{"id":4561,"date":"2025-08-27T17:47:26","date_gmt":"2025-08-27T17:47:26","guid":{"rendered":"https:\/\/cybersecurityinfocus.com\/?p=4561"},"modified":"2025-08-27T17:47:26","modified_gmt":"2025-08-27T17:47:26","slug":"whistleblower-doge-put-social-security-database-covering-300-million-americans-on-insecure-cloud","status":"publish","type":"post","link":"https:\/\/cybersecurityinfocus.com\/?p=4561","title":{"rendered":"Whistleblower: DOGE put Social Security database covering 300 million Americans on insecure cloud"},"content":{"rendered":"<div>\n<div class=\"grid grid--cols-10@md grid--cols-8@lg article-column\">\n<div class=\"col-12 col-10@md col-6@lg col-start-3@lg\">\n<div class=\"article-column__content\">\n<div class=\"container\"><\/div>\n<p>The Elon Musk\u2013founded Department of Government Efficiency (DOGE) uploaded to an insecure Amazon Web Services server a copy of Americans\u2019 Social Security data, risking the security of critical personal information for more than 300 million people, according to a\u00a0<a href=\"https:\/\/whistleblower.org\/wp-content\/uploads\/2025\/08\/08-26-2025-Borges-Disclosure-Sanitized.pdf\">protected whistleblower disclosure<\/a>\u00a0to the US Office of Special Counsel and congressional committees\u00a0filed by the Government Accountability Project.<\/p>\n<p>Whistleblower Charles Borges, who has served as the chief data officer at the Social Security Administration (SSA) since January, disclosed that DOGE created a live copy of the country\u2019s Social Security information in a test cloud environment that circumvents oversight and potentially violates security protocols and federal privacy regulations.<\/p>\n<p>Borges says the risky maneuver capped a turbulent period at SSA during which the DOGE workers progressed from emergency circumvention of court orders in March 2025 to full-blown systematic institutional approval of high-risk activities involving sensitive public data by July 2025.<\/p>\n<p>\u201cA way to view this 
is as an attack by an insider threat,\u201d <a href=\"https:\/\/johnskinnerportfolio.com\/\">John Skiles Skinner<\/a>, a former consulting engineer and project leader at 18F, a prestigious and influential US government digital services agency that DOGE eliminated in March 2025, tells CSO. \u201cThere is a group of people, apparently handpicked by Elon Musk, who want to manipulate government data in some way, and they put themselves in positions of power and signed blank checks to themselves to move that data around however they want.\u201d<\/p>\n<p>What has yet to be determined, however, is whether the DOGE workers violated several US laws by abandoning security protocols and why they engaged in what Borges says are highly risky and unsafe data management practices.<\/p>\n<h2 class=\"wp-block-heading\">What did the DOGE workers do?<\/h2>\n<p>Borges\u2019s complaint identifies four DOGE personnel as the culprits behind this move, including Edward Coristine, nicknamed \u201cBig Balls,\u201d a 19-year-old DOGE programmer who became a full-time government employee in May, landing at the SSA in June; Aram Moghaddassi, who worked for DOGE at the Department of Labor and became CIO of SSA in June; John Solly, <a href=\"https:\/\/www.wired.com\/story\/next-stage-doge-elon-musk\/\">described<\/a> as a DOGE-aligned hire, reportedly joined the SSA in March 2025 in the office of the CIO; and Michael Russo, who served as CIO of the SSA from February 2025 until late March 2025, when he was replaced by Scott Coulter and transitioned to a special advisor role in the SSA focused on \u201cmodernizing its archaic technology.\u201d<\/p>\n<p>Coristine and Moghaddassi <a href=\"https:\/\/www.wired.com\/story\/big-balls-young-doge-converted-into-full-time-government-employees\/\">interned<\/a> or <a href=\"https:\/\/www.devx.com\/daily-news\/ssa-appoints-aram-moghaddassi-as-cio\/\">worked<\/a> for Musk before joining the government, while Russo was an executive <a 
href=\"https:\/\/www.prnewswire.com\/news-releases\/shift4-payments-expands-executive-team-with-new-chief-development-officer-and-evp-of-development-300619860.html\">at a tech company<\/a> that does payment processing for Musk\u2019s Starlink.<\/p>\n<p>According to the complaint, under the authority of Moghaddassi, the DOGE workers created a copy of the country\u2019s Social Security information by uploading a live production copy of the Numerical Identification System (NUMIDENT) database to an Amazon test cloud environment outside mandated security protocols, making it impossible for the federal government to track who has accessed or who is accessing the data.<\/p>\n<p>The NUMIDENT database contains all data submitted in an application for a United States Social Security card, including the name of the applicant, place and date of birth, citizenship, race and ethnicity, parents\u2019 names and Social Security numbers, phone number, address, and other personal information.<\/p>\n<p>Borges says in the complaint that on June 12, 2025, a career official in the Office of the Chief Information Officer (OCIO) shared a formal \u201cRisk Acceptance Request Form\u201d with Moghaddassi and an SSA career executive apparently responding to a June 10-11 request to have administrative access to \u201ctheir own Virtual Private Cloud (VPC, \u2018cloud\u2019) within the SSA Amazon Web Services \u2014 Agency Cloud Infrastructure (AWS-ACI).\u201d The risk assessment characterized the DOGE move as \u201chigh risk.\u201d<\/p>\n<p>Nonetheless, DOGE workers were granted administrative access to the cloud, after which Borges contends that the Office of Information Security (OIS) said it was impermissible to move NUMIDENT production data to the test environment. 
But on June 25, CIO officials obtained from Michael Russo authorization for John Solly to upload NUMIDENT production data to DOGE\u2019s test cloud environment, which lacked independent security controls and bypassed security protocols.<\/p>\n<p>On July 25, Moghaddassi authorized a \u201cProvisional Authorization to Operate\u201d apparently for the NUMIDENT cloud project, stating, \u201cI have determined the business need is higher than the security risk associated with this implementation and I accept all risks associated with this implementation and operation.\u201d<\/p>\n<p>After that, Borges said he repeatedly raised internally his concerns over the security of the data, futilely contacting Coristine, Solly, and Mickie Tyquiengco, executive officer in the OCIO Front Office, to request information about his security concerns. Based on the non-responsiveness of the principals involved, Borges argues that \u201cthe creation of the DOGE-specific, self-administered cloud environment lacking independent security controls and hosting a copy of NUMIDENT constitutes an abuse of authority, gross mismanagement, substantial and specific threat to public health and safety, and potentially violation of law, rule, or regulation.\u201d<\/p>\n<h2 class=\"wp-block-heading\">Did the DOGE workers violate the law?<\/h2>\n<p>Under the Federal Information Security Management Act (<a href=\"https:\/\/security.cms.gov\/learn\/federal-information-security-modernization-act-fisma\">FISMA<\/a>), all information systems operated by or on behalf of the US federal government <a href=\"https:\/\/digital.gov\/resources\/an-introduction-to-ato\">must obtain<\/a> an authorization to operate (ATO). 
The purpose of an ATO is to minimize the security risks to which those systems might be exposed.<\/p>\n<p>Complying with the ATO under FISMA <a href=\"https:\/\/digital.gov\/resources\/an-introduction-to-ato\">requires the completion of five steps<\/a>: analyzing the impact a disaster or attack on the data would have on the public and agency; developing a system security and privacy plan; inviting experts to assess and verify the plan; signing off on the plan by the authorizing official, information security officer, and system owner; and developing a plan for ongoing monitoring.<\/p>\n<p>To get a government official, such as a CIO or CISO, to sign off on an ATO under FISMA, government systems must meet a <a href=\"https:\/\/csrc.nist.gov\/pubs\/sp\/800\/53\/r5\/upd1\/final\">list of security controls<\/a> contained in a publication by the National Institute of Standards and Technology, NIST SP 800-53. FISMA mandates that federal agencies implement NIST\u2019s guidelines, making compliance with NIST SP 800-53 mandatory for obtaining an ATO.<\/p>\n<p>According to Skinner, an ATO is an essential security mechanism for government computer systems. \u201cMoving data out of this system\u2019s ATO means that DOGE moved Americans\u2019 personal data outside of government security controls, beyond the ability of government security experts to track if the data is being leaked,\u201d he tells CSO. \u201cSomeone could steal this data, and we might never know it.\u201d<\/p>\n<p>Skinner adds: \u201cWhen SSA employees resisted DOGE\u2019s attempt to move data outside the ATO, DOGE wrote itself a Provisional ATO, which is a real thing but not a blank check to circumvent the security rules, avoid oversight, and expose Americans\u2019 personal data. 
DOGE treated it as a blank check.\u201d<\/p>\n<p>The complaint alleges that the lack of proper documentation of controls likely violates FISMA by placing a high-value asset containing data on over 450 million Americans and eligible noncitizens, in an uncontrolled environment. It also alleges that the Provisional ATO violates the <a href=\"https:\/\/www.justice.gov\/opcl\/privacy-act-1974#:~:text=The%20Privacy%20Act%20of%201974%2C%20as%20amended%2C%205%20U.S.C.,existing%20Privacy%20Act%20case%20law.\">Privacy Act of 1974<\/a>, \u201cwhich requires agencies to maintain personal information with accuracy, relevance, timeliness, and completeness as necessary to assure fairness in determinations about individuals. Placing production NUMIDENT data in cloud environments without independent security controls violates these maintenance requirements.\u201d<\/p>\n<p>Finally, the complaint argues that what DOGE did violates the <a href=\"https:\/\/www.justice.gov\/jm\/jm-9-48000-computer-fraud#:~:text=The%20Computer%20Fraud%20and%20Abuse,the%20Department%20applies%20the%20law.\">Computer Fraud and Abuse Act<\/a> by facilitating unauthorized access to protected computer systems.<\/p>\n<h2 class=\"wp-block-heading\">Why did DOGE do this?<\/h2>\n<p>Moghaddassi\u2019s stated rationale that the \u201cbusiness need is higher than the security risk\u201d and an earlier statement by Solly that the data move was necessary to improve the way that SSA exchanges data provide little insight into what exactly DOGE intends to do with the data.<\/p>\n<p>It\u2019s possible that the DOGE team decided to move the NUMIDENT database to better comply with a <a href=\"https:\/\/www.whitehouse.gov\/presidential-actions\/2025\/03\/stopping-waste-fraud-and-abuse-by-eliminating-information-silos\/?ref=metacurity.com\">March executive order<\/a> issued by Trump, entitled \u201cStopping Waste, Fraud, and Abuse by Eliminating Information Silos,\u201d which directed agencies to rescind or modify all 
guidance that serves as a barrier to the inter- or intra-agency sharing of unclassified information and give the DOGE team and other federal officials access to all unclassified records, data, software systems, and information technology systems across all federal civilian agencies.<\/p>\n<p>Data analysis and technology firm Palantir is <a href=\"https:\/\/www.nytimes.com\/2025\/05\/30\/technology\/trump-palantir-data-americans.html\">reportedly helping<\/a> the Trump administration compile a master list of personal information on Americans to achieve this anti-silo initiative, which is contingent on SSA and IRS data.<\/p>\n<p>It\u2019s also conceivable that the DOGE team was seeking to further the development of a master database at DHS to <a href=\"https:\/\/www.wired.com\/story\/doge-collecting-immigrant-data-surveil-track\/\">track and surveil undocumented immigrants<\/a>, which is mainly dependent on access to the SSA database. A host of other Trump-DOGE initiatives, including <a href=\"https:\/\/www.404media.co\/things-are-going-to-get-intense-how-a-musk-ally-plans-to-push-ai-on-the-government\/\">a plan<\/a> to push AI technologies throughout the federal government, might also be a motivating factor for DOGE to move SSA and other government systems data away from systems governed by security protocols.<\/p>\n<p>Whatever the motivation, DOGE may have engaged in similar actions across the federal government where the loosely defined initiative has housed its workers, including the General Services Administration, the Veterans Administration, the Department of Health and Human Services, the Internal Revenue Service, and more.<\/p>\n<p>The revelation that DOGE has violated security protocols at the SSA \u201cis probably more of a tip of the iceberg situation,\u201d Skinner speculates. \u201cI am guessing that this is what they are doing everywhere. 
It seems like they\u2019re going around and cracking open the security at those agencies and taking the data and moving it away from someplace where security experts within the government can see what they\u2019re doing with it.\u201d<\/p>\n<\/div>\n<\/div>\n<\/div>\n<\/div>","protected":false},"excerpt":{"rendered":"<p>The Elon Musk\u2013founded Department of Government Efficiency (DOGE) uploaded to an insecure Amazon Web Services server a copy of Americans\u2019 Social Security data, risking the security of critical personal information for more than 300 million people, according to a\u00a0protected whistleblower disclosure\u00a0to the US Office of Special Counsel and congressional committees\u00a0filed by the Government Accountability Project. [&hellip;]<\/p>\n","protected":false},"author":0,"featured_media":4562,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[3],"tags":[],"class_list":["post-4561","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-education"],"_links":{"self":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4561"}],"collection":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"replies":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4561"}],"version-history":[{"count":0,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/posts\/4561\/revisions"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=\/wp\/v2\/media\/4562"}],"wp:attachment":[{"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4561"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/cybersecur
ityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4561"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/cybersecurityinfocus.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4561"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}