Entire Social Security database allegedly exposed

A senior data officer has accused DOGE officials of uploading the entire U.S. Social Security database to an unprotected cloud server, triggering national security concerns.

 

What happened

A whistleblower has accused the Department of Government Efficiency (DOGE) of uploading a live version of the Social Security Administration’s (SSA) core database to an unsecured cloud environment, exposing the personal records of hundreds of millions of Americans. The report, published by The New York Times, names SSA’s Chief Data Officer, Charles Borges, as the source of the complaint.

The database, known as Numident (Numerical Identification System), links to every Social Security number issued since 1936 and contains sensitive information such as full names, dates of birth, places of birth, parental names, race, and sex. The alleged upload occurred in June and bypassed standard independent security monitoring.

 

Going deeper

According to the whistleblower disclosure filed with the U.S. Office of Special Counsel and congressional committees, the decision to transfer the data was approved internally by DOGE leadership, despite warnings. The data was stored in an internal DOGE-controlled server within the cloud, lacking the required external oversight.

Experts are warning that the exposed database could be a target for bulk data theft or stealth manipulation campaigns. The disclosure suggests the breach could result in massive identity theft and loss of benefits, and could possibly require the reissuance of Social Security numbers nationwide.

Cybersecurity expert Pete Luban of AttackIQ said the government must now be prepared to defend the system against threat actors who may already be scanning for access. Gabrielle Hempel of Exabeam added that cloud systems are not secure by default, and failure to separate roles between oversight and administration is a major flaw.

 

What was said

In response to the allegations, an SSA spokesperson stated that personal data remains stored in “secure environments” with “robust safeguards,” and there is no current evidence that SSA records have been compromised. However, experts noted that the issue lies in how DOGE managed a copy of the database, not SSA’s own infrastructure.

Mayank Kumar, an AI engineer at Deep Tempo, outlined the significance of exposing a live version of Numident: because the data is constantly updated, the risk of ongoing exploitation increases. He warned that revoking and reissuing SSNs, while technically possible, would lead to long-term societal and administrative disruption.

 

FAQs

What is Numident, and why is it important?

Numident is the SSA’s master file of all Social Security number holders. It includes SSNs and extensive personal details like birth records and parental information, making it a core identity dataset in the U.S.

 

What is the Shared Responsibility Model in cloud security?

It's a security framework used by cloud providers like AWS, where the provider secures the infrastructure, but customers are responsible for securing their own data, access controls, and configurations.

 

Why is storing a “live copy” of data riskier than a static archive?

A live dataset is continuously updated and accessed, expanding the attack surface and increasing the likelihood of unnoticed tampering or data theft over time.

 

Could SSNs really be reissued to everyone?

Technically, yes, but doing so would disrupt financial systems, identity verification, healthcare, and government services. It’s a last-resort scenario with massive downstream effects.

 

What is segregation of duties, and why does it matter in cybersecurity?

Segregation of duties means separating control and oversight roles to prevent conflicts of interest or unchecked power. In cybersecurity, this reduces the risk of insider threats or unmonitored changes to sensitive systems.