Article Details

DOGE accused of duplicating critical Social Security database on unsecured cloud. Remember that cost-cutting group once led by Elon Musk? Federal employees are still dealing with it. A Social Security Administration employee has filed a whistleblower complaint alleging that Donald Trump's DOGE cost-cutting unit has put the records of every single American at risk by duplicating an agency database in an unauthorized cloud environment.  It's not just any SSA flunkie making the accusations either. The complaint, filed today by the Government Accountability Project (GAP), comes from the SSA's own chief data officer, Charles Borges, who has been in the position since January, capping off a more than 30 year government IT career that began with 22 years in the US Navy.  DOGE, which is not an official government agency approved by Congress, was established through an executive order from President Trump, and was initially led by Tesla impresario and centibillionaire Elon Musk before the two had a public falling out. Along the way, federal employees and investigators complained that the informal body, which was led and staffed in large part by young Musk acolytes with no government experience, moved aggressively and often without respect for established protocols, congressional oversight and, in some cases, the law. Most damningly, Borges alleges DOGE took the NUMIDENT database, which "contains all data submitted in an application for a United States Social Security card," and reproduced it in a test cloud environment that wasn't managed by the SSA and was "lacking independent security controls." The database was copied in June, according to the complaint, and the only people who had administrator access to the duplicate were two DOGE employees - not the Division of Infrastructure Services admins that the SSA requires to manage its digital services.  Borges claimed that he received reports that the NUMIDENT copy's cloud environment had "no verified audit or oversight mechanisms," and that no one outside DOGE had insight into any code being executed against the data.  According to the complaint, the ramifications of the NUMIDENT copy getting into malicious hands would be catastrophic. "Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for re-issuing every American a new Social Security Number at great cost," Borges' lawyers wrote. But that's not his only gripe – according to Borges, DOGE's bad behavior at the SSA goes back months. The complaint discloses three instances in which DOGE committed "systemic data security violations" as well as "potential violations of internal SSA security protocols and federal privacy laws."  In the first of these instances, Borges claims the SSA granted DOGE officials "improper and excessive access" to the agency's enterprise data warehouse beginning in March. Approval for the access reportedly bypassed the normal systems access management system in use at the SSA, the complaint alleges, and the accounts also had equipment-level PIN access and write access to the data lake, meaning that they could make changes using a generic device access code that isn't connected to a particular human user.  In March, a judge banned DOGE from accessing SSA systems. But, the complaint alleges that, "Within 24 hours of the court-ordered revocation, DOGE officials appeared to have circumvented the judicial mandate." Access was allegedly restored by "senior career enterprise data warehouse officials" who "received instructions to undo the court-ordered access restrictions," and gave the DOGE staffers elevated rights compared with their initial access. A later legal ruling in June restored DOGE's access anyway. Borges claims in the complaint that he had to find information about these problems on his own accord, as DOGE declined to involve him in the matters he's calling out. Supporting documentation for Borges' claims are included in the report, but are redacted from the public version. The Social Security Administration told The Register that it wasn't aware of any compromise of the DOGE NUMIDENT environment, and that it takes all whistleblower complaints seriously. "SSA stores all personal data in secure environments that have robust safeguards in place to protect vital information," an SSA spokesperson told us in an email. "High-level career SSA officials have administrative access to this system with oversight by SSA's Information Security team." The SSA added that the data referenced in the complaint is stored in an environment that is "walled off from the internet," though it's not clear how isolated the database actually is if it has a live copy living in an unmanaged cloud environment. We asked the SSA that question as a follow up, but didn't hear back.  As for what comes next for the complaint, the GAP, who is representing Borges in the complaint, told us that the Office of Special Council has 45 days to review the complaint before deciding how to act next.  Unfortunately, the OSC's job is only to determine whether the complaints are substantially likely, and then hand the matter off to the agency involved for it to perform its own investigation. In other words, this is entirely up to the SSA to resolve. They're required to report back to the OSC, and Borges would be given a chance to issue a response, but it's ultimately up to those who might be violating the rules to investigate the alleged violation.  The OSC didn't respond to questions for this story.