Capital One hacker may have hacked more than 30 other companies, claim prosecutors
Paige Thompson could face up to five years in prison if found guilty
The hacker accused of stealing the personal information of 106 million customers of Capital One could have hacked as many as 30 other organisations.
That's according to a court document filed by prosecutors in Seattle, Washington State this week, which shines a light on ex-Amazon engineer Paige Thompson's alleged crimes.
In the filing, officials claim that their investigation has "revealed that Thompson's theft of Capital One's data was only one part of her criminal conduct".
After seizing servers from Thompson's bedroom, they not only discovered data stolen from Capital One but also "multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities".
While not revealing specific details, they claim that the "data varies significantly in both type and amount". The prosecution document continues: "Much of the data appears not to be data containing personal identifying information.
"At this point, however, the government is continuing to work to identify specific entities from which data was stolen, as well as the type of data stolen from each entity."
Given that Thompson is believed to have stolen data from other organisations, she will likely face additional charges "based upon each such theft of data, as the victims are identified and notified".
However, based on Thompson's statement and the ongoing investigation, she apparently didn't sell, share or disseminate any of the data she stole.
"The government is continuing its investigation, which will take a significant amount of time and resources, given the immense amount of forensic evidence to review," added the officials.
"To date, however, the government has not uncovered any evidence that would suggest Thompson's statement that she neither sold, nor otherwise disseminated, any of the data beyond the servers that the government recovered is untrue."
Paige, who worked as a software engineer at Amazon Web Services (AWS) in 2015 and 2016, was arrested last month in connection with the Capital One data breach. She could face a five-year prison sentence and a fine of up to $250,000.
She is accused of stealing data that includes 140,000 US Social Security numbers, one million Canadian Social Insurance numbers and bank account details of 80,000 American customers.
Amazon has been quick to point out that the Capital One compromise was not caused by security shortcomings at AWS, especially with the company coming under scrutiny of a US House of Representatives committee at the beginning of the month.