On August 26, 2025, a whistleblower complaint sent shockwaves through Washington, D.C., revealing that the Department of Government Efficiency (DOGE) had uploaded the Social Security information of more than 300 million Americans to a vulnerable cloud environment. The complaint, filed by Charles Borges, Chief Data Officer (CDO) of the Social Security Administration (SSA), has ignited urgent questions about government data security, internal oversight, and the potential consequences for the American public.
According to the Government Accountability Project, which submitted the protected whistleblower disclosure to Congress and the Office of Special Counsel, DOGE officials employed by the SSA created a live copy of the entire country’s Social Security information in a cloud environment that lacked any verified oversight or audit process. The NUMIDENT database in question is no ordinary file—it contains every detail submitted in an application for a Social Security card: names, dates and places of birth, parents’ names, addresses, phone numbers, even citizenship status. With this treasure trove of sensitive data, the stakes could hardly be higher.
“This vulnerable cloud environment is effectively a live copy of the entire country’s Social Security information from the Numerical Identification System (NUMIDENT) database, that apparently lacks any security oversight from SSA or tracking to determine who is accessing or has accessed the copy of this data,” the Government Accountability Project wrote on behalf of Borges in its complaint, as reported by The New York Times.
The complaint warns in stark terms: if bad actors were to access this cloud environment, Americans could face widespread identity theft, lose vital healthcare and food benefits, and the government might be forced to re-issue every Social Security Number in the country—a logistical and financial nightmare. “Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for re-issuing every American a new Social Security Number at great cost,” the complaint cautioned.
Borges, who began his tenure as SSA’s CDO on January 27, 2025, is no stranger to data analytics and federal bureaucracy, having previously served at the General Services Administration, Centers for Disease Control and Prevention, and Office of Management and Budget. His responsibilities at SSA include ensuring the safety, integrity, and security of public data—a task that now appears to have been severely compromised.
The origins of the crisis trace back to DOGE’s founding in January 2025, when its officials began seeking access to Social Security data, ostensibly to address claims of fraud. Resistance was swift: a lawsuit filed earlier this year resulted in a temporary restraining order on March 20, 2025, halting DOGE’s access to the data. That injunction remained in effect until June 6, 2025. But the legal tide soon turned. In June, the Supreme Court overturned the lower court’s decision, siding with DOGE and granting the efficiency unit access to SSA’s records.
It was in the wake of this Supreme Court ruling that the chain of events described in Borges’s complaint began to unfold. According to Axios, a DOGE software engineer almost immediately started discussing the idea of opening up the NUMIDENT database to a private cloud server. Despite warnings from some SSA executives about the risks, the proposal was ultimately approved. The complaint details how DOGE officials, under the authority of SSA Chief Information Officer Aram Moghaddassi, granted themselves permission to copy the data, sidestepping normal review and approval procedures.
Shortly after the Supreme Court’s decision, a “Risk Acceptance Request Form” was circulated among top officials, flagging the transfer of NUMIDENT data as “high-risk.” Nevertheless, less than two weeks later, administrative access to the cloud environment was approved. The issue was then escalated to Michael Russo, a DOGE-affiliated official who briefly served as SSA’s CIO in February 2025. Russo greenlit the transfer request. In a further move, Moghaddassi requested provisional authorization to operate the cloud project, arguing that “the business need is higher than the security risk.”
Borges’s internal disclosures in August 2025 painted a picture of gross mismanagement, abuse of authority, and a substantial threat to public health and safety. He argued that the approval of the cloud environment, lacking independent security or oversight mechanisms, potentially violated the law. His attorneys stated, “Mr. Borges raised concerns to his supervisors about his discovery of a disturbing pattern of questionable and risky security access and administrative misconduct that impacts some of the public’s most sensitive data. Out of a sense of urgency and duty to the American public, he is now raising the alarm to Congress and the Office of Special Counsel, urging them to engage in immediate oversight to address these serious concerns.”
The potential fallout is staggering. The NUMIDENT database is not only foundational to Social Security benefits but also underpins countless other government services, from healthcare to food assistance. As Borges’s complaint notes, a breach could force the government to re-issue every Social Security Number—an unprecedented and costly undertaking. One of Borges’s superiors even acknowledged this risk, saying the SSA might have to re-issue numbers to all holders if the worst were to happen.
In the midst of the uproar, the SSA has tried to reassure the public. On August 26, 2025, a spokesperson for Commissioner Frank Bisignano stated, “SSA stores all personal data in secure environments that have robust safeguards in place to protect vital information. The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the internet. High-level career SSA officials have administrative access to this system with oversight by SSA’s Information Security team. We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data.” The agency further emphasized that it takes all whistleblower complaints seriously.
Still, critics and privacy advocates remain unconvinced. The complaint’s publication has reignited debates over how federal agencies handle Americans’ most sensitive information and whether government “efficiency” initiatives can come at the cost of security. Earlier in 2025, SSA began using its data to assist with immigration enforcement, raising new questions about the scope and intent of DOGE’s access. For many, the lack of clarity about why DOGE needed a live copy of the NUMIDENT database in a private cloud only deepens the unease.
As of the complaint’s filing, Borges had yet to receive any response from DOGE-affiliated SSA staff regarding his security concerns. The Government Accountability Project, which has advocated for whistleblowers since 1977, praised Borges’s decision to come forward as “an important step toward mitigating the risks before it is too late.”
The story is far from over. Calls for congressional oversight and independent investigation are mounting, with lawmakers and watchdogs alike demanding answers. For now, the fate of America’s Social Security data—and the public trust in government stewardship of that data—hangs in the balance.