The data breach at Capital One may be the “tip of the iceberg” and may affect other major companies, according to security researchers.
Israeli security firm CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may have also fallen victim to the same data breach that saw more than 106 million credit applications and files stolen from a cloud server run by Capital One by an alleged hacker, Paige Thompson, a Seattle resident, who was taken into FBI custody earlier this week.
It follows earlier reports from Forbes and security reporter Brian Krebs indicating that Capital One may not have been the only company affected, pointing to “one of the world’s biggest telecom providers, an Ohio government body, and a major U.S. university,” according to Slack messages sent by the alleged hacker.
The same messages were published in a CyberInt report published Wednesday. “Other victims may be inferred from filenames,” said the report, including Apperian, Infoblox and Wakoopa.
The Justice Department said Thompson may face additional charges — suggesting other companies may have been involved.
We reached out to several of those named by CyberInt with mixed results. Ohio’s Department of Transportation said it was working with the FBI to try to “determine what, if anything, was accessed,” said spokesperson Erica Hawkins. “At this point, however, we can confirm that the information in the referenced file contained only publicly available data and no private information was stored there,” she said.
Ford spokesperson Monique Brentley told TechCrunch that it’s “investigating the situation to determine if Ford information is involved.”
Meanwhile, Vodafone spokesperson Adam Liversage said the telecom giant was “not aware” of its data stolen in the Capital One breach.
And a spokesperson for Michigan State University said it receives “hundreds of threats and attacks on our system” and said it was “hard to know if one recently was the alleged hacker from the Capital One situation.”
“Our teams are looking into but at this point we have no information to share,” said spokesperson Emily Guerrant.
Amazon told TechCrunch: “At this point, we do not have proof that the perpetrator in the Capital One incident found similar application flaws in a few other customers. We’ve reached out to the customers mentioned in online forums by the perpetrator to help them assess their own logs for any evidence of an issue.”
The hack of Capital One is the most significant data breach this year. Data was taken from an Amazon Web Services (AWS) storage bucket, which included more than 140,000 Social Security numbers and over a million Canadian Social Insurance numbers, as well as other personal information.
A spokesperson for Amazon said AWS was not itself compromised.
Capital One said it learned of the breach through a third-party who reportedly saw the alleged hacker’s claims and boasts about the thefts.
Security researcher John Wethington told TechCrunch that based on public information — including the Slack channel of which the alleged hacker was a member — likely other companies had data stolen.
“Based on the information gathered from publicly available information on the alleged hackers GitHub and GitLab accounts, as well as public information from the Slack channel, it’s clear that organizations including Ford, Vodafone and others are possible victims of what appears to be a massive sensitive data hacking spree,” he said.
As of the time of writing, Thompson faces five years in prison and a fine of up to $250,000.