A top Social Security Administration official turned whistleblower says members of the Trump administration’s Department of Government Efficiency (DOGE) uploaded hundreds of millions of Social Security records to a vulnerable cloud server. This action put the personal information of most Americans at risk of compromise.
Charles Borges, the Social Security Administration’s chief data officer, said in a newly released whistleblower complaint that other top agency officials signed off on a decision in June to upload a live copy of the country’s Social Security information to a cloud environment that circumvents oversight. Borges had raised concerns about this decision prior to its approval.
The database, known as the Numerical Identification System, contains more than 450 million records. It includes all data submitted as part of a Social Security application, such as an applicant’s name, place of birth, citizenship, and the Social Security numbers of their family members, along with other sensitive personal and financial information.
Borges said members of DOGE, a team of former Elon Musk employees appointed to government to reduce fraud and waste, copied the sensitive database to an agency-run Amazon-hosted cloud server. He described this server as apparently lacking independent security controls to monitor who was accessing the data and how they were using it.
The lack of these security protections violated internal agency security controls and federal privacy laws, according to the complaint. Borges stated that by allowing DOGE to be administrators of the agency’s cloud, the operatives would be able to create publicly accessible services. This could allow public access to the cloud system and any of the sensitive data stored inside.
Borges warned in the complaint that if this information were compromised, the sensitive personally identifiable information on every American could be exposed publicly and shared widely. This includes health diagnoses, income levels, banking information, family relationships, and personal biographic data.
The complaint said any compromise or unauthorized access to the database would have a catastrophic impact on the U.S. Social Security program. A worst-case scenario could potentially require the government to reissue everyone’s Social Security numbers.
A federal restraining order in March initially blocked DOGE staffers from accessing the country’s database of Social Security records. However, the Supreme Court lifted the order on June 6, paving the way for DOGE’s access. In the days that followed, DOGE allegedly worked to seek internal approvals from the agency’s top brass, per Borges’ complaint.
The agency’s chief information officer, Aram Moghaddassi, approved the move to copy the database to the agency’s cloud. He stated he determined the business need was higher than the security risk and that he accepted all risks with the project.
The complaint also says Michael Russo, a senior DOGE operative who previously served as the agency’s chief information officer prior to Moghaddassi but remains at the agency, also approved moving live Social Security data to the cloud.
Borges said he first raised issues internally at the agency but later blew the whistle to urge members of Congress to engage in immediate oversight to address these serious concerns, according to a statement by his attorney.
This is the latest accusation of poor cybersecurity practices by the administration and its representatives, including DOGE, since President Trump took office earlier in January. Since January, members of DOGE have taken sweeping control of most U.S. federal departments and their datasets of citizens’ data.
When reached for comment, Elizabeth Huston, a spokesperson for the White House, would not say if the administration was aware of the complaint and deferred comment to the Social Security Administration.
In an emailed response, Social Security Administration spokesperson Nick Perrine said the agency stores personal data in secure environments that have robust safeguards in place to protect vital information. He added that the data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the internet, with high-level career SSA officials having administrative access and oversight by the Information Security team. The spokesperson said the agency was not aware of any compromise to this environment.
Data breaches involving federal government data stored in the cloud are rare but not unheard of. In 2023, it was reported that the U.S. Department of Defense publicly exposed thousands of sensitive military emails online due to a security lapse. While the email data was stored in Amazon’s separate cloud dedicated for government customers, a misconfiguration allowed the contents of a military unit’s emails to publicly spill online.