An employee of the Social Security Administration (SSA) filed allegations that Department of Government Efficiency (DOGE) employees uploaded the Social Security information of millions of Americans to an unsecured cloud server. The complaint was filed by Charles Borges, the SSA’s Chief Data Officer (CDO).
Borges submitted the protected whistleblower disclosure to the Office of Special Counsel. According to his attorneys, employees in the DOGE are alleged to have copied Social Security information into a vulnerable cloud environment without authorization from Borges. The data is said to contain information on over 300 million Americans, including names, family information, birthplace and birthday, race, citizenship, phone numbers, and other personal details.
The whistleblower complaint states that with access to SSA data, “it is possible that the sensitive PII [personally identifiable information] on every American, including health diagnoses, income levels, and banking information, family relationships, and personal biographic data, could be exposed publicly, and shared widely.”
Since its establishment in January 2025, DOGE repeatedly attempted to access Social Security information. These attempts led to a lawsuit in late February, after which DOGE was subject to a Temporary Restraining Order (TRO) and a Preliminary Injunction (PI) preventing it from accessing PII copied from SSA records and from accessing information without proper clearance and approval. A PI was eventually granted with the same terms as the TRO and was effective June 6th, when it was stayed by the Supreme Court.
Despite attempts at formal regulation, Borges alleges that DOGE was never in compliance with the TRO. DOGE officials allegedly restored access “within 24 hours of the court-ordered revocation” on March 20th. In fact, he claims, the restored access was expanded beyond what existed before the TRO. On March 24th, days later, the Office of Information Security (OIS) once more revoked DOGE employees’ access. The disclosure does not say whether or not DOGE complied.
After the Supreme Court stayed the PI in June, Borges alleges DOGE gave itself authorization—with neither oversight nor permission from SSA officials—to access and copy the entirety of SSA’s data on the American public.
According to Borges, DOGE was seeking to copy the SSA’s Numerical Identification System (NUMIDENT), which, according to the disclosure, contains “all information submitted in an application for a United States Social Security card.” The data includes personal information on every single US citizen. The OIS denied DOGE access to copy the NUMIDENT data into a vulnerable, live cloud environment, so DOGE officials decided to circumvent OIS approval entirely. Instead, they approached Michael Russo, a DOGE-affiliated SSA official, to request access. Russo replied, “Approved.”
Borges, the CDO, says he was neither consulted about the move nor given access to the new server. In the disclosure, he claims that there were “no verified audit or oversight mechanisms” for the new cloud environment, nor any form of “independent security controls, including independent tracking of who is accessing the data and how they are using it.”
According to Borges, internal policy required that such a high-risk transfer be approved by the Chief Information Officer, Aram Moghaddassi. Moghaddassi, a DOGE-affiliated recent hire, authorized the NUMIDENT copy, saying, “I have determined the business need is higher than the security risk…” Once again, Borges was not informed.
Borges’ complaint explains that the extreme risk of copying massive amounts of personal data cannot be understated. Bad actors could take advantage of these new vulnerabilities to commit cyber-crimes, engage in identity theft, and run highly targeted surveillance and misinformation campaigns.
Borges maintains that there was little reason to copy the NUMIDENT data into a server only accessible by DOGE employees—or so it seems. In April of this year, an anonymous whistleblower informed the Committee on Oversight and Government Reform Democratic staff that DOGE was allegedly seeking SSA data to disrupt Social Security payments, overhaul the SSA IT systems, and create a cross-agency “Master Database” of personal information. The “Master Database” would include data from the Internal Revenue Service (IRS), Department of Health and Human Services (HHS), and other agencies. Not only would sensitive SSA data be vulnerable, but tax and health records would be, too. Such a database would flagrantly disregard privacy and security protocols and potentially violate the law.
“Without whistleblowers like Borges, the American public might have continued unaware of these new vulnerabilities. The systems we trust to govern and protect us have begun to use our personal, private data as leverage. American citizens should be rightfully enraged at this misuse of data,” said the National Whistleblower Center, a leading whistleblower advocacy group based in Washington, DC.
In a statement, Andrea Meza, Director of Campaigns for the Government Accountability Project, said, “Mr. Borges’ bravery in coming forward to protect the American public’s data is an important step towards mitigating the risks before it is too late.”