DOGE duo ducked security rules during Treasury stint, GAO finds
Two DOGE associates dispatched to the Treasury Department in the early days of the second Trump administration flouted various IT security rules while the agency itself fell short on implementing proper cyber controls, a new watchdog report found.
The Government Accountability Office examined access that a pair of DOGE staffers had to Bureau of the Fiscal Service payment systems from Jan. 20-April 11, 2025. The audit aimed to determine what the DOGE duo planned to do with BFS systems, and whether they followed Treasury protocols on data security. DOGE’s access to those systems has been the subject of litigation.
Preliminary results of GAO’s “ongoing work” involving DOGE revealed that one representative from the Elon Musk-created tech collective had access to three BFS systems — where the federal government disburses federal income tax refunds, benefits, salaries and many other payments. Foreign aid payments were at the center of much of DOGE’s activity.
That employee was able to view, copy and print data from those systems, per the report, in addition to being “inadvertently granted temporary access to create, modify, and delete data” for one of the systems. The watchdog found no evidence of changes to data.
Beyond unintentional security slips, the GAO found a series of moves by DOGE that skirted IT security rules set for BFS usage: One staffer did not encrypt the personally identifiable information of 350 individuals listed for USAID payments that was sent to another agency via an Excel file; that DOGE representative then used their Treasury email address to send the file to the other DOGE staffer’s BFS email; and an unencrypted file of the data was then sent to two DOGE members at the General Services Administration.
“According to BFS officials, employee B did not obtain approval from the bureau to send this information outside the agency,” the report stated. “BFS officials also reported that they discussed the event with their Privacy Office and considered the disclosure of PII to be ‘low risk’ because it did not contain other, more sensitive, information that could be associated with the specific individuals on the list (e.g., Social Security number, address, and date of birth).”
Treasury officials could not provide documentation to the GAO that confirmed that the Privacy Office agreed with the agency’s determination.
The GAO didn’t spare Treasury and BFS officials from blame for some DOGE security lapses. The BFS, for example, did not fully implement all selected cybersecurity controls on payment systems. Additionally, one of the DOGE staffers was “never informed of or agreed to their postemployment data protection requirements at the time of their departure from the agency.”
Because of that lack of communication, that DOGE worker left the agency with an interim security clearance that enabled them to access “multiple BFS systems containing sensitive federal payment information.”
“Until the bureau establishes and implements a process for conducting exit interviews and signing post-employment documentation in cases where individuals with access to payment systems leave unexpectedly, it will have less assurance that these individuals will appropriately protect this sensitive information,” the report said.
The GAO delivered six recommendations to the BFS around the implementation of cyber controls and addressing various security weaknesses. The office agreed with three and didn’t say whether it agreed with the other three.
“Until Treasury and BFS fully establish and implement controls for overseeing users with broad access to payment systems, this important information will be at a greater risk of improper access, modification, disclosure, or misuse,” the watchdog concluded.