Tag: DOGE breach

  • Cybersecurity Expert Raises Alarm Over DOGE’s Data Access Amid Concerns Over Public Safety

    Cybersecurity Expert Raises Alarm Over DOGE’s Data Access Amid Concerns Over Public Safety

    A federal judge in Baltimore has recently ruled that the Department of Government Efficiency (DOGE) must purge all non-anonymized data accessed from the Social Security Administration. This ruling underscores significant concerns about data security and privacy, as the judge determined that DOGE could not have access to sensitive Social Security data (Politico).

    Despite this setback, DOGE received approval from an appeals court in Baltimore to access confidential data from various federal departments, including the Treasury Department and the Education Department (AP News). This duality of rulings raises critical questions about the protocols governing data access, especially regarding the potential risks associated with unauthorized data handling.

    Chad Johnson, a cybersecurity expert and assistant professor at the University of Wisconsin-Stevens Point, expressed grave concerns about DOGE’s approach to data security. In an interview with WPR’s Wisconsin Today, Johnson highlighted the dangerous precedent set by allowing DOGE to access sensitive information, warning that it could attract bad actors aiming to exploit these vulnerabilities in federal data systems.

    Johnson compared the situation to the infamous Equifax data breach of 2017, stating that if the information collected by DOGE were mishandled or leaked, it could have similarly devastating consequences. He noted that the unprecedented amount of sensitive data at stake makes the potential for misuse particularly alarming, given the lack of evidence that DOGE is adhering to established security protocols such as the Federal Information Security Management Act (FISMA).

    The ongoing debate reflects a critical tension between the need for data efficiency in federal agencies and the imperative to protect individual privacy. Johnson cautioned against the simplification of complex security measures, framing it as a dangerous sacrifice of privacy for the sake of operational efficiency. He emphasized the need for a foundational commitment to security practices to prevent significant breaches.

    For ordinary citizens concerned about their personal data, Johnson recommends proactive personal cybersecurity practices such as using unique, strong passwords, enabling multi-factor authentication, and being mindful of the information shared online, as the average citizen has limited control over how their data is managed in federal systems.

  • Whistleblower Alleges Data Breach at NLRB Involving DOGE Employees

    Whistleblower Alleges Data Breach at NLRB Involving DOGE Employees

    A whistleblower from the National Labor Relations Board (NLRB) has raised alarming allegations regarding unauthorized data transfers conducted by employees of Elon Musk’s Department of Government Efficiency (DOGE). In a complaint sent to the Senate Select Committee on Intelligence, security architect Daniel J. Berulis detailed how DOGE allegedly siphoned off gigabytes of sensitive agency data using newly created user accounts exempt from standard logging procedures. This unusual incident occurred in early March, coinciding with several blocked login attempts originating from a Russian IP address, which were reportedly trying to access these new accounts.

    Berulis’s complaint describes incidents where DOGE officials allegedly instructed NLRB staff to bypass regular security protocols during the account creation process. These new accounts were granted extreme privileges that allowed them to manipulate and obscure critical data without oversight. According to Berulis, on March 3, the day these accounts were created, a significant uptick in data traffic was recorded, resulting in the transfer of approximately 10 gigabytes of data from NLRB’s NxGen case management system.

    Berulis expressed concern over the potential risks associated with these accounts, noting that the NxGen database contains sensitive information related to union activities and legal proceedings. Multiple login attempts from a suspicious Russian Internet address were detected shortly after the account creation, raising further red flags about the breach’s security implications. His documentation included evidentiary screenshots, emphasizing that HIPAA violations could be a reality due to potential exposure of confidential employee data.

    In response to these alarming claims, NPR reported that the NLRB has maintained that DOGE neither requested nor received access to its systems and their internal review concluded no breach had occurred. However, the whistleblower’s claims have sparked international interest, particularly given the ongoing tensions between the NLRB and major corporations like SpaceX and Amazon, both of which have raised legal challenges against the agency. As the situation develops, Berulis remains determined to seek further investigation, calling on lawmakers to engage Microsoft for additional insight into the suspicious activities surrounding DOGE’s accounts. For additional context on Berulis’s detailed complaint, [read here](https://whistlebloweraid.org/wp-content/uploads/2025/04/2025_0414_Berulis-Disclosure-with-Exhibits.s.pdf).

  • Distinguishing Privacy from Security: Lessons from the DOGE Incident

    Distinguishing Privacy from Security: Lessons from the DOGE Incident

    The recent comments by Connecticut Attorney General William Tong regarding the Department of Government Efficiency’s (DOGE) access to Treasury Department records signal what he termed the largest data breach in American history. This incident highlights a pervasive issue faced by organizations: the misconception that data privacy and security are interchangeable, a conflation that can result in severe consequences for both businesses and consumers.

    Data privacy fundamentally involves the ethical management of personal information, requiring companies to handle data transparently and with explicit consumer consent. Notably, regulations such as the EU’s GDPR, the HIPAA, and the CCPA outline the requirements for data access, sharing, and deletion, safeguarding individuals’ rights. In contrast, data security focuses on protecting information against unauthorized access and fraud through advanced measures like encryption and security audits.

    The DOGE incident serves as a glaring example of why the distinction between data privacy and security is critical. Reports indicate that DOGE allegedly accessed sensitive federal information without proper authorization. This breach was not a matter of collecting data improperly, but rather a failure of adequate security measures. Businesses that emphasize compliance with privacy laws over actual security investments leave themselves vulnerable to incidents like this.

    As organizations continue to grapple with the dual imperatives of privacy and security, it is essential for them to adopt distinct strategies rather than merging them into one. Privacy strategies should concentrate on compliance and ethical data governance, while security must focus on proactive risk management and threat detection. Misaligning these responsibilities can create gaps that malicious entities can exploit, posing risks that could lead to significant legal and financial repercussions.

    Ultimately, companies must clearly define roles within their organizations to optimize their response to security threats. By fostering collaboration between privacy and security teams, conducting regular assessments of both domains, and investing in dedicated security measures, businesses can effectively mitigate risks and maintain consumer trust in an increasingly complex digital landscape.