Whistleblower Alleges DOGE Transmitted Live Social Security Database to Insecure Cloud Server

A high-ranking official from the Social Security Administration has stepped forward as a whistleblower, claiming that members of the Trump administration’s Department of Government Efficiency (DOGE) have uploaded tens of millions of Social Security records to a vulnerable cloud server, endangering the personal information of millions of Americans.

Charles Borges, the chief data officer of the Social Security Administration, revealed in a whistleblower complaint released on Tuesday that other senior officials at the agency approved a decision in June to upload “a live copy of the nation’s Social Security information into a cloud environment that bypasses oversight,” despite his expressed concerns.

The database known as the Numerical Identification System includes over 450 million records comprising all the information submitted in Social Security applications, such as applicants’ names, places of birth, citizenship statuses, and the Social Security numbers of family members, along with other sensitive personal and financial information.

Borges pointed out that members of DOGE, a group of former employees from Elon Musk’s firms appointed to reduce fraud and waste in government, duplicated the sensitive database onto an Amazon-hosted cloud server managed by the agency, which “lacked independent security controls” such as monitoring who accessed the data and its usage.

The complaint claims that the lack of security measures violated internal agency protocols and federal privacy laws.

Borges warned that by enabling DOGE to administer the agency’s cloud, they might create “publicly accessible services,” potentially allowing public access to the cloud system and any sensitive data it contains.

In his complaint, Borges emphasized that if this information were compromised, “it is conceivable that sensitive personally identifiable information concerning every American—including health diagnoses, income levels, banking details, family relationships, and personal biographies—could be made public and widely shared.”

The complaint indicated that any breach or unauthorized access to the database could have a “catastrophic impact” on the U.S. Social Security program, with a worst-case scenario necessitating the reissuance of Social Security numbers for all citizens.

While a federal restraining order initially prohibited DOGE staff from accessing the Social Security records database in March, the Supreme Court lifted this order on June 6, restoring DOGE’s access.

Following the ruling, DOGE reportedly sought internal approvals from senior officials at the agency, according to Borges’ complaint.

The agency’s chief information officer, Aram Moghaddassi, approved the transfer of the database to the cloud, stating that he “determined the business need outweighs the security risk” and that he accepts “all risks” associated with the project. The complaint also notes that Michael Russo, a senior DOGE official and former chief information officer of the agency, consented to the relocation of live Social Security data to the cloud.

Borges mentioned that he initially raised these issues internally but opted to go public to encourage Congress to “engage in immediate oversight regarding these serious concerns,” as stated by his attorney, Andrea Meza, from the Government Accountability Project.

This allegation is the latest in a series of claims concerning weak cybersecurity practices by the administration and its representatives, including DOGE, since President Trump took office in January. Since then, members of DOGE have exerted significant control over numerous U.S. federal departments and their datasets containing citizen information.

When contacted by TechCrunch, Elizabeth Huston, a spokesperson for the White House, declined to comment on whether the administration was aware of the complaint and directed inquiries to the Social Security Administration.

In an email response, Social Security Administration spokesperson Nick Perrine stated that the agency “stores personal data in secure environments that have robust safeguards in place to protect vital information.”

“The data referenced in the complaint is stored in a well-established environment utilized by SSA and is isolated from the internet. Senior career SSA officials have administrative access to this system, overseen by SSA’s Information Security team,” the spokesperson elaborated.

The spokesperson also noted that the agency “is not aware of any compromise to this environment.”

While data breaches involving federal government data stored in the cloud are uncommon, they can happen. For instance, in 2023, TechCrunch reported that the U.S. Department of Defense accidentally exposed thousands of sensitive military emails online due to a security oversight. Despite the email data being housed in Amazon’s dedicated government cloud, a misconfiguration resulted in the contents of a military unit’s emails being publicly accessible online.