DOGE whistleblower: entire Social Security database uploaded to open cloud, security experts speak out

Published: 27 August 2025
Last updated: 27 August 2025
doge-defaced
Image by Cybernews.

A DOGE whistleblower reveals that staffers at the Trump-created agency uploaded an entire Social Security database to an insecure cloud server – compromising the records of hundreds of millions of Americans. Here’s what cybersecurity experts had to say to Cybernews.

Key takeaways:
  • A whistleblower says DOGE officials uploaded a live copy of the US Social Security database to the cloud, risking the records of hundreds of millions.
  • The compromise could potentially lead to mass identity theft and even force reissuing new Social Security numbers to every American.
  • Cybersecurity experts say the disclosure raises alarms over national security and DOGE’s repeated failures to properly handle sensitive government data.

The damning report, published by the New York Times on Tuesday, says a live “copy of a crucial Social Security database” was uploaded to the vulnerable cloud server in June.

ADVERTISEMENT

Apparently, it wasn't just low-level workers at the Department of Government Efficiency responsible for mishandling the database, but DOGE leaders who chose to go ahead with the project despite being warned about the risks.

Exposing the security incident is none other than the Social Security Administration’s(SSA) Chief Data Officer (CDO) Charles Borges.

According to the Times piece, Borges' complaint states that “DOGE members copied the data to an internal agency server that only DOGE could access, forgoing the type of ‘independent security monitoring’ normally required under agency policy for such sensitive data and creating ‘enormous vulnerabilities.’”

“Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital health care and food benefits, and the government may be responsible for reissuing every American a new Social Security number at great cost,” the disclosure said, which was filed Tuesday with the Office of Special Counsel and congressional committees.

Social Security office
Image by Veroniksha | Shutterstock

“It goes without saying that this is an enormously dangerous oversight, and one that could impact Americans for generations,” said Pete Luban, Field CISO at AttackIQ.

Luban believes it is imperative, especially now the information is public, that “DOGE and the SSA implement security measures to proactively defend against potential threats and stop attackers’ movements if the system is breached.”

“There’s a strong likelihood that some of the most prolific threat actor groups of today begin to target the database, and the government must be prepared to protect Americans’ data, ” Luban said.

ADVERTISEMENT

"Cloud is not secure"

The SSA responded to the whistleblower complaints, stating that the “SSA stores all personal data in secure environments,” and includes “robust safeguards" as well as a longstanding environment used by the SSA that is “walled off from the internet.”

The spokesperson also noted that there is no indication that any SSA records have been compromised.

Still, Gabrielle Hempel, Security Operations Strategist at Exabeam, reminds Cybernews readers that the cloud is not secure by default.

“The Shared Responsibility Model for AWS (and equivalent for other cloud providers) has been around for quite a while at this point,” he explains.

AWS cloud terminals
Image by Cybernews

“Organizations continue to treat AWS or GCP as inherently secure, when in reality, a cloud platform is secure only if it is engineered that way. Without cloud architecting, monitoring, access control, and audit, it’s potentially more at risk than a legacy on-premises environment,” Hempel said.

The SecOps strategist also noted that allowing DOGE to both administer and oversee the environment is a "textbook failure in segregation of duties."

“If that control gap leads to exposure of the Numerical Identification System, this is potentially a national identity compromise with generational impact," Hempel said.

Vulnerable to bulk exfiltration

ADVERTISEMENT

Known as Numident – an abbreviation for "Numerical Identification System" – the SSA’s computer database file contains an abstract (summary) of the information found on a social security card holder’s original application form, Form SS-5.

The Numident database connects the abstracts to every social security number in existence since the system was established in 1936, and contains information such as the person’s name, date of birth, place of birth, sex, race, mother's maiden name, and father's first and last name.

The SSA has issued more than 548 million numbers, according to the agency’s website, the Times cited.

SSA Archival database
US government archives showing Social Security Form SS-5. (aad.archives.gov)

Mayank Kumar, Founding AI Engineer at Deep Tempo says that NUMIDENT is now “a high-value single point of compromise.”

The AI deep learning expert says the SSA database is not only "vulnerable to bulk exfiltration, but also susceptible to stealth campaigns that can degrade confidence in the integrity of the dataset, which could be more damaging than outright theft."

Curious what others think about this story? Contribute your thoughts to the debate below.

Kumar points out that a “live copy” of the database additionally means "transactional data is continuously updated, increasing the attack surface compared to a static archival dataset.”

“Borges' warning of the need to reissue Social Security numbers to all Americans is highly realistic," Kumar states.

ADVERTISEMENT
Social Security card example
Generic Social Security card. Image by Pauras | Shutterstock

“Unlike cryptographic material, SSNs can’t be revoked and reissued without massive downstream disruption,” Kumar explains, adding that the process would likely span years, during which adversaries would continue exploiting the original dataset.

“The whistleblower is not exaggerating the severity; the systemic dependencies on SSNs make a reissue scenario catastrophic yet plausible," Kumar said.

Not the first DOGE whistleblower to come forward

While this latest incident will likely go down in history as the ultimate DOGE security faux pas, back in April, NPR was the first news outlet to report on DOGE whistleblower claims.

That whistleblower, a civil servant at the National Labor Relations Board (NLRB), told of a similar incident leading to a massive data breach at the agency – also potentially compromising the data of hundreds of millions of Americans.

The federal IT employee, Dan Berulis, said he witnessed DOGE workers harvesting “nearly the entirety” of the labor board’s “critical information systems.”

Gintaras Radauskas vilius Ernestas Naprys jurgita
Get our latest stories today on Google News
Google News Follow us

Minutes later, Russian threat actors were found successfully logging into the NLRB system using the DOGE workers' newly created credentials.

The agency’s systems included confidential data such as "lists of union activists, ongoing labor cases, sensitive corporate information, and personally identifiable information,” according to the Washington, DC-based advocate group Whistleblower Aids.

ADVERTISEMENT

Borges is represented by the Government Accountability Project, an international whistleblower protection and advocacy organization, also based in the US capital.

Share
Post
Share
Share
Share
More from Cybernews
World’s leading mathematicians ridicule AI hype in high-IQ declaration
Democrats are far more worried than Republicans that AI will take jobs, new poll finds
Companies using Fable 5 beware: it’s collecting your data, and there are no exceptions
Europe’s tech revolution feels like Soviet déjà vu
New York demands advertisers use “synthetic performer” label or else
The surprising way Elon Musk is powering your next holiday flight
ADVERTISEMENT
Leave a Reply

Your email address will not be published. Required fields are markedmarked