The Department of Government Efficiency put the personal data of millions of Americans, including Social Security numbers, on a vulnerable server in June, according to a new whistleblower complaint.
The report, filed by the chief data officer for the Social Security Administration (SSA), Charles Borges, alleges that the actions of multiple DOGE staffers “constitute violations of laws, rules, and regulations, abuse of authority, gross mismanagement and creation of a substantial and specific threat to public health and safety.”
Borges' complaint accuses SSA Chief Information Officer Aram Moghaddassi, a longtime ally of Elon Musk, of violating agency policies to “create a live copy of the country’s Social Security information in a cloud environment that circumvents oversight,” in violation of multiple federal statutes.
The file contains identifying information of more than 300 million Americans, according to the complaint, including records of all Social Security Numbers issued by the federal government and sensitive details required to apply for one — making it a gold mine for potential nefarious actors.
“Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for re-issuing every American new Social Security Number at great cost,” Borges wrote in his complaint, which established escalating violations of federal law.
DOGE staffers were given “improper and excessive access” to multiple databases with sensitive information in March, the complaint says. A federal judge blocked them from accessing SSA data that month, but the Supreme Court overturned that ruling in June.
Following the high court’s ruling, DOGE staffers requested to move the SSA's database, known as "Numident," to a private cloud server that only DOGE personnel could access “without any independent security or oversight mechanisms in place in violation of laws and creating enormous vulnerabilities," the complaint said.
Numident (numerical identification system) contains Social Security numbers as well as an individual's name, address, place of birth, their parents’ names and other personal data.
An official agency security assessment at the time, which is cited in the complaint, described copying the database to the server as “high-risk” given that “most security exposures and breaches occur within development environments due to reduced control measures and oversight.” The assessment warned of “catastrophic impact” to Social Security beneficiaries and programs if the database were breached.
“I have determined the business need is higher than the security risk associated with this implementation and I accept all risks,” Moghaddassi wrote in a July 15 memo, the complaint says.
Social Security Administration spokesperson Nick Perrine said the agency takes all whistleblower complaints seriously and maintained that the data referred to in the complaint is "walled off from the internet" and accessible to high-level career officials with proper oversight.
“We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data,” Perrine said in a statement.
The White House referred all inquiries to the Social Security Administration.
As of late June, the SSA had “no verified audit or oversight mechanisms” to monitor DOGE’s access to or use of the sensitive data within the unsecured cloud environment, according to Borges.
“Be sure to thank Donald Trump, JD Vance and their stooges if your ID now gets stolen thanks to their stupidity,” Sen. Ron Wyden, of Oregon, the ranking Democrat on the Senate finance committee, posted on X in response to the report.
Borges has offered to meet with members of Congress to discuss his disclosures.
Andrea Meza, an attorney for Borges with the Government Accountability Project, said her client is publicly raising the alarm “out of a sense of urgency and duty” after his internal concerns went ignored.
“Mr. Borges’ bravery in coming forward to protect the American public’s data is an important step towards mitigating the risks before it is too late,” Meza said in a statement.
CORRECTION (Aug. 26, 2025, 6:01 p.m. ET): A previous version of this article misidentified Borges’ lawyer. It is Andrea Meza, not Andrew Meza.
