The Government Accountability Office examined access that a pair of DOGE staffers had to Bureau of the Fiscal Service payment systems from Jan. 20-April 11, 2025. The audit aimed to determine what the DOGE duo planned to do with BFS systems, and if they followed Treasury protocols on data security. DOGE’s access to those systems has been the subject of litigation.
Preliminary results of GAO’s “ongoing work” involving DOGE revealed that one representative from the Elon Musk-created tech collective had access to three BFS systems — where the federal government disburses federal income tax refunds, benefits, salaries and many other payments. Foreign aid payments were at the center of much of DOGE’s activity.
That employee was able to view, copy and print data from those systems, per the report, in addition to being “inadvertently granted temporary access to create, modify, and delete data” for one of the systems. The watchdog found no evidence of changes to data.
Lambert here: And exfiltration of the data? Or changes to the code?
Beyond unintentional security slips, the GAO found a series of moves by DOGE that skirted IT security rules set for BFS usage: One staffer did not encrypt the personally identifiable information of 350 individuals listed for USAID payments that was sent to another agency via an Excel file; that DOGE representative then used their Treasury email address to send the file to the other DOGE staffer’s BFS email; and an unencrypted file of the data was then sent to two DOGE members at the General Services Administration.
The GAO didn’t spare Treasury and BFS officials from blame for some DOGE security lapses. The BFS, for example, did not fully implement all selected cybersecurity controls on payment systems. Additionally, one of the DOGE staffers was “never informed of or agreed to their postemployment data protection requirements at the time of their departure from the agency.”
Because of that lack of communication, that DOGE worker left the agency with an interim security clearance that enabled them to access “multiple BFS systems containing sensitive federal payment information.”
Lambert here: So did the scope of the GAO investigation include what the worker did after they left the agency ***cough*** thumb drive in hand ***cough***?