The same data that’s out there about you can also be used against you and now it is

Guest:	Ron Zayas
Title:	CEO of Ironwall
Summary:	Reports of an Iranian‑linked group contacting U.S. troops using their own personal data points to a shift in cyber conflict from networks to people. It’s direct, personal and hard to defend against.

The Federal Drive with Terry Gerton provides expert insights on current events in the federal community. Read more interviews to keep up with daily news and analysis that affect the federal workforce. Reach out to Terry and the Federal Drive producers with feedback and story ideas at FederalDrive@federalnewsnetwork.com.

Interview transcript

Terry Gerton This latest incident, the Handala group, has gone from hacking systems to targeting people directly. Tell us what you know about this situation.

Ron Zayas So there’s two things to understand here. One is that this is a common thread of what’s going on. It’s very hard to go after servers. They’re much more hardened. It’s very hard to go after organizations per se. So why not go to the soft underbelly, which are the people who make up those organizations? So dirty secret number one is that Handala, if they were the ones who did this, aren’t doing anything different than what other hackers are doing. They’re going after individuals, targeting them to get into the organization. The other dirty secret in all of this is that the information that they’ve released can probably be bought commercially by almost anybody in this country at any time. That’s the real dirty secret.

        Earn CPE credit: The latest webinar from the Billington CyberSecurity Cyber and AI Outlook Series will focus on the real-world risks facing AI deployments across the federal landscape. Register now!

Terry Gerton So tell us more about how they pulled all of that perhaps commonly available, or at least publicly available, data together to target individual service members.

Ron Zayas So let’s understand that information is a chain rather than milestones along the way. So first of all, if I know where you work, and for maybe people in the military that’s not always the most public information, but if you are applying for credit, if you are applying to do something, who your employer is, is using public information. Even if you’re in the Military. So that’s number one. All of that information is reported by credit agencies and then there are data brokers who pull this information together, buy it from all these different sources and then make it available to anybody who’s willing to pay. People finder sites, if you’re familiar with sites like Spokeo and BeenVerified, they buy information from these data brokers and they make it available to individuals. But there’s this whole ecosystem of gathering information. And if you think about somebody’s employer, if you’re in the military, it’s the military. Then put the chain of information together. Most of these profiles will have anywhere from 200 to 2000 pieces of information about you. So it’ll include your family members. It’ll include your phone number. It will include what apps you have signed up for. Put those pieces together and you start seeing how I can find out who’s in the military. I can find out who their family is. I can look at their social media. If you had somebody in the military that was deployed somewhere, you would probably use social media to contact them, to talk about them, to give them the support, the things we ought to be doing to supporting family and loved ones when they’re far away. But this information can now be used since I know you’re the spouse of, the child of, the sister of. Now that I know that, I can monitor your social media and find out where that person might be. If I know what apps they have, I can pull that all in together and find out are they using a jogging app, are they’re using a help app that I can either target or buy the information from and put all the pieces together and find out exactly who is where. They didn’t do anything brilliant here. They did something that If you put enough effort into it, you could put all the pieces together.

Terry Gerton It might not be brilliant, but it certainly is frightening. If an individual service member or even a federal employee, a civilian federal employee gets a message that says, we know who you are and we know where you are, that’s going to have an immediate impact. What is the objective of the hackers here in this situation?

Ron Zayas I think there are usually two directions that they go. One is strictly morale. And where you’re saying, as frightening as that is for the military person, think about the family member. Think about somebody going after the family and saying, we know that your loved one is over there, we know what they’re doing and we can attack them at any time. Or, attacking the family because they know that one individual is not there and what that does to morale when you are a service member and your spouse or your children might be attacked, whether it’s financially, whether it is with physical threats or whatever it may be, that you can’t be there to help. That’s truly one, and I think that that’s the biggest vector that we’re probably seeing the type of information that’s being released here. The other vector is to really look at how can we use, if we know a lot about that service member, we can probably guess passwords. We can probably guess what access they have. We can get into their email and then use that to scam others to get their credentials and work our way up. Many ransomware attacks, for example, today, I think it’s something like 70% aren’t going through the servers. They’re going through the individuals to get to the organization. It just so happens that these people work for one of the most critical organizations that our country has.

Terry Gerton Ron Zayas is CEO of Ironwall. Ron, everybody that we’re talking about here, every federal employee, every member of the military has clicked through cyber training. Don’t click on these kinds of phishing emails, don’t respond, you know, report them. But you talked about this being the soft underbelly, the most vulnerable channel of hacking. What can we do to make this more difficult?

Ron Zayas And I think there’s two points here to bring up. Number one is we all have had training and I’ve been doing this for 30 years. I’m a security expert, I’m very sensitive on this. I would be lying if I said I haven’t clicked on something that was very questionable. We are trained to think of the past attacks. Think of things like the Nigerian Prince. Something comes in and says, I don’t know you, but I’ve got $30 million for you, key number one. Key number two, it’s badly written English. It sounds like Yoda wrote it. Key number three, the email is from Ruski @ something.ru. We get all that and we move on. But what happens when it sounds like it’s coming from a family member? What happens when the email is either the real email of your family member or it’s very, very good? So if your family number is John Smith, then it’s johnsmith123@Gmail. That makes sense. What happens when they’re referring to personal things about the trip you took last week or your wife’s nickname or your son’s, you know, birthday coming up? When all of those happen, our defense is just fall. That’s why it’s a soft underbelly and all of that is based upon information, so just like everything else, If you’re going after drugs you cut off the money. If you’re going after weapons, you cut out the money. Well, in our society today, you cut off the information. What we need to do is to understand that our military, like federal employees, are being targeted by the jobs that they do. It’s a responsibility of the organizations that they work for, in my opinion, to help cut off that information and to pull that information back from organizations that are selling it without any regard to who they’re selling to or why they’re selling it other than it’s a $500 billion a year business.

Terry Gerton What actually would you propose as policies or practices to cut off the information flow that you just described?

        Sign up for our daily newsletter so you never miss a beat on all things federal

Ron Zayas Four things that I would say, one is policy, we should be looking at ways to protect people’s information more than letting it be out there. And I understand your point of, it’s already out there, but really they want us to be victims and they can be anybody. And they want to get into the mentality that there’s nothing we can do, but we can and there are lots of things that we can today. Number one is to continue to talk to your elected officials, to your employer and say, we need the policies in place that make it harder for people to steal our information. Today, there are only about 16 states that have some protection. California leads by far. And now there’s a bill before the Congress that would really tend to water down those protections and stop states from doing more. We need to go the opposite direction and understand that’s not right for our military. That’s not for federal employees. That’s right for people in the country. The second thing to understand is that your employer has a responsibility in this too, not only to protect themselves as they do with other cybersecurity, but to protect the people who are being targeted simply because they work. And there’s lots of economical ways that businesses can help do this. The third thing is there are companies, and this is self-serving, this is what my company does, but that we go out there, we find, we target and we remove that information. That’s what employers could be paying for. Unfortunately, more and more people, we’re paying for that. We protect more than a million people in the U.S. and they’re paying to do all this. And then the fourth thing is that we need to understand as individuals that if somebody asked you for your social security number, you wouldn’t give it to them. Your mobile number is as important as your social security number. If I know your mobile number, I know who you are. I can find out who your family is. You don’t change your mobile number even when you move anymore. So don’t give out information. When somebody says, give me your mobile, number give me your email, and they’re asking for it like candy, start saying no, or start doing things like having alternate phone numbers, alternate email address that you can change constantly so that you can’t be tracked. It’s a lot of work and it makes more sense to hire some people in this case to be able to remove all that information for you, but don’t give it out as if it were candy, no more than you would give out your credit card or your social security now.

Terry Gerton That is really deep and expansive advice. I’m thinking for people who don’t live in the cyber threat world all the time, that they’re just going about their day job, they are taking care of the kids, walking the dog, doing whatever, I think we might have a failure of imagination here. And so when you look at the field from an expert perspective, what do you see coming next down the road?

Ron Zayas Well, it continues to expand what that information is. Understand that what’s coming up is that, and what part of it is already here, is when you have information, you can target somebody. So if you were going to scam somebody and you could learn everything about them, that gives you an advantage. But you still implement one by one. AI allows you to implement that in ways that are very targeted across hundreds of thousands, if not millions, of people. And then you can use video, you can use audio to replicate what is out there. Understand that as humans, we evolved to work together. We evolved to see other people and say, I trust somebody or I don’t trust somebody because I need to do that. AI makes all of that fakeable, for lack of a better word, even if that were a real word. It allows it at scale to turn information and to weaponize it. That’s what we’re up against. And it’s very hard when you, you know, my parents are in their upper eighties. They are very intelligent and well-educated people. But if they receive a phone call, from one of their grandchildren. That is their voice and sounds like they’re in danger, any training is going to go out the window. They are going to respond to that. AI can do that, and it can find that information out in lots of other ways. We have to cut off the flow of information. And I understand we’re all living our busy lives. That’s why a lot of times we hire other companies to do this and remove it on a daily basis. But we also have to understand that just like we had safe words with our kids about strangers, we have to do that too. We have to have some things that are shared that we don’t put on social media. And please stop oversharing on social media. If you have these private words, these private things, when something like this comes up, you can ask that question. Oh, I’m so sorry, Timmy, that you’re in Spain and have been arrested and need $500. Can you please tell me that magic word we have together? And it stops right there, as long as you haven’t shared it anywhere else. These are little things that we can do and start showing our families and our kids what the danger is. It isn’t about being scammed for $500, it isn’t your credit card being ripped off. It’s really about your personal safety and the integrity of your family and what people can use to exploit.

 

Copyright © 2026 Federal News Network. All rights reserved. This website is not intended for users located within the European Economic Area.