Senate Finance Committee Chairman Mike Crapo, R-Idaho, is asking the Social Security Administration for information following allegations that Department of Government Efficiency employees uploaded a live copy of confidential SSA information into a vulnerable cloud server.
In a letter addressed to SSA Commissioner Frank Bisignano, Crapo wrote that “given the large amount of sensitive data under SSA’s control, I consider the protection and security of [personally identifiable information] held by the agency to be a matter of first importance.”
The information at the center of the whistleblower’s complaint is a copy of the SSA database containing personal information for each person issued a Social Security number, including names, birthdays, race and ethnicity and more.
The whistleblower, SSA’s former chief data officer Chuck Borges, detailed in his complaint that the cloud environment housing the data lacked security controls like independent tracking of who has access to the data. Its creation “potentially violated multiple federal statutes,” he alleged.
Now, Crapo wants an immediate answer from SSA on if the data has been leaked or hacked, given the “seriousness” of the allegations.
An agency spokesperson told Nextgov/FCW in a statement that, “we are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data.”
Borges resigned from his post in late August, just days after submitting his disclosure, saying that the agency’s actions “make my duties impossible to perform legally and ethically” and “have caused me serious attendant mental, physical, and emotional distress.”
The senator wants additional information within two weeks on what SSA did upon receiving concerns from Borges, and how the agency assessed the risk that came with making a copy of the database — and if this was different from normal risk assessment processes.
According to Borges’ complaint, the reason for creating the database copy was to improve how SSA exchanges data. President Donald Trump issued an executive order focused on improving cross-agency data sharing for the sake of fraud prevention in March.
The SSA spokesperson said that “SSA stores all personal data in secure environments that have robust safeguards in place to protect vital information.”
“The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the internet. High-level career SSA officials have administrative access to this system with oversight by SSA’s Information Security team,” they continued, noting that Bisignano and the agency “take all whistleblower complaints seriously.”
How DOGE is accessing and using government data within and beyond SSA has been a concern for Democrats and privacy experts for months. Courts temporarily blocked DOGE’s access to sensitive SSA data in the spring, although the Supreme Court overruled that decision in June.
Crapo’s missive follows a request from Democrats on the Finance Committee last week for the him to call an oversight hearing focused on SSA, which has been scrutinized for customer service issues and been the subject of misleading fraud claims by DOGE and administration officials. SSA databases have also been used for the administration’s immigration agenda.
