The Capital One data breach is believed to have exposed the personally identifiable information of more than 100 million customers in both the U.S. and Canada. But a new court filing claims the alleged hacker behind the breach, Paige Thompson, may have stolen data from more than 30 other organisations.
A memorandum filed Wednesday ahead of a detention hearing alleged that “multiple terabytes of data” were stolen by Thompson from dozens of organisations, some of which may have also included personally identifiable information. The filing states the specific types of data and the various organisations that were breached are still being investigated.
“The evidence recovered from Thompson’s residence suggests that Thompson intruded into servers operated, rented, or contracted by over 30 companies, educational institutions, and other entities,” the filing claims. “Although not all of those intrusions involved the theft of personal identifying information, it appears likely that a number of the intrusions did.”
The filing states that Thompson “represented that she neither sold, nor otherwise shared or disseminated any of the data that she stole (from Capital One or any other victim),” and that the government does not have reason to believe at this time that those claims are false.
Prosecutors say that Thompson is both a flight risk as well as a “danger to the community,” citing a “long history of threatening behaviour that includes repeated threats to kill others, to kill herself, and to commit suicide by cop.” They further cited an incident in which Thompson allegedly contacted an acquaintance at a California tech company and threatened to “shoot up” the campus.
The claims were earlier surfaced in court documents related to the detention of Thompson’s 66-year-old roommate Park Quan, who was found to be in possession of a massive arsenal of weapons and ammunition despite prior felony convictions. This week’s filing claimed that “given Thompson’s recurrent threats to commit violence against herself and others,” her ability to access the weapons in Quan’s bedroom “is obviously of concern.”
Attorneys for Thompson did not immediately return a request for comment.
Capital One announced the data breach, one of the largest in history, on July 29. In addition to compromised PII from credit card applications — including phone numbers, email and home addresses, full names, and dates of birth — the company said that 140,000 Social Security numbers and 80,000 linked bank accounts, among other data, were also exposed.
Thompson was charged with one count of computer fraud and abuse in connection to the Capital One breach. However, with respect to additional breaches, prosecutors said the government is prepared to add “an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified.” Thompson’s detention hearing is scheduled for Aug. 23.