people-search sites and keeps your information away from public searches
Removing your details from people-search sites cuts off anyone’s access (bad actors included) to your publicly available personal data. Onerep offers a free scan of 200+ people-search sites to check where your information is listed. Then, the service sends opt-out requests on your behalf to get the information taken down. The process is automated and repeated regularly to make sure your data isn’t republished after some time, and stays hidden from Google and other search engines.
FAQs
What is the Capital One settlement amount?
The Capital One settlement fund was set at $190 million. Eligible customers received up to $25,000 for proven financial losses, or between $50 and $250 for minor financial losses, along with $25 per hour for up to 15 hours of lost time dealing with the breach.
How do I know if I’m eligible for the Capital One settlement payments 2025?
Even if you fulfill the eligibility criteria, you can’t receive a Capital One settlement payment in 2025. The claim-filing period and financial compensation period are both closed.
What’s the deadline to file my claim?
Eligible customers were welcome to submit a claim for monetary compensation by September 30, 2022. You can still access identity defense and restoration services free of charge until February 13, 2028.
Will I get cash, credit monitoring, or both?
In 2025, the only active benefits include identity defense and restoration services. Whenever you activate these services, they will expire on February 13, 2028.
Mikalai is a Chief Technical Officer at Onerep. With a degree in Computer Science, he headed the developer team that automated the previously manual process of removing personal information from data brokers, making Onerep the industry’s first fully automated tool to bulk-remove unauthorized profiles from the internet.