Further investigation on Paige A. Thompson, the hacker accused of causing the Capital One data breach, has determined that Capital One wasn’t her only victim. She appears to have stolen sensitive data from more than 30 other companies.

According to new court documents, the government’s investigation over the last two weeks has revealed that Thompson’s theft of Capital One’s data was only one part of her criminal conduct. The servers seized from Thompson’s bedroom during the search of Thompson’s residence, include not only data stolen from Capital One, but also multiple terabytes of data stolen by Thompson from more than 30 other companies, educational institutions, and other entities. That data varies significantly in both type and amount. For example, much of the data appears not to be data containing personal identifying information. At this point, however, the government is continuing to work to identify specific entities from which data was stolen, as well as the type of data stolen from each entity. The government expects to add an additional charge against Thompson based upon each such theft of data, as the victims are identified and notified.

Thompson stated she neither sold, nor otherwise shared or disseminated any of the data that she stole (from Capital One or any other victim), and that the copy of the data that the government recovered during the search of Thompson’s residence is the only copy of the stolen data that she created. "It is too early to confirm that this is the case," the documents say. 

The data Thompson had access to includes “names, addresses, ZIP codes/postal codes, phone numbers, email addresses, dates of birth, and self-reported income”, but also “credit scores, credit limits, balances, payment history, contact information.”