Terry Gerton: This recent incident involving the Handala group marks a shift from system hacking to directly targeting individuals. What can you tell us about this development?
Ron Zayas: There are two key points to grasp here. First, this reflects a broader trend. Attacking servers is increasingly difficult due to stronger defenses, and targeting entire organizations head-on is equally challenging. So, attackers are turning to the most vulnerable point: the people within those organizations. The first open secret is that if Handala was responsible, their tactics aren’t unique—many hackers now focus on individuals as a gateway into organizations. The second, more unsettling truth is that the data they’ve exposed is likely available for purchase by virtually anyone in the country, at any time. That’s the real issue.
Terry Gerton: Can you explain how they might have compiled this seemingly public or commonly accessible data to specifically target service members?
Ron Zayas: Think of information as a chain, not isolated data points. First, even if your military role isn’t widely known, your employer information becomes public when you apply for credit or other services—even for service members. Credit agencies report this, and data brokers aggregate it from numerous sources, then sell it to anyone willing to pay. People-search sites like Spokeo or BeenVerified buy from these brokers and offer it to the public. This creates a vast data ecosystem. For someone in the military, linking their employer to the armed forces is straightforward. These profiles often contain 200 to 2,000 personal details: family members, phone numbers, apps used, and more. By connecting these dots, an attacker can identify service members, locate their families, and monitor social media. If a deployed service member’s family uses social media to stay connected or offer support, that activity can reveal the member’s location. Knowing which apps they use—like fitness or health apps—allows attackers to either target those platforms or purchase location data, piecing together exactly who is where. This isn’t a sophisticated breakthrough; it’s the result of persistent effort to connect publicly available information.
Terry Gerton: It may not be sophisticated, but it’s certainly alarming. If a service member or civilian federal employee receives a message stating, “We know who you are and where you are,” the psychological impact is immediate. What are the hackers’ goals in this scenario?
Ron Zayas: Their objectives generally fall into two categories. The first is purely psychological—undermining morale. Consider the effect on a family member who receives a threat saying, “We know your loved one is deployed, we know their activities, and we can act at any time.” Or, targeting the family directly because the service member isn’t present to protect them. Whether through financial scams, physical threats, or other means, the fear and helplessness this creates can severely damage a service member’s focus and morale. This appears to be the primary aim behind the type of information being leaked. The second goal is operational: using detailed personal knowledge to guess passwords, identify system access, compromise emails, and then use those accounts to phish others, escalating access within the organization. Today, around 70% of ransomware attacks don’t breach servers directly—they infiltrate through individuals. In this case, those individuals happen to work for one of the nation’s most critical institutions.
Terry Gerton: Ron Zayas is CEO of Ironwall. Ron, every federal employee and service member has completed cybersecurity training—avoid phishing emails, don’t respond, report them. Yet you’ve described this as the “soft underbelly,” the most exploitable vulnerability. What can be done to reduce this risk?
Ron Zayas: Two important points. First, we’ve all had training, and I’ve worked in security for 30 years. I’d be dishonest if I claimed I’ve never clicked on something suspicious. Our training prepares us for past threats—like the “Nigerian Prince” scam: unsolicited, poorly written, from a dubious address. We recognize those and ignore them. But what happens when a message appears to come from a family member? When it uses their real email or a convincing imitation (e.g., johnsmith123@gmail.com)? When it references personal details—last week’s trip, a spouse’s nickname, a child’s upcoming birthday? Our defenses collapse. That’s why this is the soft underbelly. All of this hinges on accessible personal data. Just as combating drugs or weapons requires cutting off funding, addressing this threat requires restricting information flow. We must recognize that military and federal personnel are targeted because of their roles. It’s the responsibility of their organizations to help shield this data and reclaim it from entities that sell it indiscriminately, in a global industry worth hundreds of billions annually.
Terry Gerton: What specific policies or practices would you recommend to restrict the information flow you’ve described?