Capital One hack suspect may have breached more than 30 organizations
Federal prosecutors say the suspect charged in a massive data breach at Capital One may have hacked more than 30 other organizations.
Paige A. Thompson, a 33-year-old former Amazon employee from Seattle, was arrested last month after the FBI said she obtained personal information from more than 100 million Capital One credit applications. There is no evidence the data was sold or distributed to others.
In a memorandum filed ahead of a detention hearing, rescheduled from Thursday to Aug. 22, the U.S. Attorney’s Office in Seattle said servers found in Thompson’s bedroom contained data stolen from more than 30 unnamed companies, educational institutions and other entities.
Prosecutors said much of that data did not appear to contain personal identifying information. Investigators are still working to identify the affected organizations. Thompson’s attorney did not immediately respond to an email seeking comment Wednesday.
Behind the Capital One hack
Thompson started hacking into corporate databases as early as March this year, according to a complaint filed by the Justice Department. That same month she allegedly accessed customer files at Capital One, which uses Amazon’s “cloud” storage products.
According to the complaint, Thompson downloaded millions of files for Capital One customers, mostly relating to credit card applications. The hacker is accused of compromising names, phone numbers and addresses, as well as 120,000 Social Security numbers and 77,000 bank account numbers.
In June, the hacker began posting some of the stolen Capital One files on GitHub, the online community used by web developers to share programming code, according to federal prosecutors. She also allegedly posted information on the hack under her online handle “erratic” on her Twitter account and in a group chat on the messaging platform Slack. Shortly after, in mid-June, a person flagged the messages to Capital One, which notified the FBI.
The Capital One breach comes on the heels of a report that credit reporting agency Equifax may have to pay up to $700 million over a 2017 data breach. That breach involved the Social Security numbers and home addresses of nearly 148 million Americans. According to the Justice Department, computer fraud is punishable by up to five years in prison and a $250,000 fine.