Dena Temple Raston

From recorded future news and prx, this is click here. Hey, there, it's Dena. A quick note before we start. Twice a month, we team up with our friends over at 1A for something we call Cyber Monday. Host Jen White and I talk for

a bit, and then we play a

Click Here episode and then take calls from listeners. Today's Cyber Monday is about securing personal data. Many companies will pay top dollar for personally identifiable information, also known as pii. That's our names, our birthdays, and our Social Security numbers. The thing is, those things help scammers do their work. And on a recent Cyber Monday, we looked at how personal data became a global commodity and what happens when it ends up in the wrong hands. The first voice you'll hear is one A's host, Jen White. Take a listen.

Jen White

Dina, welcome back to the program.

Dena Temple Raston

Thanks so much.

Jen White

So when people hear the words personal data, we usually think about maybe the ads that follow us around the Internet. But your reporting found something much darker. There's this whole economy built around personal data. What? Walk us through what that economy is and what it looks like.

Dena Temple Raston

Well, so personal data isn't just being used to sell you shoes or vacation packages anymore. It's become this sort of raw material for all kinds of fraud. And there's literally a whole global economy built around it. So we all know our data is being collected, and often it's being collected legally by companies that you interact with every day. But what most people may not be aware of is that it's packaged, it's sold, and it's resold. And most of the time, that's fine. It's allowed. The problem is, is that once the data exists in that sort of data marketplace, it can move very easily from legitimate use into criminal use without the data itself ever really changing.

Jen White

So how much of delineation is there between that legal use in one context and the criminal use in another?

Dena Temple Raston

Well, see, this is the problem that we discovered when we reported this, that the line between those two worlds is much thinner than people realize. And that's what makes this so difficult to regulate and to police. Because data doesn't suddenly become illegal. The thing that makes it illegal is the intent behind its use. In other words, you can buy data and that's all legal, but you can't be prosecuted for what you did with that data unless you had an intention of committing fraud. In other words, let's say you sell it to someone you didn't know that they were going to commit fraud, you're not liable. But you know Anyone who buys data with the intent of committing fraud, they've broken the law.

Jen White

But there's something chilling, Dina, about the idea that our personal data, this information that follows us through our lives, really from birth to death, that it's legal to move it around, that it can just be sold.

Dena Temple Raston

It's kind of crazy, not just that it can be sold, but also that they're sort of dealing with this small, sort of threading a needle of how you can hold somebody accountable for that. Right. Just focuses on intent, what someone planned to do with the data. And that intent, as we know, just in regular legal procedures that we see is often really hard to prove, because buying the data isn't illegal. You know, using it to open a bunch of credit cards or to file fake tax returns or to take over somebody's identity, that's when it gets illegal. So law enforcement often finds itself chasing outcomes instead of trying to prevent this from happening in the first place.

Jen White

So someone can purchase your data. It could take a long time to make the case that there was intent to use the data illegally or that it actually was used illegally. In that time, how much damage may already have been done?

Dena Temple Raston

A huge amount of damage. Think about it. Because your data doesn't change a stolen credit card, you can cancel it or it expires. Personal data doesn't expire. You can't cancel your birth date. You can't cancel your Social Security number. You sort of can, but you can't just. It's not as easy as you have to call the Social Security Administration. So the issue is that once that information is out there, it can keep causing harm for years. And it has this ripple effect where you think you've taken care of it and maybe you haven't.

Jen White

We're talking to Dina Temple Rastin. She's the host of Click Here and we're hearing from you. Jennifer writes, someone tried to file for an income tax refund using my Social Security number. The attempt was flagged because I had a history of using TurboTax, not mailing it in. I got lucky in that regard. I now have an electronic PIN mailed to me each year to file my taxes. I also went to the three credit reporting agencies websites and manually froze my credit. Unfreezing. It can be tedious when I'm applying for a loan or a credit card, but it's rare that I need to do it. And it gives me peace of mind to know that people can't access my credit history based on my Social Security number alone. If you've had an experience with having your personal data stolen. We'd love to hear about it. What did you do? Email us@1aamu.org Adina the theft of private data. It's not a new problem, but it does feel like it's accelerating. I feel like every other month I get an email from, you know, some company that says, oops, we had, we had a data slip. Why is that?

Dena Temple Raston

Well, hackers are getting better at it. And also, you know, we generate more data than ever before. More companies collect it, more intermediaries sell it, and at the same time, the tools for abusing that data have become more powerful and far more accessible. Dare I say it, AI can help in this, right? So this really isn't about criminals just getting more sophisticated. It's about how all of this is starting to scale. And it's easy to think of data as being this kind of abstract thing, just numbers, just files. And the whole human component of data is really easy to brush aside. If you rob someone on the street, you're face to face stealing data just, it can cause the same kind of financial harm, but you're not looking someone in the eye when you're doing it. And I think a lot more people get into it for that reason. And that distance makes it easier to rationalize and maybe easier to keep going. That's what we found when we talked to scammers.

Jen White

But what's interesting, Dean, is over the last 20 years or so, it feels like we have also gotten more removed from our personal data, our sense of ownership or protection. Not all people, but I often hear folks say, well, look, our data's out there anyway, so why am I worried about xyz? How have you seen that relationship shift?

Dena Temple Raston

I think it's just, you know, you fill out data for apps or whatever it is all the time, right? Like apps are following you around unless you opt out of that. You know, Facebook is sending you things instead of unless you. Or meta, unless you opt out of that. So the default is to give people your data instead of the opposite, which would be. And that there have been movements to try and do this in which people have to ask you for your data instead of just assuming that they get it.

Jen White

We got this email from Denise, who says, I had my personal data stolen 12 years ago, right around when I was renewing my passport via the usps. I was first alerted by an online retailer and later learned that a bogus tax return was filed in my name. I had to file a police report and arrange an appointment at the IRS to Clear my name. I froze my credit reports and set up a requirement that I receive a phone call anytime credit is being opened in my name to confirm it is me. I also started paying for credit monitoring. In the years since, I have been the subject of many data breaches. It's now just a fact of life in a digital world. Well, Dina, we're going to hear some of your reporting in a moment. And the story's about a young man who committed these kinds of data crimes. What struck you most about his story?

Dena Temple Raston

Well, I think what people should listen for in this is how human he actually sounds. And the reason why we ended up doing a story on him because we don't really like to platform these bad guys and, you know, have them boast about everything they've done. What made him unusual, he's a young Vietnamese guy who was very good at computer. It didn't really feel like what he was doing was a crime. Cause it was just numbers. He was making lots of money, but he didn't sort of see it at the human connection of it. And what was so unusual in talking to him is the amount of remorse he felt. And I don't want to ruin the story, but what he ended up doing with his life as a result because of this remorse.

Jen White

How often in your reporting do you find that this is the work of individuals rather than the work of, you know, maybe organized gangs who are doing these types of crimes?

Dena Temple Raston

I think they're both. I think we should think about these individuals not as being the guy with the hoodie or the woman in the hoodie in their basement hovered over their laptop. I think we should think of these people more as contractors because that's the way it's working now. So these big gangs aren't people who stay together forever. Revil or Conti or these other gangs you might have heard of lock bit. These are not discrete people who always work together. Instead of it's a flow of people coming in and out of these groups. This is the reason they've gotten so effective is because they just hire people for particular skills like you would a contractor. This guy's good at cabinets. This guy's good at floors. This guy's good at breaking into systems. This guy is really good at opening up credit cards. This guy's good at filing tax returns, that sort of thing.

Jen White

So what does this all mean, the technology continuing to develop, people who are expert at this, the network around these types of data crimes. What does it mean for our ability to rein it in and get a better hold on. Protecting people from being victimized.

Dena Temple Raston

Well, I think one of the big things is you need to be really aware of where you're dropping your data and think twice before you click on something. Or if something looks a little weird to you. When you get a weird email that's out of character, even if it's from like Microsoft or Apple, double check the URL address, the one in the window. Make sure that there's not a spelling mistake in there. If it is, it's a scammer. And if you do have this fraud problem, report it to the FTC. You file a report@identitytheft.gov and they will give you a whole recovery plan so you don't feel like you're on your own.

Jen White

That's Dena Temple Raston. She's the host of Click Here, a new public radio show and award winning podcast about how technology is changing everything. It's from Recorded Future News and prx. Dena, it's always great to talk to you. Thanks.

Dena Temple Raston

You're welcome.

Jen White

When we come back, a story that takes us inside that hidden data economy. From a small town diner in New Hampshire to Internet cafes halfway around the world, and into the gray space between what's legal and what causes real harm. Have you ever had your personal data stolen? If so, how did you protect your information moving forward? We're also taking your questions about how to prevent data theft. Email us@1aamu.org I'm Jen White. This is 1A from WAMU and NPR. Foreign.

Dena Temple Raston

Support for Click here comes from Servolai. Did you know that your IT team wastes half their day on repetitive tickets? The more your business grows, the more these requests pile up. Password resets, access requests, onboarding, all pulling it away from meaningful work. With Servol AI, you're guaranteed to cut half of Help Desk Tickets by Week

4 of your free pilot.

It's easy to see why this makes sense. It saves time and money and lets IT teams focus on actual problems. And while legacy players are scrambling to adapt in the age of artificial intelligence, Servl was built for AI agents from the ground up. Your IT team describes what they need in plain English and Servl generates production ready automations instantly. Servil powers the fastest growing companies in the world like Perplexity, Mercer, Verkada and Clay. Get your team out of the help desk and back to the work they enjoy. Book your free pilot@servl.com clickhere that's S E-R-V-A-L.com clickhere support for click Here comes from Quince. Are you working on your capsule wardrobe? Quince has you covered. Quince is all about elevated, effortless essentials that are designed for layering and mixing. They've got all the essentials you need to build a timeless wardrobe that will last season after season. Quince uses the highest quality materials. The stitching, fit and fabric speak for themselves with versatile silhouettes and thoughtful details. You'll find low key luxury for every occasion. Luxe cotton cashmere blends perfect for changing seasons. Premium denim made with stretch for all day comfort. These are the pieces you'll reach for over and over. And for me, as a conscientious consumer, what stands out most is that Quince works directly with safe, ethical factories. Not only does that make me feel good about what I wear from Quince, it means they have cut out the middleman. So I'm not paying for a brand markup just for high quality clothing. My new cashmere quarter zip sweater is my favorite sweater. I'm reaching for it all the time. Super soft, great fit. I love it. Refresh your wardrobe with Quince. Don't wait. Go to quince.com clickhere for free shipping on your order and 365 day returns. Now available in Canada too. That's q u I n-e.com clickhere to get free shipping and 365 day returns. Quince.com clickhere it is called Internet. I use the World Wide Web information superhighway. Cybersecurity. Why do things go viral?

Jen White

Click here. This is 1A I'm Jen White. We're talking about the hidden data economy that's responsible for the theft of hundreds of millions of people's personal information. It's part of our Cyber Monday series, an ongoing partnership with Click Here from Recorded Future News and prx. Click Here Host Dena Temple Rastin spoke to a young hacker in Vietnam who stole and sold personal information about how and why he did it. Here's our conversation.

Dena Temple Raston

It all started with a diner. Matt o' Neill was sitting at the counter in New Hampshire, black coffee in hand, thinking about stolen credit cards.

Matt O'Neill

So I was working point of sale terminal hacking cases.

Dena Temple Raston

He was investigating financial crimes, but not with the FBI or local law enforcement. He was with the Secret Service. And back in 2012, Matt was feeling a little bored with all his New Hampshire cash register cases. And he stumbled across this website. It was selling people's identities, something called pii, Personally Identifiable information. And it was selling it right in the open. So Matt got Curious, he logged onto the site and punched in the names of a few people he knew. And sure enough, and I could buy

Matt O'Neill

the name, date of birth, Social Security number, address and previous addresses.

Dena Temple Raston

He thought, well, maybe that's a fluke. So he typed in more names.

Matt O'Neill

Literally every single person that I queried. I found all of their pii you could ask to purchase things like, hey, I'd like to buy 50 men in New Hampshire, ages 18 to 30, something like that. And then he would send you in

Dena Temple Raston

an email pii to hear human go tell it. He didn't mean to become one of the world's most prolific identity thieves. In fact, when he was growing up in Vietnam, computer crime wasn't really a

Hugh (Vietnamese hacker)

thing because Internet is so expensive. In Vietnam, lots of people, they don't even have computer.

Dena Temple Raston

His parents ran an electronics store. His uncle sold computers, which is how he became one of the first of his friends to actually get a laptop.

Hugh (Vietnamese hacker)

At first, I didn't know much about computer, so I just played with it.

Dena Temple Raston

And he did what a lot of kids do with a new toy. He'd break it, fix it, break it again. And his parents couldn't afford all this, so they sent him to Ho Chi Minh City to live with his uncle and learn how to use computers properly.

Hugh (Vietnamese hacker)

I didn't study much because a lot of my time I spent on computer. I sleep on computer, I study on computer, everything on computer.

Dena Temple Raston

And for a while, it was the typical boy meets computer boy, loves computer boy, spends all his time with the computer story. Until Hugh ran into this stranger at an Internet cafe and he saw a flicker of something forbidden on his screen.

Hugh (Vietnamese hacker)

Suddenly, I see him browsing some very dark website, the Dark Web.

Dena Temple Raston

Hugh had never seen it, never even heard of it, but he soon found out it was a secret world of drugs and fraud and cybercrime.

Hugh (Vietnamese hacker)

And then he's saying, yeah, if you want to open an account, just let me know. And then he showed me sign up an account and the Dark Web.

Dena Temple Raston

He didn't have to ask twice. Hughes just dove in. Tutorials, forums, stolen credit cards, bank accounts.

Hugh (Vietnamese hacker)

At first I just had for fun, you know, like I have the website sent into database and stealing the credit card and bank accounts, and I just share for free.

Dena Temple Raston

But that straight path didn't last very long, because soon Hugh and a friend were holed up together, living, hacking, laundering money.

Hugh (Vietnamese hacker)

Every night I always start making money, like 1,000, 2,000 easily.

Dena Temple Raston

He told his parents he was a programmer, a good one, and technically, that wasn't a lie. He used the money to enroll in college in New Zealand. And he majored in computer science, naturally. But the deeper he got, the more invisible the line between right and wrong became. He was getting rich and he was getting sloppy. Someone noticed and suddenly he was caught.

Hugh (Vietnamese hacker)

So they asked me to return the money to the victims.

Dena Temple Raston

How much money was it?

Hugh (Vietnamese hacker)

Like more than 20,000 USD.

Kevin Hamlin

Wow.

Hugh (Vietnamese hacker)

Right? Okay. So I returned all that money to the victims. And then I was so scared, I ran back to Vietnam.

Dena Temple Raston

But he couldn't quite stay away from the scene of the crime, his beloved Internet cafes.

Hugh (Vietnamese hacker)

At the Internet cafe, we chit chat and we exchanged information. And I told him, you know, I don't want to touch the computer again, you know, it's so dangerous for me.

Dena Temple Raston

But the temptation had a way of drawing him in when the glow of the screen was that close. And the thing is, data, data isn't inherently illegal. There's a whole industry built around collecting it and packaging it it and selling it legally. You've seen the results. Those ads that pop up a little too conveniently after you search for boots or books or divorce lawyers. So there he was, same cafe, same crowd. When someone suggested a workaround, a loophole, why not become a legitimate data broker?

Hugh (Vietnamese hacker)

So they told me about Social Security numbers, US identity.

Dena Temple Raston

Nobody in Vietnam was selling that kind of data. So when a friend told him he could be the first that he could break open the market, it stuck with him. Hugh sat down at his computer and broke his promise. He invented someone, a private investigator. He called Jason Wheel, a phantom with credentials. And here's the loophole. Real private investigators, actual ones, can buy personal data legally using that fake identity. He approached a data broker who sold him a trove of Social Security numbers. And with that, Hugh opened shop and waited.

Hugh (Vietnamese hacker)

Within the first few weeks, the money come into my account like crazy. I couldn't believe my eye. Man, this is so easy money.

Dena Temple Raston

Hugh had stumbled into a weird quirk of data theft. Unlike credit cards, PII lasts forever because you can't cancel a birthday, which means you can sell those things again and again.

Hugh (Vietnamese hacker)

I was able to obtain roughly around 200 million U.S. identity.

Dena Temple Raston

200 million. That's nearly 60% of the U.S. population. He wasn't dabbling anymore. He was building one of the largest identity theft operations the world has ever seen. By the end, more than 13,000 people's identities would be stolen using his website.

Hugh (Vietnamese hacker)

And then I decided to open a website that providing stolen data as a service.

Dena Temple Raston

He was so confident that he could get away with selling PII that He began to sell it openly on the clear Web.

Hugh (Vietnamese hacker)

I was marking, like, up to more than 100,000 USD.

Dena Temple Raston

A month?

Hugh (Vietnamese hacker)

Yeah, a month.

Dena Temple Raston

For nearly two years, Hugh lived like gravity. Didn't apply to him. He made millions. He bought sports cars, real estate. A fantasy life built on stolen names and birth dates. But every con has a shelf life. And Hughes was about to expire because halfway across the world, that Secret Service agent Matt o' Neill was closing in.

Matt O'Neill

It's not necessarily illegal to sell other people's PII. So I could sell you 5,000 Social Security numbers, but in order to charge me, you have to show that I knowingly sent it. With the knowledge that you intended to commit fraud.

Dena Temple Raston

PII in the hands of a data broker using to target you with ads is annoying, but it's not against the law. The same personal data in the hands of a criminal? Well, that's different.

Matt O'Neill

I can use it for things like stolen identity refund fraud or account takeovers or new account fraud.

Dena Temple Raston

Matt needed to prove Hugh was selling data for that kind of reason. So he made a decision, a bold one. He'd walk right in, pretending to be a customer.

Matt O'Neill

So I created an account, and then I emailed him, and I basically said, hey, I'm trying to buy some Social Security numbers, and I'm using it for tax return fraud. Can you confirm if I buy this, you're not going to sell it to anybody else? Because if I'm going to buy your Social Security number and file a fraudulent tax return, the IRS considers the first filer the legitimate filer.

Dena Temple Raston

And Hugh, thinking this was just one more potential customer, quickly replied, no, no, no.

Matt O'Neill

Once you buy it, I take it out of circulation.

Dena Temple Raston

That single line, it erased all plausible deniability. That got him a search warrant. And with that, he and his team set about combing Hugh's accounts, looking for evidence. And in this haystack of emails, he found needle after needle, incriminating correspondence. And even the server Hugh was using

Matt O'Neill

to host his website, we realized that Super Get.info was being hosted actually in the United States.

Dena Temple Raston

He used that to get another search warrant. And as he was pawing through the server, he found something else.

Matt O'Neill

We were able to get his payment information, and he was using a credit card that actually comes back to him. This is Hugh. Hugh's in Vietnam. Hugh's probably working alone. And here's where his infrastructure is.

Kevin Hamlin

Boom.

Dena Temple Raston

They had their guy, and they knew exactly where he was. There's just one problem. The US doesn't have an extradition treaty. With Vietnam. So Matt thought he needed to get Hugh out of Vietnam to force him to go someplace where the US had jurisdiction. So Matt came up with a ruse.

Matt O'Neill

We arranged for a cooperating defendant who lived overseas, who was a pretty well known fraudster, to reach out to Hugh and basically say, hey, I know who you are. You've been making way too much money off of your website. I'm shutting you down. If you want to get in business, you're going to have to come through me.

Dena Temple Raston

And then to make sure Hugh knew this fraudster was serious, Matt actually arranged to shut off Hugh's PII supply by going to the company Hugh was getting data from and asking them to freeze his account.

Matt O'Neill

And then we sent him a follow up email from this fraudster that basically said, see, I told you, you know, if you want to get back in business, come through me.

Dena Temple Raston

It got Hugh's attention.

Hugh (Vietnamese hacker)

I got used to making so much money every month and living a lavish

Dena Temple Raston

lifestyle, but now someone was threatening to shut it all down. The longer his supply was cut off, the more Hugh started to emerge from the fog of this criminal life he'd chosen. You start to see this as a chance to maybe turn his life around. He thought, okay, I'll go meet this

guy, get my data back, and then

I'll start selling it legitimately. You know, keep the skills, but ditch the crime.

Hugh (Vietnamese hacker)

And I will try to see if I can become a real legitimate businessman because I got so tired of doing this.

Dena Temple Raston

So he responded to the email and said he was open to talking. And Matt, posing as the dark web rival, wrote back. He told Hugh that if he was going to do this deal, it had to happen in person.

Hugh (Vietnamese hacker)

He offered me to Australia, to New York, to wine. I said, no, man, too far. It's so dangerous for me. He said, yeah, I think my business partner can set up a meeting.

Matt O'Neill

We arranged for an in person meeting in Guam.

Dena Temple Raston

Guam, a tropical outpost in the western Pacific just five hours from Vietnam. To Hugh, it seemed close enough to feel safe. But what Hugh didn't realize was that Guam is a US Territory, and tucked among the palm trees and coral beaches, there is a Secret Service field office.

Matt O'Neill

And so I sent two agents from the Manchester office to Guam, and the Secret Service sent a really good agent that spoke Vietnamese to do translation in case we needed it.

Dena Temple Raston

So in February 2013, Hugh boarded a plane with his sister who had agreed to serve as a translator.

Hugh (Vietnamese hacker)

Right after we landed, we went to the custom office. And then they hold me back. They say, yeah, we need to see you at the office.

Dena Temple Raston

He was escorted to a back room. And in his mind he was hoping that this was just an extra screening. But as soon as the door closed, the charade fell apart.

Hugh (Vietnamese hacker)

I was there four or five hours straight. They questioned me a lot. And at the end I admitted everything. And they say, man, the game is over.

Dena Temple Raston

The Secret Service put him in handcuffs and escorted him away. And then just like that, human go was in US custody. A20 something locked up in a foreign country where the language, the customs, even the prison system felt completely alien.

Hugh (Vietnamese hacker)

At one point, the federal judge told me that he received more than 10,000 letters from the victims about my case. Very sad story. The victims couldn't afford the house, couldn't afford the call because of me. Selling their identity, sitting behind a keyboard

Dena Temple Raston

in Vietnam, it had all felt so far away. Now it was inescapable. The damage, the ripple effects, the real guilt.

Hugh (Vietnamese hacker)

I was thinking, I have to improve myself. I have to change myself. I have to do something.

Dena Temple Raston

He learned English, joined an addiction program. He tried to make amends. He handed the keys to super get.info over to the feds. And for two years, the secret Service ran the site as a full blown

Matt O'Neill

sting, communicating with all of his biggest buyers that we arrested a fair amount of them. We got them to make incriminating statements about what they were using the PII for. And then we lured them and arrested them.

Dena Temple Raston

One arrest after another, one trial after the next. The lingering damage of Hughes crimes started to disperse. And then in November 2019, I remember

Hugh (Vietnamese hacker)

I was sleeping around 2, 3 o' clock at night, and the prison guard, he woke me up.

Dena Temple Raston

They handcuffed him, shackled him and put him on a bus and told him only that they were going to New Hampshire.

Hugh (Vietnamese hacker)

I'm so scared. I was thinking a lot of bad things, you know, like the worst thing

Dena Temple Raston

could happen to me in New Hampshire. They brought him back to the original,

Hugh (Vietnamese hacker)

the same judge that sentenced me. He told me, you just need to share your story. So I stand there for almost three hours. I was sharing my case. Not my case, my life.

Dena Temple Raston

And a few days later, he got a phone call.

Hugh (Vietnamese hacker)

The public defender, he called me and he told me that I got immediately

Dena Temple Raston

released after seven years behind bars. After all the cooperation, Hugh was released with time served. Back in Vietnam, Hugh didn't return to crime. He took a job with Vietnam's National Cybersecurity Center, a place where his old skills could finally do some good. And are you kind of like hacking the hackers now?

Hugh (Vietnamese hacker)

Yeah, when I Hunting the cyber criminal. It just feels like, you know, kind of talking to myself back in the day. Sometimes it's very easy for me to talk to hackers or cyber criminals because I understand them, I know how to talk to them.

Dena Temple Raston

Since getting out, he's helped law enforcement around the world track down cyber criminals. He founded a nonprofit. He trains officers in the very tactics he once used to evade them. And now he's something else entirely.

A father.

And his daughter, well, she's a chip off the old block. She plays with computers, and among her first words, hack, hack.

Hugh (Vietnamese hacker)

Was she playing on my computer all the time, though? Every night she said, hack, hack.

Dena Temple Raston

But now it's a game, not a gateway. A word once soaked in fear, now is just part of his toddler's play. This is Click Here.

Jen White

That was the host of Click Here. Dena Temple Raston. Up next, we hear from two cybersecurity experts about how you can protect your privacy private data against online hackers. That's just ahead. I'm Jen Moyndt. This is one.

Hugh (Vietnamese hacker)

A.

Dena Temple Raston

Support for Click Here comes from Claude. Claude is the AI for minds that don't stop at good enough. It's the collaborator that actually understands your entire workflow and thinks with you. Whether you're debugging code at midnight or strategizing your next business move, Claude extends your thinking to tackle the problems that matter. I like it for research because when I'm digging into a story, sometimes a basic web search just won't cut it. Claude goes deeper. Think comprehensive, reliable analysis with links to every source, making connections that otherwise might take me hours to find. Claude also has this feature called artifacts. It lets you build custom tools without needing to write a single line of code. Ready to tackle bigger problems? Get started with Claude today at Claude AI Clickhere. That's Claude AI Clickhere. And check out Claude Pro, which includes access to all of the features mentioned in today's episode. Claude AI Clickhere. Support for Click Here comes from Factor. Don't beat yourself up for not eating. Better eliminate the reasons you don't. If you're too busy to meal plan, let Factor deliver a healthy diet right to your door. No grocery shopping, cooking or cleanup. Just heat for two minutes and eat. Factor is designed by dietitians and ready made by chefs. Always fresh, never frozen, their meals are what you would make if you had the time. Lean proteins, healthy fats, colorful vegetables, and whole food ingredients. No refined sugars, artificial sweeteners, or refined seed oils. Personally, I love the ginger teriyaki burger. The sauce is awesome and so easy, even for super busy people. But you can choose from 100 rotating meals every week in categories like Calorie, Smart, Mediterranean and a new MusclePro collection for strength and recovery. Head to FactorMeals.com clickhere50OFF and use your code clickhere50OFF to get 50% off your first Factor box plus free breakfast for a year offer only valid for new Factor customers with code and qualifying auto renewing subscription purchase. Make healthier eating easy with Factor if

Jen White

there was a big red button that

Dena Temple Raston

would just demolish the Internet, I would

Jen White

smash that button with my forehead.

Matt O'Neill

From the BBC, this is the Interface,

Jen White

the show that explores how tech is rewiring your week and your world.

Josephine Wolff

This isn't about quarterly earnings or about tech reviews.

Jen White

It's about what technology is actually doing to your work, your politics, your everyday

Dena Temple Raston

life and all the bizarre ways people

Hugh (Vietnamese hacker)

are using the Internet.

Jen White

Listen on BBC.com or wherever you get

Dena Temple Raston

your podcast you're listening to click here. I'm Dina Temple Rast.

Jen White

Now back to today's installment of our Cyber Monday series. Joining us to talk about how we can better protect our personal data is Josephine Wolff. She's a professor of cybersecurity policy at Tufts University. Professor Wolff, welcome to the program.

Josephine Wolff

Thank you so much for having me.

Jen White

Also with us is Kevin Hamlin. He's a professor of computer science at the University of Texas, Dallas, where he directs the Cybersecurity Research and Education Institute. Professor Hamlin, it's great to have you.

Kevin Hamlin

Good to be with you. Thanks.

Jen White

And we heard from Carson, who writes this is a great segment. My father had his identity stolen while serving as Baltimore County Executive. It was someone across the country who had no idea who he was. It goes to show it's not always older adults or seniors. Everyone is at risk. Well, have you ever had your personal data stolen? And if so, how are you protecting your data? Now we're also taking your questions about how to prevent data theft. Email us@1aamu.org Professor Wolf, earlier we heard from a young hacker in Vietnam who stole and sold hundreds of thousands of people's private data. But I want to make sure we talk about the victims of this kind of theft. In what ways does having your data stolen affect your life both financially and emotionally?

Josephine Wolff

I think that there are a really wide range of impacts that we see. The most obvious of them are typically financial. You see fraudulent credit card charges, you see fraudulent bank accounts being opened in your name, loans taken out, things that can affect your credit score for years and years and years into the future, as well as your immediate finances. But the other piece of this that I think is worth bearing in mind is the anxiety, the stress, the amount of time that it takes to deal with all of this and to continue to worry even after you've started dealing with it, that it could resurface again. Because a lot of this information, like your Social Security number, like your bank account numbers, like your tax returns, isn't something that's like a credit card number where you can just cancel it and say, that's done. I don't have to worry about that anymore. And so people can be dealing with this for years and worrying about it for years and years.

Jen White

We got this from Jay, who writes, one of the best ways to protect yourself from data theft is to freeze your credit. The credit reporting business is broken, and there is no reason for anyone to have access to your credit report at any time. Freezing your credit is simple to do and prevents anyone from viewing your credit with without your explicit consent every time. Professor Hamlin, what other concrete steps can we take to prevent our data from being stolen and exploited?

Kevin Hamlin

Yeah, there are many steps that you can take that will at least make the criminal's job harder. I won't guarantee that it protects you from everything, but for example, whenever multi factor is available as a protection system. So multi factor is a defense where you don't just enter a password to enter a website. You also get a text on your phone or a message through your email. Some multiple different ways of verifying your identity. That just makes the criminal's job so much harder. You should always activate that when it's available. Don't reuse passwords between accounts. A lot of these data thefts involve stealing the credentials for one account. And if you share it between multiple accounts, then the criminals have access to all of them through that one credential that they've stolen. Distrust unsolicited communication. I can't tell you how many times I've interacted with people who received an email claiming to be from their bank. It looked very legitimate. It gave them the phone number to call. They call the number. But the whole email was a scam, including the phone number. So always do some sort of independent checking to figure out the right contact person for a contact like that. And I also want to really emphasize keep your software updated. So the statistics are that when a new vulnerability is discovered in software, it's typically weaponized by adversaries within about 48 hours. And that means that if your software is not up to date, you are vulnerable to attacks before it's updated.

Jen White

We got this from Wes, who writes in 2025, Doge or the so called Department of Government Efficiency, accessed Social Security data, transferred it to unsecured servers and sent the data to a variety of non governmental organizations. There's been reporting about this. Please comment on how severe this damage may be to people's personal data. Professor Wolff, what can you tell us?

Josephine Wolff

So I think the good news is that Social Security numbers, a lot of them are out there already. And so while this is always bad, there's perhaps not a huge amount of new damage that's gonna be done just with the Social Security number. On the other hand, a lot of what we see in the financial fraud space is putting that information together with other information about you. Right. A Social Security number on its own is not going to be enough for me to take out a line of credit in your name. But if you put that together with the information that's been accessed about you from various other places, your past addresses, your date of birth, other things, that can start to become a really powerful tool. And that's why you would worry about that kind of sort of lack of protection for Social Security numbers is less that on their own they're going to be really dangerous and more that they're going to be part of this larger picture of piecing together personal information about you that can be used to do a lot of damage.

Jen White

Well, much of your research, professor, will focuses on the aftermath of data breaches. What should people do after their data's been stolen?

Josephine Wolff

So I think the advice that you got from a caller about freezing your credit is really good advice. It's one of the first things I tell people as well that with all three of the main credit bureaus, you want to make sure that those files are frozen. So if somebody is putting in an inquiry, which they have to do, if they're opening up any kind of financial account in your name, that's a little bit harder to do. And I did this for my parents after the Equifax breach and then they were trying to buy a car and my father called me from the car dealership and said, we can't buy a car. So there are, there are inconveniences that come along with that, but I think they're really worth it given how powerful a tool that is. The other thing that we often talk about are various forms of identity theft monitoring, which also often come with some form of insurance. And so those are the kinds of services that will Notify you, hey, we saw this information about you for sale in some illegal online forum that on its own, you can't necessarily do a lot with, but it can make you a little bit more aware, a little bit more vigilant about some of the things that Professor Hamlin was talking about before. Making sure you're not responding to any kind of inquiry, making sure you're paying attention to your credit score and what's happening financially with your profile. And if there is some loss, then the insurance associated with the identity theft monitoring can also sometimes kick in and be helpful for compensating you for losses.

Jen White

Now, there is some proactive work happening to try to push back on this type of data theft. Professor Hamlin, you train what you call cyber ninjas who fight against malicious hackers. What are they trained to do and what role are they playing in this cybersecurity ecosystem?

Kevin Hamlin

Yeah, it's an interesting world we live in. I sometimes feel like people on the Internet are casually strolling through an active battlefield that they're sort of unaware of. And here at the Cyber Institute, we're training sort of the next generation of cyber warriors to go out there and try to detect this sort of fraud that's happening, find vulnerabilities in software, patch them before they get exploited. And it's just a constant race, it's almost an arms race, where the criminals of the world are trying to find the most advanced rapid methods for exploiting the most software. And meanwhile the defenders are racing around trying to find all of those potential vulnerabilities and closing them before they can be exploited. And this can range from simple sorts of social engineering style attacks where a criminal poses as somebody and manages to outwit them to get your password, to much more sophisticated things like ransomware and code reuse attacks where there are what are called o day vulnerabilities in major software products that attackers can exploit to hijack the product without your password and get lots of sensitive data.

Jen White

How often are you finding that your work, Professor Hamlin, intersects with national security concerns and that these may be criminal actors or criminal organizations, but they're working on behalf of a country or state.

Kevin Hamlin

Yeah, in a way. The good news is that our government is extremely active in this space. And in fact, most of the major threats that I encounter are encountered by at a governmental or a nation state level first. And then those technologies trickle down to run of the mill criminals and end consumers. And so, for example, a lot of my research involves federal contracting for agencies like darpa, Air Force, Navy where they're trying to develop incredibly strong cyber defenses against the most possible sophisticated attacks. And those are the sorts of attacks that an average consumer wouldn't encounter yet. But in 10 years, those are going to be the things that are on the table for the average citizen.

Jen White

We got this from Dan, who writes, a stalker purchased my information from a data broker and used it to harass both myself and members of my family. I now spend hundreds of dollars each year for a data removal service to scrub my information from the hundreds of data brokers who try to sell. And I know that doesn't even cover all of them. It is inexcusable that there aren't laws to regulate this. People should not face a financial burden simply to keep their information out of the hands of nefarious individuals and organizations. Hey, Professor Wolff, part of your research is into the aftermath of these data breaches and who bears the cost. So when large sums of money are stolen and someone has to pay, or there's a cost for trying to protect your information going forward, how are those costs spread around?

Josephine Wolff

So it depends a lot on how the money is stolen, right? If you think about something like a fraudulent charge on your credit card, you almost never pay for that personally because the bank that issued that card or the payment network covers those fraudulent charges. And when we look at other kinds of losses, that's not always as true. So if you think about something like ransomware, right, you're going to cover that cost yourself. Nobody's going to reimburse you for that unless you're carrying some, some personal cyber insurance coverage. Similarly, what this person's talking about, the costs of harassment, of being stalked, those are generally not things where you can rely on a financial institution to cover it. And it is, I think, the beginning of this still fairly small personal cyber insurance market where people are starting to understand what a wide range of costs there can be. One of the things that I would flag is we're seeing more criminals move towards the kinds of damage that they know are gonna be borne by individuals. Because if you commit credit card fraud, which is still a common occurrence, you know, you're up against these very powerful, very well resourced institutions that are gonna pay those costs and are eventually gonna say, you know what, we should put microchips in all the credit cards. Whereas you as an individual don't have the ability to kind of change the technology to make it more secure in that way.

Jen White

We're talking to cybersecurity experts Josephine Wolf and Kevin Hamlin. Professor Hamlin, what's Interesting is you. You say that even if we do everything right, we change our passwords, we update our software, that isn't always enough. Why not?

Kevin Hamlin

Yeah, it's this arms race between defenders and offenders has escalated, especially in recent years, so that now the AI revolution is sort of exacerbating everything. I think it was just last year an outfit called Cyber News reported that they had purchased or at least recovered a large database of stolen credentials on the Dark Web. And they reported that they found 60 billion login credentials in this database. That's around two login credentials per person on the planet. That means that when you ask, has your data ever been stolen, probably everyone listening to this can answer pretty confidently, yes. The only question is whether that data has been used, whether it's become obsolete, yet, whether you're protected against its exploitation. And that's because skilled adversaries go well beyond all of the typical defenses that we could offer to an average citizen. What you're really doing by following these good practices is just making the criminals lives harder. So criminals have to remain profitable, and if you make it difficult enough for them, they have to go through enough steps to steal your data that it's just not worth it anymore, Then you're protected against all sorts of fraud. And of course, the remaining threats, you're relying on the often unsung heroes like the Secret Service agent in that story who went off and actually pursued aggressively, a data broker who was profiting off

Hugh (Vietnamese hacker)

of all of this.

Dena Temple Raston

This.

Jen White

Well, earlier we spoke to former FBI Special Agent Kayla Staff. She specialized in cyber, criminal, cyber, and counterterrorism cases. And here she is talking about working under the second Trump administration.

Josephine Wolff

So the direction started out as we're going to have a few people that will be our liaisons with ICE or ero, and then it becomes, now we need volunteers to do rotations with ICE

Jen White

and ero, and these are locations to go out and detain people.

Dena Temple Raston

Correct. Which obviously takes us away from the

work that we're trained to do, what we specialize in.

Jen White

So, Professor Wolf, she was explaining that she's been draw. She was drawn away from the work of protecting the American people from cyber crime. So, briefly, what more would you like to see, either at the state or federal level, to better protect us and our data?

Josephine Wolff

So I think that there's a hugely important role for the work that you heard about earlier in actually tracking down the perpetrators of this kind of crime and holding them accountable. It's already a very asymmetric fight because we don't have enough resources even before they were being taken away from this issue, to go after all of the people who are involved in these criminal groups. And we often have a lot of hurdles, as you heard about, in sort of getting them to a place where we can actually arrest them and all of that. And the other thing I think we need is to be thinking really seriously about the ways we rely on personal data to allow people to open financial accounts in our name and whether there are alternative models for that that can rely on stronger protection.

Dena Temple Raston

That was part of our conversation with one a host, Jen White, and Josephine Wolf, a professor of cybersecurity policy at Tufts University. We also heard from Kevin Hamlin, a computer science professor at the University of Texas at Dallas. You can hear the full segment@wamu.org Click here is a production of Recorded Future News and PRX. Today's show was written and produced by Megan Dietrich, Sean Powers, Erica Gaeda, Zach Hirsch and Casey Giorgi. Special thanks this week to one a host, Jen White and producer Haley Blasingame. Click Here is edited by Karen Duffin and Sarah Covedo and Fact Checked by Darren Ancrum. Original music is by Ben Levingston with additional music from Blue Dot Sessions. Our staff writer is Lucas Riley, our illustrator is Megan Gough, and our sound designers and engineers are Jake Cook and Jesse Nislonger. We'll be back on Friday. Thanks for listening. Museums are more than places we visit on a field trip across the country. Museums protect our shared history, care for wildlife and collections, strengthen local economies, support job training, and spark curiosity in people of all ages. Right now, you can help make sure museums stay strong for future generations. Museum Advocacy Day is a national moment when people contact Congress to ask for continued support for museums and the federal agencies that fund them. Learn how to take action@aam-us.org and tell your representatives that museums matter to education, to communities, to the economy, and to our democracy.

Jen White

If you're looking for a daily guide to cybersecurity news and policy, sign up for the Cyber Daily from Recorded Future News. It serves up the day's most interesting and important cyber stories from our sister publication the Record, and then aggregates all of the big cyber stories you might have missed from news outlets around the world. Just go to TheRecord Media and click on Cyber Daily to get all you need to know about the world of cybersecurity right in your inbox.