A serious security breach is alleged to have occurred at the Social Security Administration (SSA), following a whistleblower disclosure filed with the U.S. Office of Special Counsel. The filing claims that a division known as the Department of Government Efficiency (DOGE) covertly created a live copy of the nation’s entire Social Security dataset and stored it in an unsecure cloud environment. According to Chief Data Officer Charles Borges, who submitted the protected disclosure, this action bypassed standard Information Security and Compliance (ISC) protocols, including essential security measures like encryption-at-rest and continuous audit logging. The potential exposure of over 300 million Americans to identity theft and the loss of critical benefits has raised alarm bells, with Borges warning that a mass re-issuance of every Social Security number might be necessary if the data is compromised.
The whistleblower’s allegations detail a profound disregard for established security practices. The cloud instance, an Amazon Web Services (AWS) S3 bucket, was reportedly provisioned without enforcing strict Identity and Access Management (IAM) policies or conducting independent vulnerability assessments and penetration tests. Critical security features were allegedly absent, including multi-factor authentication (MFA) on API endpoints and a secure key management service (KMS). This negligence leaves the repository vulnerable to common cyberattacks such as credential stuffing or API key leakage, which could grant malicious actors unfettered access to sensitive Personally Identifiable Information (PII). Borges’s memo explicitly states that this operation not only violates the Privacy Act but also significantly expands the public’s cyber-attack surface.
The timeline of events outlined in the disclosure is particularly troubling. Court records show that a temporary restraining order, effective until June 6, 2025, was issued in March 2025 to prevent DOGE from accessing production SSN systems. However, Borges’s review of internal logs indicates that DOGE engineers continued to synchronize data during this period. The synchronization was allegedly performed via an automated ETL pipeline using Python scripts and the SSA’s internal RESTful APIs, effectively creating a clone of the live database outside the watchful eyes of the SSA’s Security Operations Center (SOC). This action, performed despite a direct court order, suggests a deliberate effort to circumvent official channels and security oversight.
The whistleblower’s disclosure paints a picture of serious mismanagement and abuse of authority.
By bypassing the SSA’s Change Management Board (CMB), DOGE officials allegedly violated federal Cloud Security advice as outlined in NIST SP 800-144. Borges’s internal memo, referenced in the disclosure, highlights the extreme risk of this operation. An SSA executive reportedly acknowledged the gravity of the situation, conceding that a mass re-issuance of SSNs might be the only recourse should the data be compromised. Such an undertaking would be a monumental task, causing widespread disruption and financial hardship for millions of Americans.
In light of these explosive claims, Andrea Meza, legal counsel for the whistleblower, has urgently called for congressional and Office of Special Counsel oversight. She emphasized the immediate need for mitigation measures to protect Americans’ most sensitive identifiers. Meza’s recommendations include the implementation of a zero-trust architecture, the rotation of access keys, and the deployment of real-time intrusion detection systems (IDS). This disclosure serves as a stark reminder of the critical importance of adhering to stringent cybersecurity protocols and the immense responsibility agencies hold in safeguarding public data. The outcome of the investigation into these allegations will be closely watched, as it will determine the fate of one of the nation’s most vital datasets.
Reference:
