Capital One: Another data breach response misses the mark

American consumers are getting very familiar with data breaches. Between Equifax, Target, Marriott, and others, they have heard every conceivable response tactic from companies that want to minimize damage and move forward.


Cut to Capital One, the latest company forced to take this walk of shame, which on Tuesday announced that their customer database had been hacked 10 days prior, with over 100 million customers affected.


Capital One has an uncommon advantage for a company in crisis: the opportunity to learn from a large set of high-profile, recent case studies. Their press release, however, shows that while they have avoided some common mistakes, they have plenty of room to improve.

Apologize Before you Explain:

One of the most important things for a company to do in a crisis is to take responsibility for the situation and validate the audience’s concerns. With lawyers, finance, and PR all competing for control of the message, that is often a difficult task. Capital One’s CEO, Richard Fairbank, makes an effort in this area by delivering a personal apology:

“I am deeply sorry for what has happened. I sincerely apologize for the understandable worry this incident must be causing those affected and I am committed to making it right.”

- Capital One CEO Richard Fairbank

The language of the apology is effective, and the fact that it comes directly from the CEO makes it even stronger. But it is buried in the middle of the press release; by the time the reader reaches this apology, they have already learned that Capital One waited 10 days to announce the attack and that the FBI arrested the suspect.

In the first public response following a crisis, you have one chance to immediately answer the audience’s core question of “should I be worried”. By opening with details on the criminal investigation rather than assurance and empathy, Capital One has answered that question: Yes.

Don’t Nitpick the Numbers

The most baffling part of Capital One’s response comes as they attempt to minimize the severity of the attack.

No bank account numbers or Social Security numbers were compromised, other than:

  • About 140,000 Social Security numbers of our credit card customers
  • About 80,000 linked bank account numbers of our secured credit card customers

For our Canadian credit card customers, approximately 1 million Social Insurance Numbers were compromised in this incident.

That’s right: absolutely no social security numbers were lost… except for 140 thousand. And over a million if you count Canada.


Humans are notoriously bad at grasping large numbers. Consider if Capital One had lost triple the number of US Social Security numbers it reports: would 420 thousand make the situation feel different from the reported 140 thousand? How about 10 million? Most likely not. For the average consumer, the difference between 100 thousand and 1 million doesn’t matter – the only difference that matters is between 0 and “me”.

While Capital One’s response succeeds in taking ownership of the issue and detailing the precise actions they will be taking to make it right, it falls short by burying the apology and focusing on unimportant numbers. Hopefully, Capital One can let their actions speak as they work to survey the damage and help the affected customers.

Lee Carter is president of maslansky + partners and oversees a diverse range of communication and language strategy work for Fortune 100 and 500 companies, trade associations, and non-profits in the U.S. and globally. A communication research veteran, Lee has conducted and analyzed more than one thousand instant response dial sessions, traditional focus groups and client strategy sessions. Lee has also written and overseen hundreds of language surveys and polls in more than 15 countries.