Social Security officials say they have become whistleblowers. Members of the Trump administration’s Department of Government Efficiency (DOGE) have uploaded hundreds of millions of social security records to vulnerable cloud servers, putting most Americans’ personal information at risk of compromise.
Social Security Agency chief data officer Charles Borge said in a newly released whistleblower complaint released Tuesday that other top agency officials signed a decision in June to upload “a live copy of the country’s social security information that avoids surveillance” despite raising concerns.
The database, known as the Numerical Identification System, contains over 450 million records containing all data submitted as part of the Social Security application, including the applicant’s name, birthplace, citizenship, family Social Security numbers, and other sensitive personal and financial information.
Borges said Doge members are a team of former Elon Musk employees appointed by the government under the guise of reducing fraud and waste, and it says that it “seems to lack independent security controls” of sensitive databases, including those who had access to the data and how they used it.
The lack of security protections violated internal agency security controls and federal privacy laws, the complaint alleges.
Borges said that by allowing Doge to become an institution’s cloud administrator, Doge operatives can create “publicly available services.”
In a complaint, Borges warned that if this information was compromised, it could be “sensitive.” [personally identifiable information] It can be publicly available and widely shared in all America, including health checks, income levels, banking information, family relationships and personal biographies. ”
The complaint states that compromise or unauthorized access to the database will have a “devastating effect” on the US Social Security program, and explains that the worst-case scenario could reissue the Social Security numbers for all.
A federal restraint order in March initially blocked Doge staff from accessing the country’s social security records database, but the Supreme Court lifted the order on June 6, paving the way for Doge access.
Over the next few days, Doge allegedly worked to seek internal approval from the agency’s Top Brass, according to a Borges complaint.
Alam Mogadashi, the agency’s chief information officer, approved the move to copy the database to the institution’s cloud, saying that “we determined that the business needs are higher than the security risks,” and that he would accept “all risks” in the project. Michael Russo, formerly former chief information officer of the agency before Mogadashi, has remained at the agency, and has also approved the move of live social security data to the cloud, according to the complaint.
Borges said he first raised the issue internally at the agency, but later blew whi to urge members of Congress to “engage in immediate surveillance to address these serious concerns,” according to a statement from his lawyer Andrea Meza on the Government Accountability Project.
This is the latest accusation of poor cybersecurity practices by the administration and its representatives since President Trump took office in the beginning of January. Since January, DOGE members have fundamentally managed datasets of most US federal departments and citizens.
When contacted TechCrunch, White House spokesman Elizabeth Huston would not have said whether the administration had recognized the complaints and postponed comments to the Social Security Agency.
In an emailed response, Social Security Agency spokesman Nick Perrine said the agency will “store personal data in a secure environment with robust safeguards to protect important information.”
“The data referenced in the complaint is stored and surrounded by the Internet in the long-standing environment used by SSA. High-level carrier SSA personnel have administrative access to this system through surveillance by the SSA’s information security team,” the spokesman added.
A spokesperson said the agency “doesn’t know of any compromise on this environment.”
Data breaches that contain federal data stored in the cloud are rare, but not unheard of. In 2023, TechCrunch reported that the US Department of Defense had published thousands of sensitive military emails online as security expired. Email data was stored in separate Microsoft Azure clouds dedicated to government customers, but misunderstanding allowed military unit email contents to be made public online.
Fix: An earlier version of this story incorrectly stated where the published emails for DOD were hosted. The story accurately reflects that exposed data is hosted on Microsoft’s Azure.
Source link
