DOGE uploaded live copy of Social Security database to ‘vulnerable’ cloud server, says whistleblower

A top Social Security Administration official turned whistleblower says members of the Trump administration’s Department of Government Efficiency (DOGE) uploaded hundreds of millions of Social Security records to a vulnerable cloud server, putting the personal information of most Americans at risk of compromise.

Charles Borges, the Social Security Administration’s chief data officer, said in a newly released whistleblower complaint published Tuesday that other top agency officials signed off on a decision in June to upload “a live copy of the country’s Social Security information in a cloud environment that circumvents oversight,” despite Borges raising concerns.

The database, known as the Numerical Identification System, contains more than 450 million records containing all of the data submitted as part of a Social Security application, including the applicant’s name, place of birth, citizenship, and the Social Security numbers of their family members, as well as other sensitive personal and financial information.

Borges said members of DOGE, the team of former Elon Musk employees appointed to government under the guise of reducing fraud and waste, copied the sensitive database to an agency-run Amazon-hosted cloud server “apparently lacking in independent security controls,” such as who was accessing the data and how they were using it.

Full article:

Note that this isn’t some random home server but an AWS instance. The same insecure setup on an Azure server led to a 2023 data breach involving the DoD and sensitive military emails.

However, the main issue is actually WHO runs the cloud server in question. The agency still operates and runs it, but the administrators entirely consist of DOGE. It’s not like our social security numbers are out there ready to be pwned though. Seems like the whistleblower is concerned over the fact DOGE administrates it rather than the Social Security Agency.

This is one example of where CS students should have been taught more IT-related topics in college. Just because a teenager can solve hard leetcode questions and make an impressive ML app does not mean he is suddenly a cybersecurity expert. But I’m not THAT concerned about it if these servers are still maintained by dedicated employees. Only a little.

I mean, it is highly consequential, no..? An executive order by the current President of the United States facilitated DOGE’s birth, which was responsible for many violations of privacy.

1 Like

Seems like the whistleblower is concerned over the fact DOGE administrates it rather than the Social Security Agency.

That’s a valid and reasonable concern, but I think it’s more serious than that:

Borges said members of DOGE […] copied the sensitive database to an agency-run Amazon-hosted cloud server “apparently lacking in independent security controls,” such as who was accessing the data and how they were using it.

The lack of security protections violated internal agency security controls and federal privacy laws, the complaint alleges.

1 Like

Feigning incompetence is this administration’s go-to move when it comes to siphoning resources from the government to themselves. When it leaks it’ll just be an unfortunate accident that happens to get the data exactly into the hands of whoever they want.

1 Like