DOGE accused of copying entire Social Security database to insecure cloud system Ars Technica

Live copy of NUMIDENT lacks any security oversight, whistleblower alleges

A Social Security Administration (SSA) official alleged in a whistleblower disclosure that DOGE officials created a live copy of the country's Social Security information in a cloud environment that circumvents oversight.

Chuck Borges, the SSA's Chief Data Officer (CDO), "has become aware through reports to him of serious data security lapses, evidently orchestrated by DOGE officials currently employed as SSA employees, that risk the security of over 300 million Americans' Social Security data," the Government Accountability Project said in a letter sent today to members of Congress and the US Office of Special Counsel. The nonprofit Government Accountability Project is representing Borges.

Although it has been widely reported that DOGE sought and obtained access to Social Security records in its attempt to find evidence of fraud, the letter to lawmakers said the live copy of SSA's database hasn't previously been disclosed. DOGE's actions were taken under the authority of SSA Chief Information Officer (CIO) Aram Moghaddassi and violate SSA protocols and policies, the letter said.

There could be severe consequences if the database copy is breached, the letter said:

"This vulnerable cloud environment is effectively a live copy of the entire country's Social Security information from the Numerical Identification System (NUMIDENT) database, that apparently lacks any security oversight from SSA or tracking to determine who is accessing or has accessed the copy of this data. NUMIDENT contains all data submitted in an application for a United States Social Security card, including the name of the applicant, place and date of birth, citizenship, race and ethnicity, parents' names and social security numbers, phone number, address, and other personal information. Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for reissuing every American a new Social Security Number at great cost."

In a statement provided to Ars today, the SSA denied storing data in an insecure environment and said it is not aware of any compromise.

"Commissioner Frank Bisignano and the Social Security Administration take all whistleblower complaints seriously," the agency said. "SSA stores all personal data in secure environments that have robust safeguards in place to protect vital information. The data referenced in the complaint is stored in a longstanding environment used by SSA and walled off from the Internet. High-level career SSA officials have administrative access to this system with oversight by SSA's Information Security team. We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data."

The Government Accountability Project letter quoted a July 15 email in which Moghaddassi allegedly authorized the NUMIDENT cloud project. "I have determined the business need is higher than the security risk associated with this implementation and I accept all risks associated with this implementation and operation," Moghaddassi was quoted as saying.

Borges alleges that the authorization was an abuse of authority and gross mismanagement, and that the creation of the cloud environment potentially violated multiple federal laws. "By knowingly placing a High-Value Asset containing data on over 450 million people in an uncontrolled environment, the requestors [apparently Moghaddassi and possibly others] violated statutory duties under FISMA [Federal Information Security Modernization Act]," the letter said.

Moghaddassi previously worked for Elon Musk-led companies Neuralink and X and worked for DOGE at the Department of Labor, the letter said. He became the CIO of the SSA in June.

The Government Accountability Project letter also argues that the SSA may have violated the Computer Fraud and Abuse Act by facilitating unauthorized access to protected computer systems. Further, Moghaddassi's self-authorization of risk acceptance potentially violated 44 USC 3554(b), FISMA's requirements for continuous monitoring and risk management, by formally accepting risks that exceeded federal guidelines for protecting sensitive government information.

Borges, a Navy veteran, has worked for several federal agencies and became the CDO of the SSA in January of this year. As CDO, Borges is responsible for the safety, integrity, and security of the public's data at SSA, and his position requires full visibility into data access, data exchange, and cloud-based environments used for SSA production systems, the letter said.

Borges made internal disclosures to his superiors about his concerns on August 6. "In that discussion, Mr. Borges commented that reissuance of Social Security Numbers to all who possess one was a potential worst case outcome, and one of his superiors noted that possibility, underscoring the risk to the public," the letter said.

Borges outlined his concerns to numerous other officials in the ensuing days, the letter said. Borges has not received information that he requested about the cloud environment's security, leaving him with the reasonable belief that the NUMIDENT data is at risk of exposure and without information necessary to effectuate his responsibilities as CDO, the letter said.

"Furthermore, Mr. Borges is aware that the Office of General Counsel has advised employees not to respond to his inquiries. Such restriction on information to the CDO puts Mr. Borges in an untenable position, inhibiting his ability to effectuate the responsibilities of his role," the letter said. The letter said Borges is ready to meet with lawmakers and oversight entities and urged Congress and the Office of Special Counsel to "investigate Mr. Borges' disclosures and ensure that the security of data of millions of Americans is immediately safeguarded."

Access to Social Security data is one of the various DOGE-related issues that have been litigated in federal courts. In early June, the Supreme Court ruled that "SSA may proceed to afford members of the SSA DOGE Team access to the agency records in question in order for those members to do their work." A dissent written by Justice Ketanji Brown Jackson said the majority decision gave DOGE "unfettered access to this personal, non-anonymized information right now, before the courts have time to assess whether DOGE's access is lawful."














