Personal details belonging to hundreds of millions of U.S. citizens are in jeopardy, a whistleblower report from the Social Security Administration’s chief data officer reveals, after the Department of Government Efficiency transferred a large Social Security database to a cloud server this past June.
This susceptible DOGE server holds data for every American who has sought a Social Security card, encompassing applicants’ names, birthdates, nationalities, ethnic backgrounds, contact numbers, residential addresses, and other private particulars, thus potentially jeopardizing the safety of more than 300 million Americans, as outlined in the complaint filed by Charles Borges to the Office of Special Counsel and Congressional representatives.
“If malicious parties acquire entry to this cloud setting, Americans could become vulnerable to extensive identity theft, might forfeit crucial healthcare and food aid, and the government could face the responsibility of reissuing a new Social Security Number to every American at significant expense,” the filing states.
Which database did DOGE purportedly duplicate?
DOGE moved Social Security data from the Numerical Identification System (NUMIDENT) database to an internal server exclusively accessible by DOGE, the complaint asserts.
NUMIDENT contains all required information on applications for a United States Social Security card. Nearly Social Security numbers had been issued as of earlier this month.
What are the potential dangers for Americans?
Responding to inquiries concerning Borges’ claim that DOGE duplicated sensitive NUMIDENT data onto an insecure server, the Social Security Administration informed TIME in a declaration that “Commissioner Bisignano and the Social Security Administration thoroughly review all whistleblower allegations.”
The statement continued, asserting that “SSA keeps all personal data within protected environments featuring strong safeguards to secure crucial information. The data mentioned in the complaint resides in an established SSA-utilized environment, isolated from the internet. Senior career SSA personnel possess administrative access to this system, supervised by SSA’s Information Security team. We have no knowledge of any breach to this environment and stay committed to safeguarding sensitive personal data.”
However, the whistleblower’s submission, submitted by attorneys from the Government Accountability Project, an organization dedicated to protecting whistleblowers, points out worries regarding the server’s absence of “independent security controls,” which encompasses “separate monitoring of who is accessing the data and its usage.”
Borges’ assertion further specified that “no authenticated audit or supervisory procedures were in place” for the DOGE server.
“I haven’t witnessed this type of mismanagement from the federal government before,” stated Susan Landau, a cybersecurity and policy professor at Tufts University, describing the purported action of endangering such sensitive data as a “reckless maneuver.”
Should this information become accessible, con artists could more plausibly coerce or mislead people, Landau explained.
She detailed that if malicious individuals obtained an individual’s NUMIDENT data, they could readily discover other personal information sources and construct a comprehensive profile of the person, which might then be exploited to impersonate official bodies like banks, or entice individuals into pyramid schemes.
Landau additionally cautioned about the potential for damage if countries like China or Russia managed to access DOGE’s Social Security cloud.
“I am aghast,” Landau further remarked. “For the past two decades, the federal government has genuinely strived to safeguard this data. Currently… what seems to be occurring is the centralization of increasingly more data in a single location. This is an unsound security approach. And placing it on an unprotected server is utterly preposterous.”
Herbert Lin, a cyber policy and security fellow at Stanford University, voiced apprehension regarding the expansion of access to Social Security data to DOGE employees, noting it’s no longer exclusively available via federal channels.
“The situation has deteriorated because more individuals now have potential access to it,” Lin stated. “I am unaware of their hiring practices, and if anyone knows, please inform me. But that is the core problem.”
Lin also identifies the legality of DOGE’s capacity to intervene with federal agencies as a crucial point in the transfer of data previously safeguarded exclusively by the Social Security Administration.
“To clarify, the fact that its authority is not derived from a Congressional act is significant to me,” Lin commented. “I believe it ought to be significant to everyone.”
What is the government’s reaction?
Borges’ filing details his internal whistleblowing efforts, noting he informed his superiors that reissuing Social Security Numbers to U.S. citizens whose data had been compromised represented a “worst-case scenario.” Despite his numerous internal objections, Borges has not acquired data to “demonstrate that the cloud environment housing the American public’s NUMIDENT information is secured by independent security controls adhering to best practices and industry standards,” the report indicates.
The Office of General Counsel has, furthermore, instructed staff not to answer Borges’ repeated questions concerning the security and hazards of the DOGE Social Security server, the complaint asserts.
Borges is slated to convene with an oversight committee and Congressional representatives to deliberate his discoveries.
TIME has contacted DOGE seeking a statement.