Whistleblower: DOGE copied data on all people in the USA to the cloud
According to a whistleblower complaint, DOGE employees copied a highly sensitive database into the cloud at the US Social Security Fund. The risk is enormous.
Employees of the US government organization DOGE, formerly headed by Elon Musk, placed an extremely sensitive database containing social security data on virtually everyone in the United States on an unprotected cloud server in June. This is the claim made by the person responsible for data processing at the Social Security Administration (SSA) in a whistleblower complaint published by the New York Times. Although there is no evidence of unauthorized access, such access would have catastrophic consequences and would possibly force the US government to reassign all social security numbers. The data would also be ideal for mass identity theft.
Hundreds of millions of records
As the CDO of the SSA explains in the complaint to the US Congress, it concerns a database called NUMIDENT, in which all data on applications for a US social security number is compiled. It therefore contains not only the number itself, but also the name, place and date of birth, citizenship, ethnicity, parents' names and social security numbers, telephone number, address and other personal details. Because it covers everyone who has ever received a Social Security number, it is likely to contain nearly 550 million records in total.
According to the complaint, a DOGE employee made the request to transfer the database to a cloud environment in early June. At the behest of US President Donald Trump, the Department of Government Efficiency is tasked with scrutinizing and cutting US government spending and was initially headed by Elon Musk. The request was subsequently amended several times, and a decision was later issued stating that the project was associated with a "high risk". According to the description of the process, it was nevertheless approved after some back and forth, probably without a final review.
It is not entirely clear why the live copy of the database on the cloud server was needed. According to the complaint, those responsible explained that they wanted to improve the exchange of data between authorities. Once the copy was set up, there was no independent oversight and the usual security procedures were bypassed. In addition, the developers responsible were able to access the database without the necessary approval processes. According to the complaint, the head of IT at DOGE released the copy with the words: "I have decided that the business need is greater than the security risk associated with the installation and I accept all the risks associated with it and its operation."
(mho)