GOP senator presses SSA over data protections following whistleblower complaint

A Republican lawmaker is pressing the Social Security Administration on its data storage and security practices after an agency whistleblower came forward last month, alleging Department of Government Efficiency staff compromised Americans’ personal, sensitive information. 

Senate Finance Committee Chair Mike Crapo, R-Idaho, sent a letter to SSA Commissioner Frank Bisignano on Wednesday, requesting immediate information on any actions the agency took upon hearing the whistleblowers’ concerns, writing that the amount of sensitive data under the agency is a “matter of first importance.” 

“Please inform the Committee on Finance immediately upon receipt of this letter whether the Numident database itself or any data contained in the Numident was accessed, leaked, hacked, or disseminated in any unauthorized fashion,” Crapo wrote. 

It comes about two weeks after Charles Borges, the agency’s former chief data officer, filed a whistleblower complaint alleging DOGE members, under the direction of SSA Chief Information Officer Aram Moghaddassi, permitted themselves to copy Americans’ Social Security information onto a cloud server. 

Borges, who has since resigned from his role, stated that this was a “vulnerable cloud environment” that now contains a live copy of the agency’s Numerical Identification System (Numident) database. 

The Numident data includes all the information applicants use for a Social Security card, including their name, phone number, address, date of birth, parents’ names and Social Security numbers, along with other personal information. 

Crapo said he must take “very seriously every allegation by a protected whistleblower,” adding that “given the large amount of sensitive data under SSA’s control, I consider the protection and security of PII held by the agency to be a matter of first importance.” 

Crapo asked Bisignano to explain the security measures or oversight mechanisms in place to ensure the sensitive data is appropriately handled, along with how SSA assessed the risk of giving certain employees the ability to transfer data from the Numident database. 

He also inquired about when the agency first stored the data in the environment and the reasoning behind choosing Amazon Web Services as SSA’s cloud service provider. 

Bisignano was given two weeks to respond to the letter. 

In his resignation letter, Borges said he could not verify that agency data is being used in accordance with legal agreements or federal requirements. He said his repeated requests for attention to his concerns were rebuffed or ignored and that some employees were instructed not to respond to his inquiries. 

When reached for comment, a spokesperson for SSA reiterated that the agency “stores all personal data in secure environments that have robust safeguards in place to protect vital information.”

“The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the internet,” the spokesperson said. “High-level career SSA officials have administrative access to this system with oversight by SSA’s Information Security team. We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data.”

The SSA has faced mounting scrutiny in recent months over DOGE’s access to agency systems. Multiple groups sued SSA and its leaders for permitting DOGE’s access to the SSA systems earlier this year. A judge issued a temporary restraining order and injunction that was extended to early June. The Supreme Court later sided with DOGE, granting the efficiency unit access to SSA’s records.