Full Report
Jon Brodkin reports: A Social Security Administration (SSA) official alleged in a whistleblower disclosure that DOGE officials created “a live copy of the country’s Social Security information in a cloud environment that circumvents oversight.” Chuck Borges, the SSA’s Chief Data Officer (CDO), “has become aware through reports to him of serious data security lapses, evidently...
Analysis Summary
# Incident Report: Alleged Unauthorized Copy of the Social Security Database to a Cloud Environment Outside Oversight
## Executive Summary
An SSA official alleged that DOGE officials created a live copy of the entire Social Security database, containing records on more than 300 million Americans, in a cloud environment that the disclosure says "circumvents oversight." The copy was allegedly made under the authority of the SSA CIO. What is described is not an external intrusion but a severe lapse in the handling of highly sensitive PII by people holding legitimate access. The matter came to light through a whistleblower disclosure submitted to Congress and the US Office of Special Counsel.
## Incident Details
- Discovery Date: Undetermined; the SSA CDO became aware through internal reports made to him before the disclosure was filed on August 26, 2025
- Incident Date: Undetermined, prior to August 26, 2025
- Affected Organization: Social Security Administration (SSA)
- Sector: Government
- Geography: United States
## Timeline of Events
### Initial Access
- Date/Time: Undetermined prior to Aug 26, 2025
- Vector: Insider action using legitimately granted SSA access. No technical exploitation is alleged; the disclosure states the copy was made at the direction of the SSA CIO.
- Details: DOGE officials, who according to the report were also SSA employees, allegedly copied the SSA master database.
### Lateral Movement
- Details: No external network intrusion is alleged. The movement in this case is the replication of the master database from SSA-controlled systems into a separate cloud environment outside SSA's oversight.
### Data Exfiltration/Impact
- Details: A "live copy" of the country's entire Social Security information was allegedly created in a cloud environment that "circumvents oversight." If "live" means the copy is kept synchronized with production rather than being a one-time snapshot, the exposure persists and grows for as long as the environment exists.
### Detection & Response
- Detection: Chuck Borges, SSA Chief Data Officer (CDO), became aware of the copy through reports made to him. The source mentions no automated control that detected the replication.
- Response: The Government Accountability Project sent a letter detailing the disclosure to members of Congress and the US Office of Special Counsel on August 26, 2025.
## Attack Methodology
*Note: This is an alleged insider action carried out under official authority rather than an external attack, so the tactic-by-tactic mapping below is approximate. Entries the source does not describe are marked as such.*
- Initial Access: Legitimate SSA access held by DOGE officials, reportedly exercised at the direction of SSA CIO Aram Moghaddassi.
- Persistence: The copied database remains in the separate cloud environment; if it is kept live, it stays current with production.
- Privilege Escalation: No technical escalation is alleged. Access was conferred through organizational authority, which is why existing controls did not block the copy.
- Defense Evasion: The destination environment is described as one that "circumvents oversight," meaning it sits outside the monitoring and governance applied to SSA's production systems.
- Credential Access: Not described. The copy required legitimate, highly privileged access to the primary SSA database.
- Discovery: Not described in the source.
- Lateral Movement: Replication of data from the core SSA system to the separate cloud environment.
- Collection: The entire Social Security information database, covering more than 300 million people.
- Exfiltration: Movement of the data out of SSA-controlled systems into an environment beyond its security controls. This is functionally exfiltration even though the actors held SSA credentials, because the data left the perimeter in which SSA can monitor and govern it.
- Impact: PII of more than 300 million Americans held outside established oversight mechanisms.
## Impact Assessment
- Financial: Not estimated in the source material.
- Data Breach: Alleged unauthorized copy of PII, including Social Security numbers and related records, for more than 300 million Americans. The disclosure as summarized here reports no external access to or misuse of the copy; the harm described is that the data sits outside the controls and oversight that apply to the production system.
- Operational: Disruption from the investigation and remediation that the unauthorized copy requires, including securing or destroying the environment and reviewing access to it.
- Reputational: Significant damage to public trust in the SSA and in DOGE.
## Indicators of Compromise
*Because the incident consists of insiders copying data under official authority, no network IoCs (IPs, domains, file hashes) are provided. The indicators below are behavioral; the first two are taken from the disclosure, the rest are what a defender would look for in a comparable case:*
- Creation of a "live copy" of the core national PII database.
- Movement of that data to an environment specifically designed to "circumvent oversight."
- Bulk reads or exports from the master PII database far exceeding any principal's normal volume, regardless of the principal's role or who authorized the access.
- Creation of a cloud environment, account or storage location that does not appear in the agency's system inventory.
- Sustained replication or synchronization traffic from production data stores to such an environment.
## Response Actions
- Containment measures: Not detailed in the source. They would include isolating the unauthorized cloud environment, revoking its access to production, and stopping any ongoing synchronization.
- Eradication steps: Secure destruction of the unauthorized copy, after preserving the environment's access logs and other evidence for investigators, followed by verification that no further copies exist.
- Recovery actions: Determination of who accessed the copy and what was done with it, remediation of the access controls that permitted the replication, and investigation of the governance lapses that let it proceed.
## Lessons Learned
- Key takeaways: Data governance and oversight failed even though the access involved was granted for officially sanctioned work by an external agency (DOGE). Controls that rely on the management hierarchy offer no protection when the person bypassing them holds senior authority.
- What could have been done better: Mandatory, real-time monitoring and immutable audit logging of mass data transfers from the master database, enforced regardless of the authorization level of the initiating user or entity, so that a copy of this size could not be made without generating an alert that someone outside the requesting chain of command would see.
## Recommendations
- Prevention measures for similar incidents: Stronger access segmentation and data loss prevention (DLP) controls that target mass exports of PII irrespective of the exporter's authorization status. A requirement for secondary, independent technical authorization (separate from CIO sign-off, for example by the CDO or CISO) before any large-scale live copy of a sensitive database is created in a non-SSA or non-production environment, together with a maintained inventory of approved environments so that copies to unlisted destinations are refused by default.
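The monitoring control in Lessons Learned and the independent-authorization control in Recommendations can both be expressed as code. The following is an added example written for this page, not code from the original report or from SSA or DOGE. It runs a sliding-window mass-export detector over constructed audit records and a dual-approval check over constructed replication requests. The database, environment, role and principal names, the one-million-row ceiling and the one-hour window are all assumptions for illustration.

```python
"""Added example, not code from the original report or from SSA/DOGE.

Two controls recommended in the report, applied to constructed audit records:
1. Mass-export detection: alert when one principal reads more than a fixed
   ceiling of rows from a sensitive database within a sliding window, with
   no exemption for the principal's role or for who authorized the access.
2. Independent authorization: a live copy of a sensitive database may only go
   to an inventoried environment, and needs two approvals from distinct people
   in distinct roles, one of them an oversight role outside the requester's
   chain of command.
Database, environment, role and principal names and the thresholds are assumed.
"""
from collections import defaultdict, deque
from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class ReadEvent:
    ts: datetime
    principal: str
    database: str
    rows: int
    destination: str  # where the result set was written


@dataclass(frozen=True)
class Approval:
    approver: str
    role: str


@dataclass(frozen=True)
class ReplicationRequest:
    source_db: str
    target_env: str
    approvals: tuple  # of Approval


SENSITIVE_DATABASES = {"ssn_master"}                 # assumed name
MASS_EXPORT_ROWS = 1_000_000                          # assumed ceiling per window
WINDOW = timedelta(hours=1)
APPROVED_ENVIRONMENTS = {"ssa-prod", "ssa-dr-site"}   # assumed inventory
INDEPENDENT_ROLES = {"CDO", "CISO", "Privacy Officer"}


def detect_mass_exports(events):
    """Return {principal: alert} for principals whose rows read from a sensitive
    database exceed MASS_EXPORT_ROWS inside any WINDOW. One alert per principal,
    raised at the first read that crosses the ceiling."""
    windows = defaultdict(deque)   # principal -> events still inside the window
    totals = defaultdict(int)      # principal -> rows currently inside the window
    alerts = {}
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.database not in SENSITIVE_DATABASES:
            continue
        q = windows[ev.principal]
        q.append(ev)
        totals[ev.principal] += ev.rows
        while ev.ts - q[0].ts > WINDOW:            # expire reads older than WINDOW
            totals[ev.principal] -= q.popleft().rows
        if totals[ev.principal] > MASS_EXPORT_ROWS and ev.principal not in alerts:
            alerts[ev.principal] = {
                "rows_in_window": totals[ev.principal],
                "window_end": ev.ts,
                "destinations": sorted({e.destination for e in q}),
            }
    return alerts


def authorize_replication(req):
    """Return (allowed, reasons). Every failed check is reported, and no single
    approver, whatever their seniority, can satisfy the policy alone."""
    reasons = []
    if req.source_db in SENSITIVE_DATABASES and req.target_env not in APPROVED_ENVIRONMENTS:
        reasons.append(f"target {req.target_env!r} is not in the approved environment inventory")
    approvers = {a.approver for a in req.approvals}
    roles = {a.role for a in req.approvals}
    if len(approvers) < 2:
        reasons.append("fewer than two distinct approvers")
    if len(roles) < 2:
        reasons.append("approvals do not come from distinct roles")
    if not roles & INDEPENDENT_ROLES:
        reasons.append("no approval from an independent oversight role")
    return (not reasons, reasons)


def sample_events():
    """Constructed audit records for illustration (not real SSA log data)."""
    t0 = datetime(2025, 8, 1, 9, 0)
    return [
        ReadEvent(t0, "analyst_a", "ssn_master", 200, "workstation"),
        ReadEvent(t0 + timedelta(minutes=10), "analyst_a", "ssn_master", 150, "workstation"),
        # two large reads two hours apart never exceed the ceiling within one window
        ReadEvent(t0, "nightly_report", "ssn_master", 600_000, "report_store"),
        ReadEvent(t0 + timedelta(hours=2), "nightly_report", "ssn_master", 600_000, "report_store"),
        # same volume per read, but 30 minutes apart and bound for an unregistered target
        ReadEvent(t0, "etl_batch", "ssn_master", 600_000, "cloud-env-unregistered"),
        ReadEvent(t0 + timedelta(minutes=30), "etl_batch", "ssn_master", 600_000, "cloud-env-unregistered"),
        # reads from a non-sensitive database are out of scope for this detector
        ReadEvent(t0, "etl_batch", "public_stats", 5_000_000, "cloud-env-unregistered"),
    ]


if __name__ == "__main__":
    for principal, alert in detect_mass_exports(sample_events()).items():
        print(f"ALERT {principal}: {alert['rows_in_window']:,} rows within {WINDOW} "
              f"ending {alert['window_end']:%H:%M}, written to {alert['destinations']}")
    single_signoff = ReplicationRequest("ssn_master", "cloud-env-unregistered", (Approval("cio", "CIO"),))
    dual_signoff = ReplicationRequest("ssn_master", "ssa-dr-site", (Approval("cio", "CIO"), Approval("cdo", "CDO")))
    for req in (single_signoff, dual_signoff):
        allowed, reasons = authorize_replication(req)
        print(f"{req.source_db} -> {req.target_env}: {'ALLOWED' if allowed else 'DENIED'} {reasons}")
```

The detector keys on volume per principal per window, not on role, so a CIO-directed job and a misbehaving service account are treated identically; the nightly report shows why a sliding window is needed, since the same total read two hours apart is ordinary while the same total read thirty minutes apart is a bulk copy. The authorization check fails closed and lists every unmet condition, so a request signed only by the CIO for an unlisted cloud environment is refused for four separate reasons rather than one.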