At issue in Mr. [Charles] Borges’s complaint is the so-called Numident file, a critical database that contains the personal information of everyone who has ever held a Social Security number, living or dead. The agency has issued more than 548 million numbers.
In his complaint, Mr. Borges provided documents showing that DOGE member John Solly, a software engineer working at Social Security, called a career agency employee on June 10 to open discussions about copying Numident data to a “virtual private cloud” server operated by Social Security. Edward Coristine, a 19-year-old DOGE software engineer, was also involved in the project and would be given access to the server, other records show. The request came shortly after the Supreme Court allowed members of DOGE to have access to the agency’s data.
“I have determined the business need is higher than the security risk associated with this implementation and I accept all risks,” wrote Aram Moghaddassi, who worked at two of Mr. Musk’s companies, X and Neuralink, before becoming Social Security’s chief information officer, in a July 15 memo.
On June 16, Joe Cunningham, the agency’s acting chief information security officer, emailed Mr. Moghaddassi and another top official, attaching a copy of an official risk assessment.
Mr. Borges’s complaint also includes documents that he said backed up two additional allegations.
He said that in March DOGE officials bypassed normal security procedures and were given “improper and excessive access” to other databases that contained sensitive information about Social Security applicants, including the ability to edit data.
Mr. Borges also said that DOGE officials briefly “appeared to have circumvented” the March 20 temporary court order that locked them out of Social Security data, regaining access to the data over the following weekend before being cut off again on March 24.
“After a thorough review, we have determined that this request poses a high risk,” Mr. Cunningham wrote, adding that “our current policy requires sign-off from the chief information officer (C.I.O.) to accept these risks.”
The risk assessment stated that DOGE wanted “uninhibited” control over the server to “expedite” its work but had not provided documentation of how it would maintain security, and it warned that “sensitive data could be made public,” according to a copy included in Mr. Borges’s complaint.
In another email to colleagues on June 23, Mr. Cunningham wrote: “We need to address how we can effectively monitor the data and the security controls that will be implemented.”
Two days later, he asked Michael Russo, a senior DOGE-aligned official at Social Security, to sign off on the project, noting that the personal data being uploaded had not been “sanitized,” or anonymized, as he suggested would typically be the case.
Add new comment