A whistleblower report filed today accuses the Department of Government Efficiency (DOGE) within the Social Security Administration (SSA) of secretly replicating the nation’s entire Social Security dataset in an unsecured cloud environment.
According to the disclosure, this action placed over 300 million Americans at risk of identity theft, financial fraud, and potential loss of Social Security benefits. Chief Data Officer Charles Borges warned that if cybercriminals accessed the live database, the U.S. government might face the unprecedented challenge of reissuing Social Security Numbers nationwide.
Key Takeaways
- DOGE allegedly copied 300M SSNs into an unprotected AWS cloud.
- An ETL pipeline continued syncing live data despite a court restraining order.
- Experts stress the need for zero-trust security measures to prevent future breaches.
Allegations of Unsecured Cloud Storage
The protected disclosure, submitted to the U.S. Office of Special Counsel, claims DOGE officials bypassed standard Information Security and Compliance (ISC) safeguards. The alleged gaps include:
- No encryption-at-rest for SSN data
- Lack of role-based access controls (RBAC)
- No continuous audit logging
According to the disclosure, a cloud instance holding live Social Security Numbers (SSNs) was launched without undergoing independent penetration tests or vulnerability assessments. The AWS S3 bucket reportedly lacked strict Identity and Access Management (IAM) policies, exposing it to credential stuffing and API key theft.
Further issues included:
- No multi-factor authentication (MFA) on API endpoints
- No use of a secure Key Management Service (KMS)
Ignoring Court Orders
Court filings reveal that a March 2025 lawsuit led to a temporary restraining order, barring DOGE from accessing live SSN systems until June 6, 2025.
However, internal logs reviewed by Borges suggest DOGE engineers continued syncing data using Python-based ETL scripts and SSA’s RESTful APIs. This effectively created a real-time clone of the production database outside SSA’s Security Operations Center (SOC).
Violations and Risks
Borges labeled the move as mismanagement and abuse of authority, since DOGE bypassed the Change Management Board (CMB) and ignored federal cloud security standards (NIST SP 800-144).
“This operation not only violates the Privacy Act but also exposes the American public to a massive attack surface,” Borges wrote in his internal memo.
SSA executives privately admitted the risk, warning that mass reissuance of SSNs may be the only solution if the data is leaked.
Calls for Oversight and Mitigation
Andrea Meza, legal counsel for the whistleblower, urged Congress and the Office of Special Counsel to take swift oversight action.
She highlighted urgent security needs, including:
- Adopting a zero-trust architecture
- Enforcing access key rotation
- Deploying real-time intrusion detection systems (IDS)
Without immediate intervention, experts warn that the personal identifiers of every American remain at risk.


