What happens when the country’s most sensitive database is moved into a risky cloud environment while thousands of its protectors are let go? Under the Trump administration’s Department of Government Efficiency (DOGE), the Social Security Administration (SSA) was transformed in ways that insiders characterize as technically irresponsible as well as emotionally catastrophic. Charles Borges, the agency’s former chief data officer, filed a whistleblower complaint alleging that DOGE officials duplicated the Numerical Identification System (Numident), a master file with more than 300 million Americans’ personal data, into a private part of SSA’s Amazon Web Services environment. This copy, he explained, had far fewer controls than SSA’s production environment normally does, creating a potential opportunity for mass identity theft.

The Numident database is more than an inventory of Social Security numbers. It includes names, dates and places of birth, nationality status, race and ethnicity, parents’ names, addresses, and in a few instances banking and medical information. Internal SSA cybersecurity employees allegedly classified the move to replicate this dataset as “very high risk,” noting that unauthorized access might force the government to reissue Social Security numbers across the country. In an internal risk assessment made on June 16, officials advised that “production data should not be used” in such a setting.
SSA Commissioner Frank Bisignano disputed the claims in a letter to Senate Finance Chairman Mike Crapo, saying that the information is in “a secured server in the agency’s cloud infrastructure” and is “continuously monitored and overseen SSA’s standard practice.” He said there was no evidence Numident information was “accessed, leaked, hacked, or shared in any unauthorized fashion.” But former acting commissioner Leland Dudek affirmed that the cloud server DOGE used was “too little secured” and attested that he never approved the data transfer.
The controversy points to a deeper problem: the security standards applied to cloud infrastructure across federal agencies. Government systems that process personally identifiable information are supposed to adhere to robust standards under the Federal Risk and Authorization Management Program (FedRAMP), such as multi-layer encryption, role-based access control, and independent security audits. Borges argues that the environment linked to DOGE had no independent monitoring and did not meet these standards. According to Andrea Meza of the Government Accountability Project, the arrangement lacks independent security, monitoring and oversight, and raises serious concerns about the vulnerability it creates for nearly every American’s data.
The scandal took place against the backdrop of heavy-handed staff reductions. DOGE cut 7,000 SSA jobs, roughly 12 percent of the agency’s workforce, including programmers and cybersecurity experts essential to keeping systems secure. Combined with hiring freezes and office closings, the layoffs drove workloads to the breaking point. Borges recounted an office environment where “I cannot count how many employees I saw cry, and that is at all levels of the agency, from executives downward.”
From a technology operations standpoint, these reductions undermine the human layer of security. Even the most advanced encryption and intrusion detection technology needs experienced people to configure it, watch for threats, and respond to them. Cutting experienced staff raises the likelihood that anomalies go unnoticed or unresolved. The SSA’s reliance on old software, some of it dating back to the early 1980s, makes the challenge even greater, since fewer programmers are familiar with its 60 million lines of code.
Risk assessment tools in large-scale government IT systems generally include ongoing vulnerability scanning, penetration testing, and scenario-based threat modeling. Here, SSA press officer Barton Mackey stated that the whistleblower’s claims “hinge on a risk assessment prepared for a project that never happened,” asserting that Numident data was never put into a development or test environment. But the whistleblower and internal documents indicate that a “Provisional Authorization to Operate” was issued in July, with SSA’s CIO Aram Moghaddassi affirming, “I accept all risks associated with this implementation and operation.”
The stakes are high. As Social Security analyst Caroline Raker cautioned, “If these allegations are proven true, millions of Americans with Social Security numbers could face devastating risks including identity theft, financial fraud, and long-term privacy breaches.” Finance analyst Michael Ryan put the gravity into perspective: “Bottom line: This isn’t a privacy debate; it’s a financial security crisis. Every retiree, every disability beneficiary, every working American has skin in this game.”
For cybersecurity practitioners, the episode is a case study in how governance choices, staffing levels, and technical design intersect to determine system resilience. A secure cloud deployment can’t be reduced to mere location; it needs strict adherence to encryption protocols, fine-grained access controls, and independent monitoring, all supported by a stable workforce qualified to respond to incidents. Without these, even a “walled off” system can be a point of failure.

