A Social Security Administration (SSA) official alleged in a whistleblower disclosure that DOGE officials created "a live copy of the country's Social Security information in a cloud environment that circumvents oversight."
Chuck Borges, the SSA's Chief Data Officer (CDO), "has become aware through reports to him of serious data security lapses, evidently orchestrated by DOGE officials, currently employed as SSA employees, that risk the security of over 300 million Americans' Social Security data," the Government Accountability Project said in a letter sent today to members of Congress and the US Office of Special Counsel. The nonprofit Government Accountability Project is representing Borges.
Although it has been widely reported that DOGE sought and obtained access to Social Security records in its attempt to find evidence of fraud, the letter to lawmakers said the live copy of SSA's database hasn't previously been disclosed. DOGE's actions were taken "under the authority of SSA Chief Information Officer (CIO) Aram Moghaddassi" and violate SSA protocols and policies, the letter said.
There could be severe consequences if the database copy is breached, the letter said:
This vulnerable cloud environment is effectively a live copy of the entire country's Social Security information from the Numerical Identification System (NUMIDENT) database, that apparently lacks any security oversight from SSA or tracking to determine who is accessing or has accessed the copy of this data. NUMIDENT contains all data submitted in an application for a United States Social Security card—including the name of the applicant, place and date of birth, citizenship, race and ethnicity, parents' names and social security numbers, phone number, address, and other personal information. Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for re-issuing every American a new Social Security Number at great cost.
SSA denies security problem
In a statement provided to Ars today, the SSA denied storing data in an insecure environment and said it is not aware of any compromise.
"Commissioner [Frank] Bisignano and the Social Security Administration take all whistleblower complaints seriously," the agency said. "SSA stores all personal data in secure environments that have robust safeguards in place to protect vital information. The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the Internet. High-level career SSA officials have administrative access to this system with oversight by SSA's Information Security team. We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data."
The Government Accountability Project letter quoted a July 15 email in which Moghaddassi allegedly authorized the NUMIDENT cloud project. "I have determined the business need is higher than the security risk associated with this implementation and I accept all risks associated with this implementation and operation," Moghaddassi was quoted as saying.
Borges alleges that the authorization was an "abuse of authority" and "gross mismanagement," and that the creation of the cloud environment potentially violated multiple federal laws. "By knowingly placing a High-Value Asset containing data on over 450 million people in an uncontrolled environment, the requestors, apparently Moghaddassi and possibly others, violated statutory duties under FISMA [Federal Information Security Modernization Act]," the letter said.
Moghaddassi previously worked for Elon Musk-led companies Neuralink and X, and worked for DOGE at the Department of Labor, the letter said. He became the CIO of the SSA in June.
The Government Accountability Project letter also argues that the SSA may have violated the Computer Fraud and Abuse Act "by facilitating unauthorized access to protected computer systems. Further, Moghaddassi's self-authorization of risk acceptance potentially violated 44 U.S.C. § 3554(b), FISMA's requirements for continuous monitoring and risk management, by formally accepting risks that exceeded federal guidelines for protecting sensitive government information."
Borges, a Navy veteran, has worked for several federal agencies and became the CDO of the SSA in January of this year. As CDO, "Borges is responsible for the safety, integrity, and security of the public's data at SSA," and his "position requires full visibility into data access, data exchange, and cloud-based environments used for SSA production systems," the letter said.
Congress urged to investigate
Borges "made internal disclosures to his superiors" about his concerns on August 6. "In that discussion, Mr. Borges commented that re-issuance of Social Security Numbers to all who possess one was a potential worst case outcome, and one of his superiors noted that possibility, underscoring the risk to the public," the letter said.
Borges outlined his concerns to numerous other officials in the ensuing days, the letter said. Borges has not received information that he requested about the cloud environment's security, leaving him "with the reasonable belief that the NUMIDENT data is at risk of exposure, and without information necessary to effectuate his responsibilities as CDO," the letter said.
"Furthermore, Mr. Borges is aware that the Office of General Counsel has advised employees not to respond to his inquiries. Such restriction on information to the CDO puts Mr. Borges in an untenable position inhibiting his ability to effectuate the responsibilities of his role," the letter said. The letter said Borges is ready to meet with lawmakers and oversight entities and urged Congress and the Office of Special Counsel to "investigate Mr. Borges' disclosures and ensure that the security of data of millions of Americans is immediately safeguarded."
Access to Social Security data is one of the various DOGE-related issues that have been litigated in federal courts. In early June, the Supreme Court ruled that "SSA may proceed to afford members of the SSA DOGE Team access to the agency records in question in order for those members to do their work." A dissent written by Justice Ketanji Brown Jackson said the majority decision gave "DOGE unfettered access to this personal, non-anonymized information right now—before the courts have time to assess whether DOGE's access is lawful."
KPop Demon Hunters Is the Most Popular Netflix Movie Ever