The data breach at Capital One may be the “tip of the iceberg” and may affect other major companies, according to security researchers.
Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to the same data breach that saw over 106 million credit applications and files stolen from a cloud server run by Capital One by an alleged hacker, Paige Thompson, a Seattle resident, who was taken into FBI custody earlier this week.
Reports from Forbes and security reporter Brian Krebs indicating that Capital One may not have been the only company affected, pointing to “one of the world’s biggest telecom providers, an Ohio government body, and a major U.S. university,” according to Slack messages sent by the alleged hacker.
Krebs posted a screenshot of a list of files purportedly stolen by the alleged hacker. The stolen data contained filenames including car maker “Ford” and Italian financial services company “Unicredit.”
The Justice Department said Thompson may face additional charges — suggesting other companies may have been involved.
We reached out to several of those named by CyberInt with mixed results. Only the Ohio Department of Transportation confirmed it had data stolen, and was working with the FBI. “At this point, however, we can confirm that the information in the referenced file contained only publicly available data and no private information was stored there,” said spokesperson Erica Hawkins.
Ford spokesperson Monique Brentley told TechCrunch that it’s “investigating the situation to determine if Ford information is involved.”
Meanwhile, Vodafone spokesperson Adam Liversage said the telecom giant was “not aware” of its data stolen in the Capital One breach.
And a spokesperson for Michigan State University said it receives “hundreds of threats and attacks on our system” and said it was “hard to know if one recently was the alleged hacker from the Capital One situation.”
“Our teams are looking into but at this point we have no information to share,” said spokesperson Emily Guerrant.
The hack of Capital One is the most significant data breach this year. Data was stolen from an Amazon Web Services-based storage bucket, which included more than 140,000 Social Security numbers and over a million Canadian Social Insurance numbers, as well as other personal information.
Capital One said it learned of the breach through a third-party who reportedly saw the alleged hacker’s claims and boasts about the thefts.
Security researcher John Wethington told TechCrunch that that based on public information — including the Slack channel the alleged hacker was a member — likely other companies had data stolen.
“Based on the information gathered from publicly available information on the alleged hackers Github and Gitlab accounts as well as public information from the Slack channel it’s clear that organizations including Ford, Vodafone and others are possible victims of what appears to be a massive sensitive data hacking spree,” he said.
As of the time of writing, Thompson faces five years in prison and a fine of up to $250,000.