Full Report
The filing was part of a case brought by state attorneys general seeking to block DOGE access to sensitive information.
Source: CyberScoop, "DOGE staffer violated security policies at Treasury Department, court filing shows".
Analysis Summary
# Incident Report: Unauthorized PII Disclosure by DOGE Staffer at Treasury Department
## Executive Summary
A staffer from the Department of Government Efficiency (DOGE), Marko Elez, improperly shared a spreadsheet containing personally identifiable information (PII) from the Treasury Department's Bureau of the Fiscal Service (BFS) with two officials at the General Services Administration (GSA). The transmission violated BFS security policies that require PII to be encrypted and its distribution approved in advance. Treasury characterized the data as "low risk" because the spreadsheet held names without further identifiers, but the lapse reinforced the plaintiffs' concerns that DOGE staff had been onboarded hastily and given access to Treasury records without adequate safeguards.
## Incident Details
- Discovery Date: Not stated explicitly; the sharing was identified internally before the March 2025 court filing that disclosed it.
- Incident Date: Not specified; it occurred while Marko Elez was working on Treasury data and before his resignation in February 2025.
- Affected Organization: U.S. Treasury Department, Bureau of the Fiscal Service (BFS).
- Sector: Government (Financial/Executive Branch).
- Geography: Washington D.C. Area (Implied, based on federal agencies).
## Timeline of Events
### Initial Access
- Date/Time: Unknown (Occurred while Marko Elez was employed by DOGE and working with Treasury data).
- Vector: Insider misuse/Policy violation by an authorized staffer.
- Details: DOGE staffer Marko Elez distributed a spreadsheet containing PII (names only) to two GSA officials.
### Lateral Movement
- Not applicable in the sense of an external actor moving between systems. The data moved between authorized personnel, but outside the channel and approval process that policy required.
### Data Exfiltration/Impact
- Data Exfiltration: A spreadsheet containing PII (names) was sent to two GSA officials, outside BFS, without encryption or prior approval.
- Impact: Violation of BFS PII distribution policy, which raised questions about the security oversight applied when DOGE staff were onboarded to Treasury systems.
### Detection & Response
- Detection: The improper sharing became public through declarations filed by Treasury security official David Ambrose (identified on this page as Treasury's CSO/CISO) as part of the ongoing litigation.
- Response Actions: Elez resigned in February 2025 after unrelated racist social media posts surfaced. Treasury defended the handling of the data, noting the PII was low-risk; the plaintiffs argued the incident confirmed the security concerns at the center of their case.
## Attack Methodology
*Note: This was an insider policy violation, not a typical external cyberattack, therefore many MITRE ATT&CK categories are not applicable.*
- Initial Access: Authorized insider access (DOGE staffer onboarding at Treasury).
- Persistence: Not Applicable.
- Privilege Escalation: Not Applicable.
- Defense Evasion: Not Applicable. The transfer was not concealed; it went unflagged until documented during internal review.
- Credential Access: Not Applicable.
- Discovery: Not Applicable. The data was already available to the staffer through authorized access.
- Lateral Movement: Not Applicable. No movement between systems occurred; the spreadsheet passed between authorized users at different agencies.
- Collection: Pre-existing access to PII data through the DOGE engagement.
- Exfiltration: Distribution of the spreadsheet via email/other means (unspecified) without encryption or approval.
- Impact: Policy violation leading to exposure of PII.
## Impact Assessment
- Financial: Not disclosed/Not applicable in terms of direct remediation costs mentioned.
- Data Breach: Personally Identifiable Information (PII), specifically names, was shared. Described as "low risk PII" because it lacked identifiers like SSNs or birth dates.
- Operational: The revelation complicated ongoing litigation regarding DOGE's overall access and stability within Treasury systems.
- Reputational: Negative attention drawn to the security practices of DOGE and the Treasury Department during onboarding.
## Indicators of Compromise
Due to the nature of the incident (internal policy violation), specific malicious IOCs were not reported.
- Network indicators: None reported; the filing does not specify the channel used to send the spreadsheet.
- File indicators: Spreadsheet containing names (PII).
- Behavioral indicators: Staffer distributing sensitive data without encryption or prior approval, contrary to BFS policy.
## Response Actions
- Containment measures: None specific to this incident were reported. The staffer resigned in February 2025 for unrelated reasons, which ended his direct access to Treasury data.
- Eradication steps: Not detailed, but the context implies internal review of appropriate safeguards for DOGE team members.
- Recovery actions: Not detailed, but plaintiffs argued that adequate security safeguards are still lacking for the replacement staffer (Ryan Wunderly).
## Lessons Learned
- Insider control failures remain a critical risk, even when data exposure is deemed "low risk."
- Lack of adherence to established protocol (encryption, prior approval) demonstrates a failure in policy enforcement and situational awareness by personnel handling sensitive data.
- The "rushed and chaotic nature" of the DOGE onboarding process, cited by the Court, directly contributed to security lapses.
## Recommendations
- Implement technical enforcement of data-transmission policy, not just written rules: outbound transfers of PII by temporary or external staff should be blocked or flagged when they lack encryption or an approval reference.
- Require refreshed security training on data handling, encryption requirements and authorization procedures for all personnel assigned to inter-agency task forces such as the DOGE engagement at Treasury.
- Clarify and enforce reporting lines and supervision for personnel working outside their home agency's structure, so that accountability for policy compliance is unambiguous.
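The two BFS rules at issue (encrypt PII before it leaves the bureau, and obtain approval first) are the kind of policy that can be checked mechanically at an email or file-transfer gateway. The following is an added illustration, not code from the article, the court filing or any Treasury system: it parses constructed gateway records, decides which transfers fall under the PII rules, and reports the violations. The log format, field names, the internal domain list and all sample records are assumptions made for the example.

```python
"""Added example: an outbound-transfer policy check modelled on the two BFS
rules described above (encryption and prior approval for PII leaving the
bureau). Log format, field names, domains and sample records are constructed
for illustration and are not taken from the filing or from Treasury systems."""
from dataclasses import dataclass

# Assumption: addresses in these domains are "inside"; anything else is external.
INTERNAL_DOMAINS = {"fiscal.treasury.gov", "treasury.gov"}


@dataclass(frozen=True)
class Transfer:
    event_id: str
    sender: str
    recipients: tuple[str, ...]
    attachment: str
    classification: str   # data-owner label on the file, e.g. "pii" or "public"
    encrypted: bool       # gateway saw an encrypted payload
    approval_ref: str     # approval ticket reference, "" when none was supplied


def parse_line(line: str) -> Transfer:
    """Parse one constructed gateway record: pipe-separated key=value pairs."""
    fields = dict(part.split("=", 1) for part in line.strip().split("|"))
    return Transfer(
        event_id=fields["id"],
        sender=fields["from"],
        recipients=tuple(r for r in fields["to"].split(",") if r),
        attachment=fields["file"],
        classification=fields["class"].lower(),
        encrypted=fields["enc"] == "1",
        approval_ref=fields.get("approval", ""),
    )


def is_external(address: str) -> bool:
    """True when the recipient's domain is not one of the internal domains."""
    domain = address.rsplit("@", 1)[-1].lower()
    return domain not in INTERNAL_DOMAINS


def evaluate(t: Transfer) -> list[str]:
    """Return the policy violations for one transfer; an empty list is compliant.
    Only PII that leaves the internal domains is in scope of the two rules."""
    external = [r for r in t.recipients if is_external(r)]
    if t.classification != "pii" or not external:
        return []
    violations = []
    if not t.encrypted:
        violations.append("pii-unencrypted")
    if not t.approval_ref:
        violations.append("pii-no-prior-approval")
    return violations


def audit(lines: list[str]) -> dict[str, list[str]]:
    """Map event id to violations for every non-compliant record in the log."""
    findings: dict[str, list[str]] = {}
    for line in lines:
        t = parse_line(line)
        violations = evaluate(t)
        if violations:
            findings[t.event_id] = violations
    return findings


# Constructed sample records. e1 mirrors the shape of the incident above:
# an unencrypted, unapproved PII spreadsheet sent to two outside addresses.
# e2 is the compliant form of the same transfer; e3 stays internal; e4 is
# public data; e5 is encrypted but was never approved.
SAMPLE_LOG = [
    "id=e1|from=analyst@fiscal.treasury.gov|to=a.officer@gsa.gov,b.officer@gsa.gov|file=names.xlsx|class=pii|enc=0|approval=",
    "id=e2|from=analyst@fiscal.treasury.gov|to=a.officer@gsa.gov|file=names.xlsx.gpg|class=pii|enc=1|approval=CHG-1042",
    "id=e3|from=analyst@fiscal.treasury.gov|to=lead@treasury.gov|file=names.xlsx|class=pii|enc=0|approval=",
    "id=e4|from=analyst@fiscal.treasury.gov|to=a.officer@gsa.gov|file=agenda.docx|class=public|enc=0|approval=",
    "id=e5|from=analyst@fiscal.treasury.gov|to=a.officer@gsa.gov|file=names.xlsx|class=pii|enc=1|approval=",
]

if __name__ == "__main__":
    for event_id, violations in audit(SAMPLE_LOG).items():
        print(event_id, ", ".join(violations))
```

Running the block reports `e1` with both violations and `e5` with only the missing approval; the internal transfer `e3` and the public document `e4` are out of scope, and `e2` is compliant. The check depends on two inputs the incident shows are easy to get wrong: a reliable classification label on the file, and a list of which domains count as internal. A check like this is a control, not a detection after the fact; it works only if the gateway can block or hold the transfer when `evaluate` returns a non-empty list.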