A whistleblower disclosure filed today alleges that the Department of Government Efficiency (DOGE) within the Social Security Administration (SSA) covertly created a live copy of the nation's entire Social Security dataset in an unsecured cloud environment.
Chief Data Officer Charles Borges warned that, if malicious actors gain access, over 300 million Americans could face identity theft, loss of critical benefits, and the monumental task of re-issuing every Social Security number.
Key Takeaways
1. DOGE copied 300M SSNs into an unsecured AWS cloud.
2. An automated ETL pipeline synced live SSN data despite a court order.
3. The lapse risks mass identity theft and demands zero-trust security.
Allegations of Unsecured Cloud Storage
According to the protected disclosure submitted to the U.S. Office of Special Counsel, DOGE officials bypassed standard Information Security and Compliance (ISC) controls, including encryption-at-rest, role-based access control (RBAC), and continuous audit logging, when provisioning a cloud instance containing live Social Security Number (SSN) records.
Borges notes that neither independent vulnerability assessments nor penetration tests were conducted before spinning up the Amazon Web Services (AWS) S3 bucket storing PII, nor were strict Identity and Access Management (IAM) policies enforced.
The cloud environment lacked multi-factor authentication (MFA) on API endpoints and did not employ a secure key management service (KMS), leaving the SSN repository vulnerable to credential stuffing or API key leakage.
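The controls the disclosure says were skipped (encryption-at-rest with a managed key, public-access restrictions, audit logging, MFA-protected deletion) are all visible in a bucket's configuration, so a practitioner can check them before any data lands. The script below is an added example, not code from the disclosure or from SSA, and checks configuration dicts shaped like the corresponding boto3 responses (`get_bucket_encryption`, `get_public_access_block`, `get_bucket_logging`, `get_bucket_versioning`); the two sample buckets, the KMS key ARN and the log bucket name are constructed for illustration and describe no real system. IAM policy review is a separate audit and is not covered here.

```python
"""Offline baseline check for an S3 bucket that will hold regulated PII.

Each argument mimics the shape of the matching boto3 S3 response so the
checks can be run against live output or, as here, against constructed
sample dicts. Nothing in this file describes a real bucket.
"""

PUBLIC_ACCESS_FLAGS = (
    "BlockPublicAcls",
    "IgnorePublicAcls",
    "BlockPublicPolicy",
    "RestrictPublicBuckets",
)


def audit_bucket(encryption, public_access_block, logging, versioning):
    """Return a list of findings; an empty list means all four baseline
    controls checked here are in place."""
    findings = []

    # 1. Encryption at rest with a customer-managed KMS key. `None` stands
    #    for the ServerSideEncryptionConfigurationNotFoundError that
    #    get_bucket_encryption raises when no default encryption is set.
    rules = (encryption or {}).get("ServerSideEncryptionConfiguration", {}).get("Rules", [])
    if not rules:
        findings.append("no default encryption-at-rest configured")
    else:
        default = rules[0].get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") != "aws:kms":
            findings.append(
                f"default encryption uses {default.get('SSEAlgorithm', 'none')!r}, not a KMS key"
            )
        elif not default.get("KMSMasterKeyID"):
            findings.append("SSE-KMS uses the AWS-managed key; a customer-managed key is expected for PII")

    # 2. All four public access block flags must be true, otherwise a bucket
    #    policy or object ACL can still expose records to the internet.
    pab = (public_access_block or {}).get("PublicAccessBlockConfiguration", {})
    missing = [flag for flag in PUBLIC_ACCESS_FLAGS if not pab.get(flag)]
    if missing:
        findings.append("public access block incomplete: " + ", ".join(missing))

    # 3. Server access logging gives the audit trail of every object read/write.
    if not (logging or {}).get("LoggingEnabled", {}).get("TargetBucket"):
        findings.append("server access logging disabled")

    # 4. Versioning with MFA Delete, so a leaked access key alone cannot
    #    destroy or silently overwrite records.
    ver = versioning or {}
    if ver.get("Status") != "Enabled":
        findings.append("versioning not enabled")
    elif ver.get("MFADelete") != "Enabled":
        findings.append("MFA Delete not enabled")

    return findings


# Constructed sample: a bucket provisioned without the controls (illustrative only).
WEAK_BUCKET = {
    "encryption": None,
    "public_access_block": {"PublicAccessBlockConfiguration": {
        "BlockPublicAcls": True, "IgnorePublicAcls": False,
        "BlockPublicPolicy": False, "RestrictPublicBuckets": False}},
    "logging": {},
    "versioning": {},
}

# Constructed sample: the same bucket after hardening. The key ARN and the
# log bucket name are placeholders, not real resources.
HARDENED_BUCKET = {
    "encryption": {"ServerSideEncryptionConfiguration": {"Rules": [{
        "ApplyServerSideEncryptionByDefault": {
            "SSEAlgorithm": "aws:kms",
            "KMSMasterKeyID": "arn:aws:kms:us-east-1:123456789012:key/example-key-id"},
        "BucketKeyEnabled": True}]}},
    "public_access_block": {"PublicAccessBlockConfiguration": {
        flag: True for flag in PUBLIC_ACCESS_FLAGS}},
    "logging": {"LoggingEnabled": {"TargetBucket": "example-audit-logs", "TargetPrefix": "pii/"}},
    "versioning": {"Status": "Enabled", "MFADelete": "Enabled"},
}

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_BUCKET), ("hardened", HARDENED_BUCKET)):
        print(name, audit_bucket(**cfg) or ["no findings"])
```

Against live infrastructure the four dicts come straight from a boto3 S3 client; the weak sample produces four findings and the hardened sample none. The check is intentionally a gate rather than a scanner: a bucket that fails it should not receive PII, which is the step the disclosure says never happened.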
Court records show that a lawsuit filed in March 2025 resulted in a temporary restraining order barring DOGE from accessing production SSN systems until June 6, 2025.
However, internal logs reviewed by Borges indicate that DOGE engineers continued to synchronize data via an automated ETL pipeline, using Python scripts and the SSA's internal RESTful APIs, effectively cloning the live database outside SSA's Security Operations Center (SOC).
Borges claims that DOGE's actions constitute serious mismanagement and abuse of authority by bypassing the SSA's Change Management Board (CMB) and violating federal cloud security guidance (NIST SP 800-144).
"This operation not only breaches the Privacy Act but also exposes the public to a significant cyber-attack surface," Borges wrote in his internal memo.
One SSA executive reportedly acknowledged the risk, stating that the agency might need to re-issue SSNs en masse should the data be compromised.
Andrea Meza, counsel for the whistleblower, urged Congress and the Office of Special Counsel to launch immediate oversight.
She emphasized that mitigation measures such as enforcing zero-trust architecture, rotating access keys, and deploying real-time intrusion detection systems (IDS) must be implemented at once to protect Americans' most sensitive identifiers.