Capital One's data breach may be "the tip of the iceberg" and could affect other large companies, according to security researchers.
Israeli security company CyberInt said Vodafone, Ford, Michigan State University and the Ohio Department of Transportation may also have fallen victim to the same data breach, in which over 106 million credit applications and files were stolen from a cloud server run by Capital One. The alleged hacker, Paige Thompson, a Seattle resident, was taken into custody by the FBI earlier this week.
This follows reports from Forbes and security reporter Brian Krebs indicating that Capital One may not have been the only company affected, pointing to "one of the world's largest telecom providers, a government agency in Ohio, and a major US university," according to Slack messages sent by the alleged hacker.
The same messages appeared in a CyberInt report published Wednesday. "Other victims can be derived from filenames," the report said, including Apperian, Infoblox and Wakoopa.
The Justice Department said Thompson may have to pay extra costs – suggesting that other companies may have been involved.
We reached out to several of those named by CyberInt, with mixed results. Only the Ohio Department of Transportation confirmed that data had been stolen and that it was working with the FBI. "At this time, however, we can confirm that the information in the referenced file contained only publicly available data and no private information was stored there," said spokeswoman Erica Hawkins.
Ford spokesman Monique Brentley told TechCrunch that it is "investigating the situation to determine if Ford information is involved."
Meanwhile, Vodafone spokesman Adam Liversage said the telecom giant "was not aware of" its data being stolen in the breach of Capital One.
And a Michigan State University spokesman said it receives "hundreds of threats and attacks on our system" and said it was "difficult to know if a recent was the alleged hacker from the Capital One situation."
"Our team is investigating, but at this time we have no information to share," said spokeswoman Emily Guerrant.
The hack of Capital One is the most important data breach this year. Data was stolen from an Amazon Web Services-based storage bucket, which included more than 140,000 social security numbers and over a million Canadian social security numbers, as well as other personal information.
Capital One said it became aware of the breach through a third party who reportedly saw the alleged hacker's claims and boasts of the thefts.
Security researcher John Wethington told TechCrunch that, based on public information – including the Slack channel of which the alleged hacker was a member – other companies probably had data stolen.
"Based on the information gathered from publicly available information about the alleged hacker's GitHub and GitLab accounts, as well as public information from the Slack channel, it is clear that organizations including Ford, Vodafone and others are potential victims of what appears to be a massive sensitive data hacking," he said.
As of this writing, Thompson faces five years in prison and a fine of up to $250,000.