doge uploaded live copy of social security database to ‘vulnerable’ cloud server, says whistleblower

Whistleblower Alleges Social Security Data at Risk

A high-ranking official within the Social Security Administration has come forward as a whistleblower, alleging that personnel from the Department of Government Efficiency (DOGE) transferred hundreds of millions of Social Security records to a cloud server with known vulnerabilities.

Details of the Allegation

Charles Borges, the Social Security Administration’s chief data officer, detailed his concerns in a recently published whistleblower complaint. He asserts that agency leaders authorized the upload of a complete copy of the nation’s Social Security information to a cloud environment in June, despite his expressed reservations.

This database, formally known as the Numerical Identification System, holds over 450 million records. These records encompass all data submitted during a Social Security application, including applicant names, birthplaces, citizenship status, and Social Security numbers of family members.

Concerns Regarding Security

Borges indicates that DOGE members, comprised of former employees of Elon Musk, copied the sensitive database to an Amazon-hosted cloud server managed by the agency. This server, he claims, lacked essential independent security controls.

Specifically, there were insufficient measures to monitor who was accessing the data and how it was being utilized. This absence of security protocols reportedly violated both internal agency guidelines and federal privacy regulations.

Potential for Public Access

According to the complaint, granting DOGE administrative access to the agency’s cloud infrastructure could have enabled the creation of “publicly accessible services.” This would potentially allow unrestricted public access to the cloud system and the sensitive data it contained.

Borges cautioned that a compromise of this information could expose the personally identifiable information of every American, including health records, income details, banking information, family connections, and biographical data.

Potential Consequences of a Breach

The complaint emphasizes that any compromise or unauthorized access to the database would have a “catastrophic impact” on the U.S. Social Security program. A worst-case scenario could necessitate the reissuance of Social Security numbers for all citizens.

Timeline of Events

A federal restraining order initially prevented DOGE personnel from accessing Social Security records in March. However, the Supreme Court lifted this order on June 6th, allowing DOGE access to the data.

Following the lifting of the order, DOGE allegedly sought and obtained internal approvals from agency leadership to proceed with the data transfer.

Approvals Granted

Aram Moghaddassi, the agency’s chief information officer, approved the database transfer, stating that the “business need” outweighed the “security risk” and accepting “all risks” associated with the project.

Michael Russo, a senior DOGE operative and former agency chief information officer, also reportedly approved the move of live Social Security data to the cloud.

Whistleblower Action

After raising concerns internally, Borges acted as a whistleblower to urge Congressional oversight of these issues, as stated by his attorney, Andrea Meza, of the Government Accountability Project.

Broader Concerns

This incident represents the latest in a series of accusations regarding inadequate cybersecurity practices by the administration and its representatives, including DOGE, since President Trump’s inauguration.

Since January, DOGE members have reportedly assumed significant control over most U.S. federal departments and their citizen data sets.

Official Responses

The White House, through spokesperson Elizabeth Huston, declined to comment directly on the complaint and referred inquiries to the Social Security Administration.

Nick Perrine, a Social Security Administration spokesperson, stated that the agency “stores personal data in secure environments that have robust safeguards in place to protect vital information.”

He further clarified that the data in question is stored in a long-standing, secure environment isolated from the internet, with access limited to high-level SSA officials under the supervision of the agency’s Information Security team.

The agency maintains that it is unaware of any compromise to this environment.

Precedent for Cloud-Based Breaches

While uncommon, data breaches involving federal government data stored in the cloud have occurred. In 2023, TechCrunch reported a security lapse at the U.S. Department of Defense that resulted in the public exposure of thousands of sensitive military emails.

This exposure occurred due to a misconfiguration within Microsoft Azure, a cloud platform dedicated to government customers, allowing the contents of a military unit’s emails to become publicly accessible.

Correction

An earlier version of this report incorrectly stated the hosting location of the Department of Defense’s exposed email data. The information has been corrected to accurately reflect that the data was hosted on Microsoft’s Azure platform.