How Criminals Could Use Veterans' Personal Data
NOAH ADAMS, host:
The government is struggling to clean up the mess from the theft of more than 26 million Social Security numbers belonging to the nation's veterans. It's still unknown whether or not the thieves, or thief, knew what he or she or they may have on the computer stolen from a VA employee's home.
We wonder what one might do with this information, in terms of making a profit. Mark Rasch is the former head of computer crime investigations for the U.S. Justice Department. He is now a senior vice president at the security management company, Solutionary.
Mr. Rasch, if you got it and you know what it is, what happens? How likely is it that somebody could turn these 26.5 million names into profit?
Mr. MARK RASCH (Senior Vice President, Solutionary): Well, the odds are that the person who stole it has no idea the value of what they've got and what the potential value is. But if you wanted to turn this to profit, the first thing you can do is just offer to sell it in the black market on the Internet for people who know how to turn it into valuable information.
There's a whole marketplace out there in chat rooms and in these black market activities where they just pay cash for this kind of information.
ADAMS: Well, if you were back in your old job with Justice, wouldn't you be on the Internet, right now?
Mr. RASCH: Well, the problem is that a lot of these chat rooms and a lot of these sessions and stuff are in secret rooms and in secret places that the hackers know about. And you can try to monitor them, but they move quickly and they move from place to place; and they're international.
And just because you can see that people are selling this information doesn't mean that you can find them or stop them.
ADAMS: Okay. But if some sophisticated bad guy group wants to find out - let's say the speculation is they don't know what they've got, but they sneak onto the Internet. Wouldn't that group do what exactly the Justice Department would be trying to do on the Internet, try to find it?
Mr. RASCH: Right. I mean, that's exactly what they would be doing - is that the Justice Department's going to be trying to monitor all these groups and see if there's an upsurge in the sale of this kind of information.
But there are other ways to do it even more secretly, instant messaging or messaging person to person, if you know who you're talking to. You know, it's just like any criminal enterprise. Once you make the connections with the right people, you just go ahead and sell the information.
And, of course, you can do this from your living room.
ADAMS: We've all seen too many movies, I'm afraid. Do you actually think there is a chance that some damage could be done?
Mr. RASCH: Well, probably what's happening is all this information is sitting in a dumpster in suburban Montgomery County, Maryland, somewhere. And the person got the disk, formatted the disk and, you know, that's all that they wanted. They just wanted the hardware.
And that's what happens in most of these cases. But if you had really evil people who wanted to do damage, they could do a lot of damage, not just identity fraud and identity theft. But, you know, you look at al-Qaida in Iraq, and they're targeting military personnel; they're targeting police there. This information could be used for terrorist groups to target military and former military people here in the United States.
ADAMS: And their dependents.
Mr. RASCH: And their dependents, as well. It could also be used by foreign intelligence agencies, because now military individuals are the ones who typically have access to classified information.
If I wanted to know who to target for espionage or for extortion or something like that, I now have a list of people that I know I can go after, as well as identity information.
Finally, if I wanted to get access to a military base, I now have a list of people who, at least, potentially have access to those military bases. I can get their identities. I can social engineer or trick my way onto the bases using that information.
ADAMS: We just learned today, this happened three weeks ago. Is that a good sign or a bad sign that we haven't heard about anything being out there on the market?
Mr. RASCH: Well, the Veterans Affairs deliberately didn't release the information, because they didn't want to tell the bad guys how valuable it was, the information that they'd received.
Typically it takes weeks or months to turn this stuff into new identities. So the fact that we haven't heard anything in three weeks doesn't necessarily mean anything.
ADAMS: Well, that clears up a mystery from yesterday, which was why are they making it public, because the people could then realize what they had, right?
Mr. RASCH: Hopefully, the people who had it have already formatted the drive. And if you wait long enough, they'll have discarded the information. But, you know, the worst-case scenario is this person stole the information not knowing how valuable it was, now hear this information and say, wait a second, I've got something really good here.
ADAMS: Right. Right. Talking with us from Dallas, Mark Rasch of the security management company called Solutionary. Thank you, Mr. Rasch.
Mr. RASCH: Thank you, Noah.
Transcript provided by NPR, Copyright NPR.