On August 26, 2025, a whistleblower complaint filed by Charles Borgess, the Chief Data Officer of the Social Security Administration (SSA), set off alarm bells across the nation. According to CNN, Borgess alleged that employees within the Government Efficiency Division had transferred the Social Security records of over 300 million Americans onto a cloud server with minimal security controls or access tracking. This revelation has cast a spotlight on the precarious state of Americans’ most sensitive information—names, Social Security numbers, dates of birth, addresses, citizenship status, parents’ names, and more—now potentially exposed to cyber threats.
“If attackers gain access to this cloud environment, Americans could suffer widespread identity theft, lose vital medical services and food benefits, and the government could be held responsible for reissuing a new Social Security number to every American at substantial cost,” the whistleblower complaint warned. The sheer scale of the risk is staggering. Imagine the government having to issue new Social Security numbers for every American—a logistical and financial nightmare, not to mention the personal chaos for individuals suddenly cut off from essential services.
Borgess, who has served as SSA’s Chief Data Officer since January 27, 2025, described “a disturbing pattern of questionable and risky security access and administrative misconduct.” He voiced his concerns to the agency’s Chief Information Officer, but, as he stated, has not been briefed on any steps to remedy the situation. The lack of transparency and urgency in addressing the problem has only deepened worries among privacy advocates and the general public alike.
According to CNN, the SSA responded on August 26, 2025, stating that all personal data are “stored in secure environments with robust protections” and that the data referred to in the complaint “are stored in an SSA environment that has been in use for a long time and is isolated from the Internet.” The agency emphasized that it takes whistleblower complaints seriously, but offered little detail on any immediate remediation or investigation.
This is not the first time the SSA’s data practices have come under scrutiny. Privacy and data security concerns have grown since the Trump administration permitted the Department of Government Efficiency (DOGE), led by Elon Musk, to integrate with several federal agencies, including the SSA. According to CNN, former officials had already raised red flags about DOGE’s need for access to records and their handling. In fact, a coalition of labor representatives and civil rights groups filed a lawsuit to block DOGE from accessing citizens’ Social Security records, but the Supreme Court, in June 2025, allowed DOGE to review the data as part of a broader effort to root out fraud and modernize the agency’s technology.
Musk, for his part, has repeatedly highlighted the threat of fraud within the agency, noting that some files date back many years. The modernization effort, while intended to improve efficiency and reduce fraud, has inadvertently introduced new vulnerabilities, as the whistleblower complaint demonstrates. The tension between progress and privacy has never been more apparent.
But the government is hardly alone in facing criticism over data security. According to Incogni, both domestic and foreign technology companies are aggressively harvesting Americans’ personal data through mobile applications. Social media and shopping apps, in particular, collect vast amounts of information—often far more than users realize. Some apps use this data to feed algorithms for marketing and advertising, calculating optimal prices based on consumer behavior and, in many cases, leading to unwanted spending. Others share user data with unnamed third parties, compounding the risk of breaches with every additional recipient. And, of course, there’s the ever-present threat of government appropriation of this data, especially when foreign-owned apps are involved.
Incogni’s research, conducted between August 2024 and August 27, 2025, examined the most popular foreign-owned apps downloaded in the US. The results were eye-opening: six out of the ten most popular foreign-owned apps in the US originate from China—TikTok, Temu, Alibaba, Shein, CapCut, and AliExpress. These apps are among the most data-intensive, collecting an average of 18 types of data per user and sharing six types with third parties.
TikTok, for instance, tops the list for data appetite, collecting 24 distinct data types and sharing six categories with third parties. This includes user names, street addresses, and phone numbers. Alibaba, the Chinese B2B commerce app, is not far behind, collecting 20 data categories and sharing six. It can access user-generated content such as files, documents, videos, and photos, along with common identifiers like phone numbers, home addresses, and full names. Temu, while sharing less data, still gathers 18 types of information, including approximate location, the list of installed apps, and user-generated content.
Shein stands out for its aggressive data-sharing practices, sharing 12 of the 17 data types it collects with external entities—the highest share-to-collect ratio among the apps reviewed. Shared data includes phone numbers, names, and photos sent to undisclosed third parties. Shein, AliExpress, and Alibaba all collect email addresses for advertising purposes and share them with third-party marketers, which helps explain the surge in spam from unknown sources that many users experience.
Location data is another area of concern. Temu, AliExpress, and ABPV all share approximate location data with third parties for advertising, while ABPV goes even further by sharing precise location data. Shein, Alibaba, and AliExpress also share user names for advertising, giving external parties a direct identifier to pair with other data points.
“Many of these apps are quietly collecting and sharing personal information like names, addresses, and approximate locations, leaving users extremely vulnerable to third-party breaches,” said Darius Belejevas, Head of Incogni. His warning underscores a growing anxiety: even privacy specialists who read terms of service and privacy policies may not fully grasp the scale of data collection or how this information is disseminated to entities abroad.
The convergence of government mishandling and corporate overreach paints a troubling picture for American privacy. On one hand, the SSA’s internal failings and the integration of new technologies under the banner of efficiency have left the personal data of hundreds of millions exposed. On the other, the relentless appetite of social media and shopping apps—especially those headquartered overseas—means data is being harvested, shared, and monetized on an industrial scale.
For ordinary Americans, the risks are more than theoretical. A breach at the SSA could trigger a cascade of identity theft, disrupting lives and costing billions. At the same time, the silent siphoning of personal data by apps leads to increased spam, targeted advertising, and, potentially, exploitation by foreign actors. The interplay between convenience and privacy has never been more fraught.
As government agencies and technology companies race to modernize, the challenge will be to strike a balance between innovation and security. The whistleblower’s revelations and Incogni’s research serve as a stark reminder: when it comes to personal data, vigilance is not optional—it’s essential.
