SSA chief’s response to whistleblower complaint: database was not accessed in ‘any unauthorized fashion’

Frank Bisignano said the agency’s data protection measures “did not diverge” from standard practice, challenging the DOGE-related concerns raised by SSA’s ex-CDO.
Frank Bisignano arrives to his Senate Finance Committee confirmation hearing to be commissioner of the Social Security Administration at the Dirksen Senate Office Building on March 25, 2025 in Washington, D.C. (Maansi Srivastava for the Washington Post)

Social Security Administration Commissioner Frank Bisignano told Congress that no information from an agency database has been accessed or leaked, disputing a whistleblower complaint from the former chief data officer that has led to mounting questions about SSA’s data security. 

In a letter sent Tuesday to Senate Finance Committee Chair Mike Crapo, R-Idaho, Bisignano said the SSA consistently monitors its systems for “signs of unauthorized access or data compromise” and did not find any related issues involving its Numident database. 

It comes weeks after the agency’s now-former chief data officer published a whistleblower complaint alleging staff affiliated with the Department of Government Efficiency stored a copy of the agency’s massive Numident database and uploaded it to a “vulnerable” custom cloud environment without proper authorization. 

The complaint sparked a flurry of questions about the agency’s data protection practices and whether any information from the Numident database was at risk of being hacked or leaked. Crapo sent a letter last week to Bisignano, asking for information on whether the Numident data was compromised and what actions the agency took following the whistleblower report. 

The Numident database includes all the information applicants use for a Social Security card, including names, phone numbers, addresses, dates of birth, parents’ names and Social Security numbers, along with other personal details.

Responding to Crapo’s concerns, Bisignano maintained that SSA complies with FISMA requirements, which mandate that federal agencies have comprehensive information security programs. He said SSA follows the framework for all of its information systems, including those with personally identifiable information such as the Numident database.

The SSA chief also laid out the process the agency followed after whistleblower Charles Borges raised concerns about the integrity of data at the SSA.

Borges, who resigned days after filing the complaint, claimed his repeated requests for attention to his concerns were “rebuffed or ignored” by agency leadership, and that some employees were instructed not to respond to his inquiries. 

According to Bisignano, SSA designated two executives to interview Borges after he first raised his concerns and the agency convened “key staff” — including the acting chief information security officer, chief information officer and chief legal counsel — to review the allegations. 

“The Acting CISO assessed the allegation that Numident data was stored in an unsecured cloud environment and determined it was unfounded,” Bisignano wrote. “The location referred to in the whistleblower allegation is actually a secured server in the agency’s cloud infrastructure, which historically has housed this data and is continuously monitored and overseen—SSA’s standard practice.”

“Prior to Mr. Borges originally raising his concerns to relevant executives in his component on August 6, 2025, he did not communicate with his peers in the security, data, and infrastructure groups who have oversight over these issues. Accordingly, they were not aware of the substance of his concerns,” he continued. 

In his initial complaint, Borges said the DOGE-affiliated staffers requested access to their “own virtual private cloud” within Amazon Web Services’ cloud infrastructure, which was allegedly the landing spot for the data. 

When asked why the SSA selected AWS to be its cloud service provider, Bisignano said the agency was using the system in late 2015 to early 2016 and followed federal procurement requirements. He noted AWS is a FedRAMP cloud provider and was the “most attractive option for cloud services.” 

He later said all employees go through a vetting process before getting access to agency information systems, stating the procedure in question “did not diverge from standard agency processes.” 

“SSA never transferred the Numident database to a private cloud server within SSA’s AWS cloud. SSA does not have a private cloud within its secure AWS,” Bisignano wrote.

Written by Miranda Nazzaro

Miranda Nazzaro is a reporter for FedScoop in Washington, D.C., covering government technology. Prior to joining FedScoop, Miranda was a reporter at The Hill, where she covered technology and politics. She was also a part of the digital team at WJAR-TV in Rhode Island, near her hometown in Connecticut. She is a graduate of the George Washington University School of Media and Public Affairs. You can reach her via email at miranda.nazzaro@fedscoop.com or on Signal at miranda.952.
