Montreal-based clients of Capital One are still struggling to figure out if they are affected by a massive data breach, with some saying getting through to the company for answers has been difficult.

Vanessa Torres said she’s trying to determine if her Costco credit card was compromised by the breach, which affected 100 million people in the United States and another six million in Canada.

“It’s scary to just know that they’re not handling our information as they should,” she said. “I mean, you hear about these breaches all the time, you think they would be stepping up their game.”

The breach saw several types of information compromised, including birth dates, addresses, phone numbers but also possibly credit scores, payment history, some transaction histories and one million Social Insurance Numbers.

Torres said she’s tried reaching out to Capital One, which issues the Costco card as well as Hudson’s Bay cards, but was placed on hold for 45 minutes.

“No emails, no phone calls, no nothing,” she said. “I went to the mailbox again this morning and again, not a word.”

According to the company, it’s not year clear if any of the leaked information has been sold or fraudulently used. Montreal lawyer Jeff Orenstein has launched a class action lawsuit against Capital One’s Canadian division on behalf of a Quebec customer, arguing the bank failed to adequately protect its clients and waited too long to notify them.

“Capital One credit card holders had their personal and private information compromised in an incident that occurred on March 22 and 23, 2019, but we only found out about this breach on July 29,” he said.

Thus far, 400 Canadians have signed up for the class action suit.

Cybersecurity expert Mourad Debbabi said companies need to put up more barriers to potential hackers.

“Through each door, you need a new attack so the probability to get, let’s say 10 new attacks is extremely low, so this is about bringing the likelihood down,” he said, adding that big banks risk losing millions of customers if they don’t prioritise protecting personal information.

“Companies need to be much more serious,” he added. “They need to invest in proper security technologies, they need to train their personnel.”