A top Social Security Administration official turned whistleblower says members of the Trump administration’s Department of Government Efficiency (DOGE) uploaded hundreds of millions of Social Security records to a vulnerable cloud server, putting the personal information of most Americans at risk of compromise.
Charles Borges, the Social Security Administration’s chief data officer, said in a newly released whistleblower complaint published Tuesday that other top agency officials signed off on a decision in June to upload “a live copy of the country’s Social Security information in a cloud environment that circumvents oversight,” despite Borges raising concerns.
The database, known as the Numerical Identification System, contains more than 450 million records containing all of the data submitted as part of a Social Security application, including the applicant’s name, place of birth, citizenship, and the Social Security numbers of their family members, as well as other sensitive personal and financial information.
Borges said members of DOGE, the team of former Elon Musk employees appointed to government under the guise of reducing fraud and waste, copied the sensitive database to an agency-run Amazon-hosted cloud server “apparently lacking in independent security controls,” such as who was accessing the data and how they were using it.
The lack of security protections violated internal agency security controls and federal privacy laws, the complaint alleges.
Borges said by allowing DOGE to be administrators of the agency’s cloud, the DOGE operatives would be able to create “publicly accessible services,” meaning that they could allow public access to the cloud system and any of the sensitive data stored inside.
Borges warned in the complaint that if this information were compromised, “it is possible that the sensitive [personally identifiable information] on every American including health diagnoses, income levels and banking information, family relationships, and personal biographic data could be exposed publicly, and shared widely.”
The complaint said any compromise or unauthorized access to the database would have “catastrophic impact” on the U.S. Social Security program, describing a worst-case scenario as potentially having to reissue everyone’s Social Security numbers.
While a federal restraining order in March initially blocked DOGE staffers from accessing the country’s database of Social Security records, the Supreme Court lifted the order on June 6, paving the way for DOGE’s access.
In the days that followed, DOGE allegedly worked to seek internal approvals from the agency’s top brass, per Borges’ complaint.
The agency’s chief information officer Aram Moghaddassi approved the move to copy the database to the agency’s cloud, saying he “determined the business need is higher than the security risk” and that he accepts “all risks” with the project. The complaint also says Michael Russo, a senior DOGE operative who previously served as the agency’s chief information officer prior to Moghaddassi but remains at the agency, also approved moving live Social Security data to the cloud.
Borges said he first raised issues internally at the agency but later blew the whistle to urge members of Congress to “engage in immediate oversight to address these serious concerns,” according to a statement by his attorney, Andrea Meza, at the Government Accountability Project.
This is the latest accusation of poor cybersecurity practices by the administration and its representatives, including DOGE, since President Trump took office earlier in January. Since January, members of DOGE have taken sweeping control of most U.S. federal departments and their datasets of citizens’ data.
When reached by TechCrunch, Elizabeth Huston, a spokesperson for the White House, would not say if the administration was aware of the complaint and deferred comment to the Social Security Administration.
In an emailed response, Social Security Administration spokesperson Nick Perrine said the agency “stores personal data in secure environments that have robust safeguards in place to protect vital information.”
“The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the internet. High-level career SSA officials have administrative access to this system with oversight by SSA’s Information Security team,” the spokesperson added.
The spokesperson said the agency was “not aware of any compromise to this environment.”
Data breaches involving federal government data stored in the cloud are rare but not unheard of. In 2023, TechCrunch reported that the U.S. Department of Defense publicly exposed thousands of sensitive military emails online due to a security lapse. While the email data was stored in Microsoft Azure’s separate cloud dedicated for government customers, a misconfiguration allowed the contents of a military unit’s emails to publicly spill online.
Correction: An earlier version of this story misstated where the DOD’s exposed email was hosted. The story now accurately reflects that the exposed data was hosted on Microsoft’s Azure.
