On July 29, Capital One announced that a hacker obtained the personal information of approximately 106 million customers.

On the same day as the announcement, the Department of Justice disclosed the arrest of Paige Thompson, a former software engineer at Amazon, in connection with the breach. In its new complaint against Thompson, obtained by Compliance Week, the Department of Justice referred to the threat or harm caused by Thompson as being “massive.”

“The nature and circumstances of the offense with which Thompson is charged are tremendously serious,” the complaint states. “Thompson is charged with committing one of the largest cyber intrusions and data thefts in history.”

According to the complaint, filed Aug. 13, “the government’s investigation over the last two weeks has revealed that Thompson’s theft of Capital One’s data was only one part of her criminal conduct. The servers seized from Thompson’s bedroom during the search of Thompson’s residence include not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities.”

Specifically, Thompson, who used the codename “erratic,” posted messages on Slack that contained caches of hacked files. The companies and organizations mentioned include Vodafone, Ford, Infoblox, Michigan State University, and more.

Compliance Week reached out to some of the potentially victimized companies. “We take security very seriously,” said a Vodafone spokesperson. “Vodafone is not aware of any information that relates to the Capital One security breach.”

MSU said it is investigating the situation. “MSU is aware that Ms. Thompson named our university as a place that she allegedly hacked, and we have been looking into any threats to our system,” said a university spokesperson. “At this point, however, we have no reason to believe our system was compromised. We continue to monitor the situation and cooperate with all law enforcement groups investigating this issue.”

Infoblox, too, said at this time it “has no evidence that any of its, or its customers’, information was compromised as a result of the suspected hacker’s activities.”

Cost implications

Although much of the data involved in the theft doesn’t appear to contain personally identifiable information, “it appears likely that a number of the intrusions did,” according to the complaint. “Moreover, even if it is true that the government recovered all of the stolen data, the impact of Thompson’s crime will be immense.”

Capital One alone, for example, faces 48 separate lawsuits and has estimated that it will incur $100 million to $150 million of additional costs in 2019 and will likely incur even higher costs before the consequences of Thompson’s actions are fully resolved. “Presumably, many of the other victims of Thompson’s intrusions and thefts also will incur substantial costs,” the complaint states.

The government also said it “expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified.” As it is, Thompson faces up to five years in prison and a $250,000 fine.

At this time, the government said in court documents that it is “continuing to work to identify specific entities from which data was stolen, as well as the type of data stolen from each entity.”