New Allegations: Capital One Suspect Stole From 30+ Organizations

The woman allegedly responsible for the massive breach of customer data at Capital One stole data from 30 other organizations, according to new information from prosecutors.

In a new court filing, they alleged that Paige Thompson stole terabytes of information from enterprises, educational institutions and other organizations, although she claims not to have sold or distributed any of it to others.

The information is being revealed as part of efforts by prosecutors to persuade the judge to deny bail.

It alleges that Thompson has a history of threatening behavior, including threats to kill others and herself. She is also said to have harassed a couple for seven years, forcing them to obtain a protection order.

Investigators found the new information on data breaches on servers in Thompson’s bedroom.

“That data varies significantly in both type and amount. For example, much of the data appears not to be data containing personal identifying information,” the court filing explained.

“At this point, however, the government is continuing to work to identify specific entities from which data was stolen, as well as the type of data stolen from each entity. The government expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified.”

It’s claimed that the Capital One breach affected over 100 million American and Canadian customers and applicants, including consumers and small businesses.

The trove included 140,000 Social Security numbers, 80,000 linked bank account numbers and one million Canadian Social Insurance numbers.

Although Thompson most recently held a position as software engineer with Amazon Web Services, the cloud provider reportedly said that the breach of its client Capital One was not the result of any insider knowledge. It is said to have been made possible by a misconfigured web application run by the bank on AWS infrastructure.

A detention hearing at a federal court in Seattle is set for August 22.

What’s Hot on Infosecurity Magazine?