A whistleblower complaint filed by the Government Accountability Project alleges that Donald Trump’s DOGE cost-cutting unit duplicated the NUMIDENT database in an unauthorized cloud environment, potentially exposing the records of every American, according to the filing.
The complaint, submitted on behalf of Social Security Administration Chief Data Officer Charles Borges, accuses DOGE of moving aggressively and often without regard to established protocols, congressional oversight or the law. Borges has held the SSA post since January after more than 30 years in government IT, including 22 years in the U.S. Navy.
The filing contends that DOGE copied the NUMIDENT database, which contains data from Social Security card applications, into a test cloud environment that was not managed by the SSA and lacked independent security controls. The copy reportedly occurred in June, with administrator access limited to two DOGE employees and no visibility for SSA administrators or external auditors.
The complaint further alleges that the cloud environment lacked verified audit or oversight mechanisms and that no one outside DOGE could see the code running against the data. It warns that, if malicious actors gained access, the consequences could include widespread identity theft, loss of vital benefits, and the potential need to re-issue Social Security Numbers at substantial cost.
In addition to the NUMIDENT issue, Borges’ filing describes three instances of alleged “systemic data security violations” and possible violations of SSA security protocols and federal privacy laws, including claims that DOGE officials were granted improper and excessive access to the SSA’s enterprise data warehouse beginning in March. The complaint asserts that access bypassed the SSA’s normal access-management systems and included generic device-level credentials that were not tied to individual users. The filing notes that a judge had previously barred DOGE from SSA system access in April, but alleges that access restrictions were circumvented shortly thereafter.
The SSA told The Register that it was not aware of any NUMIDENT compromise and that it maintains secure environments with safeguards to protect personal data, including a claim that the referenced data is stored in an environment “walled off from the internet”. The agency declined to comment further on ongoing investigations, saying it would await guidance from the Office of Special Counsel (OSC).
The whistleblower complaint is being reviewed by the OSC, which has 45 days to determine next steps before deciding whether to hand the matter to the SSA for its own investigation. The OSC did not respond to requests for comment for this story. For background on the complaint and related matters, see the GAP press release here: GAP press release.