A whistleblower disclosure filed today alleges that the Department of Government Efficiency (DOGE) within the Social Security Administration (SSA) covertly created a live copy of the nation’s entire Social Security dataset in an unsecured cloud environment.
Chief Data Officer Charles Borges warned that, if malicious actors gain access, over 300 million Americans could face identity theft, loss of critical benefits, and the monumental task of re-issuing every Social Security number.
Key Takeaways
1. DOGE copied 300M SSNs into an unsecured AWS cloud.
2. An automated ETL pipeline synced live SSN data despite a court order.
3. The lapse risks mass identity theft and demands zero-trust security.
Allegations of Unsecured Cloud Storage
According to the protected disclosure submitted to the U.S. Office of Special Counsel, DOGE officials bypassed standard Information Security and Compliance (ISC) controls, including encryption-at-rest, role-based access control (RBAC), and continuous audit logging, when provisioning a cloud instance containing live Social Security Number (SSN) records.
Borges notes that neither independent vulnerability assessments nor penetration tests were conducted before spinning up the Amazon Web Services (AWS) S3 bucket storing PII, nor were strict Identity and Access Management (IAM) policies enforced.
The cloud environment lacked multi-factor authentication (MFA) on API endpoints and did not employ a secure key management service (KMS), rendering the SSN repository vulnerable to credential stuffing or API key leakage.
Court records show that a lawsuit filed in March 2025 resulted in a temporary restraining order preventing DOGE from accessing production SSN systems until June 6, 2025.
However, internal logs reviewed by Borges indicate that DOGE engineers continued to synchronize data via an automated ETL pipeline—using Python scripts and the SSA’s internal RESTful APIs, effectively cloning the live database outside SSA’s Security Operations Center (SOC).
Borges claims that DOGE’s actions constitute serious mismanagement and abuse of authority by bypassing the SSA’s Change Management Board (CMB) and violating federal Cloud Security advice (NIST SP 800-144).
“This operation not only breaches the Privacy Act but also exposes the public to a significant cyber-attack surface,” Borges wrote in his internal memo.
One SSA executive reportedly acknowledged the risk, stating that the agency might need to re-issue SSNs en masse should the data be compromised.
Andrea Meza, counsel for the whistleblower, urged Congress and the Office of Special Counsel to launch immediate oversight.
She emphasized that mitigation measures such as enforcing zero-trust architecture, rotating access keys, and deploying real-time intrusion detection systems (IDS) must be implemented without delay to protect Americans’ most sensitive identifiers.
Source link
