DOGE employees uploaded Social Security database to ‘vulnerable’ cloud, agency whistleblower says

An SSA spokesperson maintained the agency is “not aware of any compromise” to the cloud environment referenced in the complaint from the agency’s chief data officer.

Department of Government Efficiency members stored a copy of a massive Social Security Administration database in a “vulnerable” custom cloud environment, putting more than 300 million people’s personal information at risk, the agency’s chief data officer said in a new whistleblower complaint. 

The complaint, filed with Congress on Tuesday, revealed new concerns from CDO Charles Borges about “serious data security lapses” allegedly involving DOGE officials working at the SSA. 

According to the complaint, those officials, under the direction of SSA Chief Information Officer Aram Moghaddassi, granted themselves permission to copy Americans’ Social Security information onto a cloud server with no verified oversight, violating agency protocols. 

“This vulnerable cloud environment is effectively a live copy of the entire country’s Social Security information from the Numerical Identification System (NUMIDENT) database, that apparently lacks any security oversight from SSA or tracking to determine who is accessing or has accessed the copy of this data,” the Government Accountability Project wrote on behalf of Borges in the complaint. 

The NUMIDENT data includes all the information applicants use for a Social Security card, including their name, phone number, address, place and date of birth, parents’ names and Social Security numbers along with other personal information. 

“Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for re-issuing every American a new Social Security Number at great cost,” the complaint warned. 

Borges, who specializes in data analytics, became SSA’s CDO in late January, after stints at the General Services Administration, Centers for Disease Control and Prevention and the Office of Management and Budget. 

The new details follow a string of incidents regarding DOGE’s access to SSA systems, which often hold personally identifiable information and present a higher security risk than other civilian agencies. 

Multiple groups sued SSA and its leaders for allowing DOGE’s access to the agency’s systems earlier this year, resulting in a temporary restraining order and injunction that was extended to early June. But the Supreme Court sided with DOGE in June, granting the efficiency unit access to SSA’s records. 

Shortly after the Supreme Court ruling, an unnamed career official in the Office of the Chief Information Officer shared a “Risk Acceptance Request Form” with Moghaddassi and an SSA career executive after they requested access to their “own virtual private cloud” within SSA’s Amazon Web Services cloud infrastructure, according to the complaint. 

The CIO official pointed out the request was “high-risk,” due to the inclusion of NUMIDENT data, per the complaint. Still, less than two weeks later, CIO officials approved DOGE’s administrative access to the cloud environment, though they said further discussions were needed before approving the request to transfer the NUMIDENT data to the cloud. 

The issue was elevated to Michael Russo — a DOGE-affiliated official who briefly served as SSA’s CIO in February — who eventually approved the transfer request, according to the complaint. 

Weeks later, Moghaddassi requested a provisional authorization to operate for the cloud project, arguing “the business need is higher than the security risk.” 

The complaint stated Borges was later informed that no verified audit or oversight process was in place for the DOGE cloud environment and no one outside the DOGE staffers “had insight” into the code being used in the process. As of the time of the complaint’s publication, Borges had not heard back from multiple DOGE-affiliated staff at SSA regarding his data security concerns. 

“Mr. Borges reasonably believes that this approval constitutes gross mismanagement, abuse of authority, violation of law, and substantial and specific threat to public health and safety,” the complaint stated.

A spokesperson for the SSA said the agency and Commissioner Frank Bisignano “take all whistleblower complaints seriously” and maintained the agency stores “all personal data in secure environments that have robust safeguards.” 

“The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the internet,” the spokesperson said. “High-level career SSA officials have administrative access to this system with oversight by SSA’s Information Security team. We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data.”

Written by Miranda Nazzaro

Miranda Nazzaro is a reporter for FedScoop in Washington, D.C., covering government technology. Prior to joining FedScoop, Miranda was a reporter at The Hill, where she covered technology and politics. She was also a part of the digital team at WJAR-TV in Rhode Island, near her hometown in Connecticut. She is a graduate of the George Washington University School of Media and Public Affairs. You can reach her via email at miranda.nazzaro@fedscoop.com or on Signal at miranda.952.
