Federal prosecutors say a woman charged in a massive data breach at Capital One may have hacked more than 30 other organizations.
Paige Thompson, of Seattle, was arrested last month after the FBI said she obtained personal information from more than 100 million Capital One credit applications. There is no evidence the data was sold or distributed to others.
In a memorandum filed ahead of a court hearing Thursday, the U.S. Attorney’s Office in Seattle said servers found in Thompson’s bedroom contained data stolen from more than 30 unnamed companies, educational institutions and other entities.
Prosecutors said much of that data did not appear to contain personal identifying information. Investigators are still working to identify the affected organizations.
“The government expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified,” prosecutors said.
Prosecutors didn’t name the other companies thought to have been targeted by the hacker, but Israeli security firm CyberInt told TechCrunch the list includes British telecom firm Vodafone, carmaker Ford, Michigan State University and the Ohio Department of Transportation.
Thompson’s attorney did not immediately respond to an email seeking comment Wednesday.
The initial hack was allegedly performed by a former Amazon employee who was able to tap into information stored on Amazon Web Services. The data included personal information, including more than 140,000 Social Security numbers and over a million Canadian Social Insurance numbers. The information was gleaned from credit card applications.
Thompson has a bail hearing set for Aug. 22, and prosecutors have asked the court to deny bail. “Thompson has a long history of threatening behavior that includes repeated threats to kill others, to kill herself, and to commit suicide,” prosecutors said.
Before the new hack was made public, Thompson was looking at a potential five years in prison and a fine of up to $250,000.
“The evidence that Thompson committed this crime is overwhelming,” said prosecutors in their filing. “It includes forensic evidence linking Thompson to the data theft, which resulted in this Court’s issuance of a warrant to search Thompson’s residence. It includes the fact that the government recovered data stolen from Capital One on a server recovered from Thompson’s bedroom. And, it includes the fact that Thompson admitted to agents on the morning of the search that she had committed this intrusion.”
Prosecutors said they came to realize that Capital One was not the only organization hacked: Thompson had also stolen multiple terabytes of data from more than 30 other companies, educational institutions, and other entities. “At this point…the government is continuing to work to identify specific entities from which data was stolen, as well as the type of data stolen from each entity. The government expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified.”
Beyond the hack, prosecutors also said they found an “arsenal” of weapons, along with ammunition and explosive material, at the apartment Thompson shared with a convicted felon.
Thompson’s hack has “caused hundreds of millions of dollars of damage,” prosecutors said. Capital One had pegged the cost of the hack at between $100 million and $150 million.