Senate staff probes DOGE, finds locked doors and windows covered with trash bags
Pay no attention to the DOGE behind the curtain
Democratic report describes Social Security risk and secretive DOGE offices.
A protest against President Donald Trump and Elon Musk in New York on February 19, 2025.
Credit:
Getty Images | Pacific Press
Multiple whistleblowers alleged that DOGE uploaded a highly sensitive Social Security Administration (SSA) database to an unmonitored cloud environment, according to a report by Senate Democratic staff. The staff report describes an investigation into DOGE activities at three agencies, including a site visit at the General Services Administration (GSA) in which DOGE officials appeared to be hiding certain areas from view.
As we reported last month, then-SSA Chief Data Officer Chuck Borges alleged that DOGE officials created “a live copy of the country’s Social Security information in a cloud environment that circumvents oversight.” At least one other whistleblower has apparently made the same allegation.
Whistleblowers, including Borges, alleged “that Edward Coristine, the 19-year-old DOGE staffer who was previously fired from a job for leaking company data to a competitor, and other DOGE personnel had been granted permission to move highly sensitive SSA data into an unmonitored cloud environment,” the Senate Democratic report said. “The whistleblowers said that DOGE has uploaded a live copy of NUMIDENT, which contains highly sensitive personal data on anyone who has held a social security number, including every American. This includes social security numbers (SSNs), place and date of birth, work permit status, and parents’ names, among other sensitive personal information, for all Americans, to a cloud environment.”
SSA Chief Information Officers Michael Russo and Aram Moghaddassi, who are described as “DOGE-affiliated,” allegedly “granted approval for the data move despite a June 12, 2025 internal risk assessment flagging a high level of risk and potentially catastrophic impact to SSA beneficiaries and SSA programs absent additional controls to safeguard against unauthorized access,” the report said.
That internal risk assessment by SSA employees “evaluated the likelihood of such catastrophic impact to be between 35 and 65 percent,” with the potential for widespread disclosure of personally identifiable information, the report said.
Windows “hastily covered with black trash bags and tape”
Democratic staffers investigated DOGE activities at the SSA, GSA, and Office of Personnel Management (OPM), resulting in the report written by staff for Democrats on the Senate Homeland Security & Governmental Affairs Committee. The report criticized the agencies for a lack of cooperation.
“None of the agencies have allowed meetings with representatives from agency DOGE teams. In the DOGE spaces staff were permitted to view, armed guards controlled access to work and living spaces, rooms were locked, and office windows appeared to have been hastily covered with black trash bags and tape,” the report said.
At the GSA building, “officials refused to show staff at least six offices that GSA had allowed DOGE to convert into bedrooms,” and refused to show staff the agency’s Starlink broadband equipment, the report said. In another instance described by the report, “GSA officials said they did not have the key to open a locked room that had windows covered with black paper, trash bags, and tape. When staff asked why the most senior officials in offices charged with building management and security could not open an office door, GSA could not provide an answer.”
The report said that during a site visit at the SSA building, the DOGE workspace was guarded by armed security. “SSA officials providing the tour confirmed that this level of security was unusual,” the report said. “When staff asked why the additional security for the DOGE workspace was needed, Mr. Callahan said that DOGE staff were concerned about threats to their safety. Staff asked whether these were direct threats and whether officials informed law enforcement. Officials explained that there had not been a specific threat, rather that some DOGE staff felt threatened based on a communication with an SSA employee that ‘included cursing.'”
Aside from the security guard, the DOGE offices appeared to be empty on a Thursday afternoon, the report said. Senate staff were told “that DOGE staff had telework agreements with the agency. SSA officials confirmed that DOGE were the only individuals who had this approved telework structure in the entire CIO’s office. SSA officials could not answer questions about the telework agreements, including a reason for the telework exception and who approved the agreements.”
Sen. Gary Peters (D-Mich.), the Homeland Security & Governmental Affairs Committee’s top Democrat, said that “DOGE isn’t making government more efficient—it’s putting Americans’ sensitive information in the hands of completely unqualified and untrustworthy individuals. They are bypassing cybersecurity protections, evading oversight, and putting Americans’ personal data at risk.”
Agencies didn’t answer many questions, report says
SSA Commissioner Frank Bisignano previously denied the whistleblower allegations in a letter to Senate Finance Committee Chairman Mike Crapo (R-Idaho). The cloud environment “is actually a secured server in the agency’s cloud infrastructure which historically has housed this data and is continuously monitored and overseen—SSA’s standard practice,” the letter said.
The Senate Democratic staff report said the agencies did not answer many of the questions posed during the investigation:
In response to these questions, senior officials at SSA, GSA, and OPM all failed to provide information about who was in charge; what conduct DOGE teams were engaged in; and what data those teams had been given access to, including the authorities and restrictions guiding their access. None of the agencies could answer simple questions about organizational charts and employee roles. During oversight trips, GSA and OPM would not even directly acknowledge the existence of their DOGE teams—despite the fact that Executive Order 14158 requires each agency to have a DOGE team comprised of at least four people. At the OPM site visit, officials provided staff with information that directly contradicted court documents filed on the agency’s behalf… None of the agencies have responded to staff’s follow-up questions, including whether they are in compliance with federal law.
The Senate staff report said that OPM’s “political leadership were determined to deny any existence of DOGE at the agency,” despite evidence to the contrary. When staff visited OPM, offices were mostly empty and “leadership had difficulty answering a series of basic questions about the agency’s organization and staffing,” the report said.
When contacted by Ars today, the SSA did not provide any new response to the Senate staff report but instead pointed us to the Bisignano letter that we wrote about last week.
“I can confirm, based on the agency’s thorough review, that neither the Numident database nor any of its data has been accessed, leaked, hacked, or shared in any unauthorized fashion,” Bisignano wrote in the letter. “SSA continuously monitors its systems for any signs of unauthorized access or data compromise, and we have not detected any such incidents involving the Numident database.”
We contacted the GSA and OPM today and will update this article if they provide a response.
Report warns adversaries could hack database
While there’s no reported breach, the Senate Democratic report warned that the SSA’s cloud environment could be hacked by foreign adversaries, including “Russia, China, and Iran, who regularly attempt cyber attacks on the US government and critical infrastructure.”
The report urged the Trump administration to “immediately shut down the new cloud environment at SSA that contains NUMIDENT data,” and take other actions such as revoking DOGE access to personal data “until agencies certify that all agency personnel are in compliance with the Federal Information Security Management Act (FISMA), the Privacy Act, the Federal Records Act.” But Democrats’ ability to influence the administration is limited at best, particularly with Republicans holding majorities in both the House and Senate.
DOGE sought access to Social Security data as part of an effort to uncover evidence of fraud. A federal judge wrote in March that DOGE “is essentially engaged in a fishing expedition at SSA, in search of a fraud epidemic, based on little more than suspicion.” In June, the Supreme Court allowed DOGE to access SSA records, overturning lower-court decisions that imposed some limits on data access.
Jon is a Senior IT Reporter for Ars Technica. He covers the telecom industry, Federal Communications Commission rulemakings, broadband consumer affairs, court cases, and government regulation of the tech industry.
