John Solly, a software engineer and former member of the so-called Department of Government Efficiency (DOGE), is the DOGE operative reportedly accused in a whistleblower complaint of telling colleagues that he stored sensitive Social Security Administration (SSA) data on a thumb drive and wanted to share the information with his new employer, multiple sources tell WIRED.
Since October, according to a copy of his résumé, Solly has worked as the chief technology officer for the health IT division of a government contractor called Leidos, which has already received millions in SSA contracts and could receive up to $1.5 billion in contracts with SSA based on a five-year deal it signed in 2023. Solly’s personal website and LinkedIn have been taken offline as of this week.
Solly was one of 12 DOGE team members at SSA, where, according to the résumé on his personal website, he supported “other DOGE engineers on initiatives including Digital SSN, Death Master File cleanup,” and “SSN verification API (EDEN 2.0).” The “death master file” is an SSA database containing millions of Social Security records of deceased people and is maintained so that their identities can’t be used for fraud.
The allegation was revealed in a complaint filed to SSA’s internal watchdog first reported earlier this week by The Washington Post, which did not name Solly or Leidos. According to the Post, the complaint was filed with the SSA’s Office of the Inspector General earlier this year and alleges that the former DOGE employee told coworkers he took copies of the SSA’s Numerical Identification System, or NUMIDENT, as well as the “death master file.”
Lambert here: NUMIDENT?! Holy [family blog]!
In the complaint, according to the Post, a whistleblower alleges that the former DOGE employee sought help transferring a set of data from a thumb drive to a personal computer so he could “sanitize” it before uploading it for use at a private-sector company. The former DOGE employee allegedly said that he expected to receive a presidential pardon if his actions were unlawful, the complaint reportedly stated.
Solly “did not share, access, or view any personally identifiable information (PII) maintained by SSA, including SSA’s Death Master File (DMF) and Numerical Identification System (Numident)…” says Seth Waxman, who is representing Solly.
Lambert here: So that’s alright then.
Leidos spokesperson Todd Blecher tells WIRED, “We completed an internal investigation, including employee interviews, and found no substantiation of the assertions against Mr. Solly. Our investigation involved advanced digital forensics that found no evidence that the Social Security Administration data described in a whistleblower complaint is, or ever has been, on Leidos networks.
Lambert here: Rather heavily qualified, if you ask me.
Last August, SSA’s chief data officer, Chuck Borges, filed a different complaint to the US Office of Special Counsel accusing DOGE of wrongfully uploading SSA data, including highly sensitive information on millions of people with Social Security numbers, to an unsecured cloud server. In the complaint, Borges alleged that the actions undertaken by DOGE could put the data at risk of being hacked or leaked.
In Borges’ complaint, he specifically named Solly as a DOGE member who requested that the agency move live NUMIDENT data, which contains millions of Social Security numbers, and upload it into a cloud environment lacking “independent security controls.”
Other DOGE members, including Edward Coristine, Aram Moghaddassi, and Michael Russo were alleged in Borges’ complaint to have taken part in the discussions to move NUMIDENT data.
EDEN, or the Enterprise Data Exchange Network, was originally part of a system to help financial institutions verify the identities of their customers, according to Leland Dudek, former acting SSA commissioner. The EDEN system pulls data from NUMIDENT, which Solly would likely have needed access to in order to work on EDEN. “Sharing things typically goes over a mainframe,” says Dudek. “That’s really not a great way to share data.”
It’s unclear exactly what the EDEN 2.0 project was intended to accomplish, but appears to be an API system to supply real-time Social Security number verification to other government agencies, according to a source familiar with the work.
According to Dudek, the first version of EDEN was built around the same time as another SSA tool, the electronic Consent Based Social Security Number Verification (eCBSV). This is a fraud detection tool that allows financial institutions to check their records against Social Security data, to ensure, for instance, that someone opening a bank account is who they say they are. In order to share that data safely with outside institutions, SSA needed a system that didn’t require mainframe access. EDEN, though not technically part of the eCBSV system, was instrumental to the project.
“The underlying piece that made that work, because you’re making agreements with different commercial entities, and you’re exposing it through an API, that was what the EDEN system was designed to do,” says Dudek.
It appears that EDEN is already being used to share data with other agencies.
Lambert here: On a thumb drive? Are we really to believe that a (relatively) insignificant vendor like Leidos was the only (potential) receiver of stolen DOGE goods?
Add new comment