A new Senate Democratic report concludes that the Department of Government Efficiency program DOGE operates outside federal law and creates privacy and cybersecurity risks at three federal agencies: the General Services Administration (GSA), the Office of Personnel Management (OPM) and the Social Security Administration (SSA). The DOGE report, drawn from media reports, legal filings, whistleblower disclosures and staff visits, details the scope and potential consequences of DOGE activity across the agencies.
In one previously unreported whistleblower claim, the SSA risk assessment found that uploading the Numident database – described in the report as a data store containing personal information – could yield a 35% to 65% chance of a data breach with catastrophic effects. The section notes possible widespread PII disclosure and even damage to agency facilities, with potential fatalities, if protections are bypassed. The Numident reference appears in the report via disclosures linked to a Numident entry.
“DOGE isn’t making government more efficient – it’s putting Americans’ sensitive information at risk,” said Michigan Senator Gary Peters, the committee’s top Democrat. “We cannot allow this shadow operation to continue unchecked while millions face identity theft, economic disruption and permanent harm.”
The report recommends stripping all DOGE access to sensitive personal information until agencies certify compliance with federal security and privacy laws such as the Federal Information Security Management Act, and it calls for DOGE employees to complete the same cybersecurity training as other federal workers. OPM officials pushed back, saying the agency safeguards personnel records and that the report recycles unfounded claims about “DOGE teams” that never existed. SSA cited Commissioner Bisignano’s letter to Congress responding to Numident security questions, saying the Numident data has not been accessed or leaked and that the cloud environment cited is a secured, monitored SSA system.
Beyond the core allegations, the report notes that DOGE installed a Starlink network at GSA but would not permit staff to view it, a claim the authors say could help DOGE circumvent IT oversight. It also revisits concerns about a former SSA DOGE employee, John Koval, and the possibility of moving highly sensitive SSA data into an unmonitored cloud environment, warning that foreign adversaries are watching these developments. In a separate Bloomberg article, a DOGE-associated individual described as a teen was fired by a cybersecurity firm for leaking company secrets, underscoring perceived governance risks. The General Services Administration did not respond to requests for comment on the findings.