DOGE SSA Data Security Breach: A Case Study in Government Contractor Access and Insider Threats
Executive Summary
A whistleblower complaint filed by Charles Borges, Chief Data Officer at the Social Security Administration (SSA), alleges that Department of Government Efficiency (DOGE) personnel created unauthorized copies of the NUMIDENT database—containing personal information for over 300 million Americans—in cloud environments lacking independent security controls and oversight mechanisms. This case illuminates broader systemic issues in how consulting firms and government contractors access sensitive federal data, particularly regarding foreign nationals, offshore development practices, and insider threat vulnerabilities.
The DOGE Whistleblower Allegations: Key Facts
Background on the Whistleblower
Charles Borges has served as the Chief Data Officer at SSA since January 27, 2025, leading the Office of Analytics, Review, and Oversight. He is responsible for the safety, integrity, and security of public data at SSA, with full visibility requirements into data access, data exchange, and cloud-based environments. Borges is a 22-year Navy veteran who previously worked at the General Services Administration, Office of Management and Budget, and Centers for Disease Control during COVID-19.
The Core Allegations
The whistleblower report details three primary categories of violations:
1. Court Order Circumvention (March 2025)
Following a temporary restraining order issued March 20, 2025 that prohibited DOGE access to SSA data, the report alleges that within 24 hours, "senior career officials at SSA received instructions to undo the court-ordered access restrictions for two DOGE employees." The requested access reportedly included new and expanded privileges beyond what existed before the court order.
2. Unauthorized Database Access
Beginning around March 14, 2025, DOGE officials allegedly received improper access to multiple Enterprise Data Warehouse (EDW) schemas and databases, bypassing the standard Systems Access Management approval process. The access reportedly included both equipment pin access (avoiding user-specific audit trails) and write privileges to sensitive databases.
3. Unsecured NUMIDENT Cloud Environment
The most serious allegation involves DOGE personnel creating "a live copy of the country's Social Security information in a cloud environment" that "apparently lacks any security oversight from SSA or tracking to determine who is accessing or has accessed the copy of this data."
The NUMIDENT database contains:
- Names of all Social Security card applicants
- Places and dates of birth
- Citizenship status
- Race and ethnicity information
- Parents' names and Social Security numbers
- Phone numbers and addresses
- Other personal identifying information
Security expert Susan Landau of Tufts University called the alleged move "a cowboy act," warning that if bad actors gained access, they could create holistic profiles for impersonation and fraud schemes.
Timeline of Events
June 10, 2025: John Solley asks SSA CIO professionals to create a cloud environment for NUMIDENT data transfer
June 11, 2025: Request changes to transferring NUMIDENT to a test environment, then to full administrative access
June 12, 2025: Career OCIO official shares formal "Risk Acceptance Request Form" identifying the request as "very high risk"
June 23, 2025: DOGE receives administrative access to cloud environment
June 25, 2025: Michael Russo, when asked to authorize NUMIDENT data transfer despite known risks, responds simply "Approved...."
July 15, 2025: Aram Moghaddassi self-authorizes "Provisional Authorization to Operate" for the cloud environment
The Broader Consulting Landscape: Legitimate vs. Problematic Access
Established Government Consulting Practices
Major consulting firms routinely access sensitive government data under established security frameworks. Deloitte and Palantir recently announced a strategic alliance to develop Enterprise Operating System solutions for government and commercial clients, with Deloitte building "the largest cohort of certified forward deployed engineers (FDE) outside Palantir."
Palantir's platform was designed for security-conscious customers handling financial data, Personally Identifiable Information (PII), Protected Health Information (PHI), Controlled Unclassified Information (CUI), and classified government data, with mandatory encryption, strong authentication, and robust audit logging.
Security Clearance Requirements
Legitimate government contracting positions requiring access to sensitive data typically mandate U.S. citizenship and security clearance eligibility. Job postings for Deloitte's Palantir practice specify requirements for Secret-level government security clearance and emphasize that candidates "must be legally authorized to work in the United States without the need for employer sponsorship."
Security clearances generally require U.S. citizenship, with rare exceptions for foreign diplomats working with the U.S. government. While H1B visa holders may qualify for lower-level Public Trust clearances in specific circumstances, most classified access requires citizenship.
Foreign Influence and Insider Threat Vulnerabilities
Security Clearance Guidelines for Foreign Influence
Under Guideline B of SEAD 4 (Security Executive Agent Directive 4), foreign influence concerns focus on whether foreign connections could make clearance holders vulnerable to coercion, exploitation, or pressure that might compromise classified information.
Security concerns include:
- Contact with foreign family members, associates, or employees of foreign intelligence entities
- Substantial business, financial, or property interests in foreign countries
- Shared living quarters with foreign nationals creating heightened risk
- Unauthorized association with suspected foreign intelligence operatives
DevSecOps and Offshore Development Risks
The H1B visa program significantly impacts software development, with 75 percent of H1B visas issued for computer-related jobs according to U.S. Citizenship and Immigration Services data. This creates potential vulnerabilities in DevSecOps environments where:
- Offshore developers may have access to source code repositories
- Private keys and certificates could be accessed by foreign nationals
- Development environments often have reduced security controls
- Code review processes may involve international teams
Documented Insider Threat Cases
Recent insider threat cases highlight ongoing vulnerabilities, including two U.S. Navy sailors charged with providing sensitive military information to China, and IRS contractors maintaining access to sensitive systems despite failing background investigations.
The Commerce Department warns about North Korean IT workers who "obfuscate their nationality and identities" while earning "hundreds of millions of dollars a year by engaging in a wide range of IT development work, including freelance work platforms and cryptocurrency development."
Risk Assessment Framework
Legitimate Consulting Access Controls
Established consulting firms implement multiple security layers:
- Classification-based Access Controls (CBAC) requiring specific security clearance markings for sensitive information access
- Data governance requirements typically defined by Data Protection Offices, Information Security, Compliance, or Legal functions, including Privacy Impact Assessments and System of Records Notices
Vulnerabilities in Rapid Deployment Models
The DOGE case illustrates risks when normal security protocols are bypassed:
Personnel Vetting: Edward Coristine, nicknamed "Big Balls," was a 19-year-old programmer who became a federal employee at GS-15 level despite having "a lengthy history of facilitating, soliciting, or possibly participating in cybercrime" and being "previously fired from cybersecurity firm Path Networks for allegedly leaking secrets to a competitor."
Technical Controls: Standard security measures including Authority to Operate (ATO) certifications, independent audit mechanisms, and Division of Infrastructure Services (DIS) oversight were allegedly bypassed.
Oversight Mechanisms: Borges reported "no verified audit or oversight mechanisms" existed for monitoring DOGE's data usage.
Implications for Government Data Security
Contractor Access Standardization
The contrast between established firms like Palantir/Deloitte and the DOGE approach highlights the importance of:
- Comprehensive security clearance vetting processes
- Mandatory use of established cloud security frameworks
- Independent oversight of contractor data access
- Audit trails for all data interactions
- Clear authorities and approval processes
Foreign National Employment Considerations
Foreign-owned companies seeking U.S. government contracts must establish compliant subsidiaries with American-controlled boards and implement measures to mitigate Foreign Ownership, Control, or Influence (FOCI) concerns.
Recent executive orders have directed agencies to assess whether contractors performed services in foreign countries and evaluate negative impacts of temporary foreign labor hiring practices on federal procurement efficiency and national security.
DevSecOps Best Practices
Organizations should implement:
- Citizenship verification for personnel accessing sensitive repositories
- Segregation of development and production environments
- Multi-person authorization for production data access
- Comprehensive logging of all system interactions
- Regular security assessments of offshore development practices
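As an added example (not taken from the whistleblower report or any agency system), the sketch below shows how three of these controls can be checked mechanically over access-grant records: multi-person authorization, attributable identities for logging, and segregation of production data from non-production environments. The record fields, the two-approver threshold and the sample grants are assumptions constructed for illustration.

```python
from dataclasses import dataclass

# Hypothetical access-grant record. Field names and values are assumptions
# made for this example, not the schema of any agency system.
@dataclass(frozen=True)
class Grant:
    grant_id: str
    principal: str        # identity receiving access
    principal_type: str   # "user", or "shared" for a device/equipment credential
    environment: str      # "dev", "test" or "prod"
    data_class: str       # "synthetic" or "production"
    requester: str
    approvers: tuple      # identities that signed the approval

MIN_APPROVERS = 2  # multi-person authorization threshold (assumed policy value)

def review_grant(g: Grant) -> list:
    """Return policy findings for one grant, in a fixed order."""
    findings = []
    signed = set(g.approvers)
    # A signature from the requester or the beneficiary is not independent.
    independent = signed - {g.requester, g.principal}
    if independent != signed:
        findings.append("self_authorization")
    if g.data_class == "production" and len(independent) < MIN_APPROVERS:
        findings.append("insufficient_independent_approvers")
    # Shared credentials leave no user-specific audit trail.
    if g.principal_type != "user":
        findings.append("non_attributable_identity")
    # Live data belongs only in the production environment.
    if g.data_class == "production" and g.environment != "prod":
        findings.append("prod_data_outside_prod")
    return findings

def audit(grants) -> dict:
    """Map grant_id -> findings, omitting grants that pass every check."""
    results = {g.grant_id: review_grant(g) for g in grants}
    return {gid: f for gid, f in results.items() if f}

# Constructed sample records, not real data.
SAMPLE_GRANTS = [
    Grant("G-1", "analyst1", "user", "prod", "production", "analyst1", ("mgr1", "sec1")),
    Grant("G-2", "ops1", "user", "prod", "production", "ops1", ("ops1",)),
    Grant("G-3", "equip-pin-07", "shared", "test", "production", "dev2", ("mgr1", "sec1")),
]

if __name__ == "__main__":
    for gid, found in audit(SAMPLE_GRANTS).items():
        print(gid, ", ".join(found))
```

Running the same review when a grant is requested, not only afterwards, turns these findings into a gate, so a self-signed or shared-credential grant is rejected before access exists.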
Conclusion
The DOGE whistleblower case represents what Borges characterizes as "escalating federal law violations at the Social Security Administration involving the unauthorized handling of sensitive data affecting over 300 million Americans." While major consulting firms like Palantir and Deloitte operate within established security frameworks requiring citizenship and clearance verification, the allegations suggest DOGE personnel bypassed fundamental security controls.
This case study underscores the critical importance of maintaining consistent security standards across all government contractors, regardless of their political mandate or urgency claims. The potential consequences—including the possible need to reissue Social Security numbers for all Americans—demonstrate why established security protocols exist and must be followed.
As government agencies increasingly rely on consulting firms and offshore development practices, the balance between operational efficiency and security must prioritize protection of citizen data through comprehensive vetting, technical controls, and independent oversight mechanisms.