Table of Contents

A former Department of Government Efficiency engineer allegedly walked out of the Social Security Administration with databases containing records on 500 million Americans — stored on a personal thumb drive — then took a private-sector contractor job. A whistleblower filed a complaint. The SSA’s inspector general opened an investigation. The DOJ confirmed prior data mishandling. Now Congress is asking whether federal AI ambitions have dismantled decades of privacy architecture.

What Happened: The Whistleblower Complaint

On March 10, 2026, The Washington Post reported that a whistleblower had filed a complaint with the SSA inspector general alleging that a former DOGE software engineer had obtained two of the Social Security Administration’s most sensitive databases before leaving government employment in October 2025 for a private contractor position.

The databases in question are the Numident — the master file of Social Security number assignments — and the Master Death File, which together contain records for more than 500 million living and dead Americans. The data held within includes Social Security numbers, dates and places of birth, citizenship status, race and ethnicity, and parents’ names.1

According to the whistleblower complaint, the engineer:

  • Stored at least one database on a personal thumb drive
  • Claimed to have retained “God-level” access to SSA systems after leaving government
  • Kept his agency computer and credentials beyond his departure
  • Asked a colleague to help transfer data from the thumb drive to his personal computer for eventual upload to his new employer’s system
  • Allegedly told co-workers he expected a presidential pardon if he was caught doing something illegal2

The complaint was filed with the SSA inspector general in January 2026. On March 6, the IG’s office formally notified House and Senate committee leaders it was reviewing the complaint “on matters relating to the potential misuse of SSA data by a former DOGE employee, among other allegations.”3

The former employee denied all wrongdoing through his attorney. SSA and the company where he took the new position also denied the allegations.4

The Data at Stake

Understanding the stakes requires understanding what these databases actually contain.

DatabaseRecordsContents
Numident~500M (living + deceased)SSNs, dates of birth, citizenship, race/ethnicity, parents’ names
Master Death File~120M deceased personsSSNs, dates of death, last known address
Combined ExposureEvery American with an SSNFull identity profile usable for fraud, targeted surveillance, voter roll matching

The Numident is not a marginal dataset. It is the canonical record of Social Security number assignment in the United States. A complete copy would constitute one of the largest identity datasets ever assembled — comprehensive enough to enable mass identity fraud, targeted surveillance, or political data analysis at national scale.

For context: the 2017 Equifax breach exposed data on approximately 147 million Americans and was described by the FTC as one of the most significant data breaches in history. The potential exposure here is more than three times larger, and includes government-issued identifiers that cannot be changed.

The Privacy Act of 1974 (5 U.S.C. § 552a) is the primary federal statute governing how agencies collect, maintain, use, and disclose personal information. It was specifically enacted in response to congressional concerns about government misuse of sensitive data — including Social Security records.5

Violations relevant to the SSA situation include:

  • Intentional disclosure to unauthorized persons: criminal misdemeanor, up to $5,000 fine and one year imprisonment
  • Obtaining records under false pretenses: same criminal penalties
  • Civil remedies: individuals harmed by unlawful disclosure can sue for damages

Beyond the Privacy Act, investigators have identified potential violations of:

  • FISMA (Federal Information Security Management Act): requires agencies to protect sensitive data in federal systems
  • Federal Records Act: governs the handling and transfer of government records
  • Hatch Act: bars federal employees from using government positions for partisan political activity

The Hatch Act exposure is particularly significant here, because the SSA whistleblower story is not happening in isolation. It is part of a documented pattern in which SSA data was, on at least one occasion, directed toward explicitly partisan ends.

The Voter Data Angle: When Efficiency Becomes a Cover

In a January 2026 court filing, the Trump administration admitted to a series of previously unreported data incidents at the SSA. Among them: on March 24, 2025, a DOGE team member embedded at SSA signed a “Voter Data Agreement” with an outside political advocacy group — in his official capacity as an SSA employee — without authorization or internal review.6

The agreement’s purpose, according to the court filing, was to match SSA data against state voter rolls the advocacy group had acquired. The stated goal of the group was to find evidence of voter fraud and overturn election results in certain states. Democracy Docket and subsequent reporting identified the group as consistent with True the Vote, a prominent election-denial organization.7

SSA said it found no evidence that data was actually shared — but also acknowledged it could not fully verify the extent of what happened.

The combination of these revelations — unauthorized third-party servers, Voter Data Agreements, and now a thumb-drive data exfiltration allegation — forms a coherent picture: DOGE personnel at SSA were operating outside the legal and procedural controls that govern federal data handling, and at least some of that activity was aimed at political ends.

A Pattern Across Federal Agencies

SSA was not an isolated case. Congressional oversight reports and court filings from 2025 and 2026 document similar behavior across at least six federal agencies.8

AgencyReported DOGE Data Activity
SSAUnauthorized servers; voter data agreement; thumb drive allegation
TreasuryAccess to payment systems processing trillions in transactions
IRSSought access to hundreds of millions of tax returns
HHS (CMS)Access to health records including Medicare/Medicaid data
VAAccess to military service and health records
Education DeptData fed into AI tools for program review without oversight

A September 2025 Democratic Senate report found that DOGE personnel had “jeopardized the security of Americans’ personal information by uploading sensitive data into cloud environments without the necessary safeguards or oversight.”9 Forty-eight lawmakers separately wrote to DOGE demanding answers about its use of unauthorized AI tools to process government data.10

The Education Department case is especially instructive. According to The Washington Post, DOGE personnel were feeding department data into a commercial AI tool to review agency programs and spending. That kind of operation — government records processed through third-party AI infrastructure — falls outside FISMA requirements, bypasses agency procurement rules, and creates uncontrolled data copies in commercial systems.

Institutional Response: Oversight Catching Up

The institutional response has been real, if delayed. Key developments as of late March 2026:

  • SSA Inspector General: formally opened investigation, notified Congress (March 6, 2026)
  • DOJ court filings: admitted DOGE employees at SSA used unapproved third-party servers and engaged in unauthorized communications with political groups
  • Sen. Gary Peters: called for independent investigation into DOGE activities at SSA after court disclosures
  • House Democrats: called for a criminal investigation into the potential data misuse
  • PBS/DOJ Acknowledgment: The DOJ confirmed in court filings the central allegations raised by Chuck Borges, SSA’s former chief data officer, who had filed an internal whistleblower complaint before being forced to resign in August 202511
  • Democracy Forward: filed legal actions requesting discovery and depositions related to DOGE’s SSA access
  • U.S. District Court (D. Maryland): issued a temporary restraining order on DOGE’s SSA access — but SSA’s own records review found evidence of access that may have continued in potential violation of that order12

Whistleblower Chuck Borges’s trajectory is worth noting. He filed an internal complaint. He was forced out of government. His concerns were later validated in DOJ court filings. He subsequently filed a retaliation complaint. This is the classic whistleblower arc — and it signals that internal reporting mechanisms at the affected agencies were not functioning as designed.

What Practitioners and Policy Observers Need to Understand

The DOGE Social Security story is not simply a scandal about one engineer and a thumb drive. It exposes a structural failure mode that appears repeatedly when politically-driven teams are embedded in agencies that hold sensitive data:

  1. Existing access controls assume good faith. Federal data systems are built around the assumption that access is used for its authorized purpose. “God-level” administrative credentials are granted to systems administrators who need broad visibility. When that access is used to exfiltrate data for private purposes, the technical controls don’t catch it — and the human oversight mechanisms failed here, too.

  2. The revolving door between government AI work and private contracting is a specific risk. When someone leaves a government role with deep system access and goes directly to a private government contractor, they carry institutional knowledge — and potentially data — across the boundary. Existing offboarding procedures, designed for earlier eras of data handling, are inadequate.

  3. Political motivations corrupt data governance. The Voter Data Agreement incident is distinct from the thumb drive allegation, but they reflect the same root cause: personnel who did not treat data governance rules as binding constraints. When political objectives and data governance conflict, and the political objectives win, privacy guarantees collapse.

  4. AI amplifies the damage. Once government data enters commercial AI pipelines — whether deliberately or incidentally — it cannot be recalled. Model training on government data creates persistent knowledge artifacts that no court order can reverse.

Frequently Asked Questions

Q: What data was allegedly taken from the Social Security Administration? A: The Numident database and the Master Death File — together covering more than 500 million living and deceased Americans — containing Social Security numbers, birth dates, citizenship status, race and ethnicity, and parental information.

Q: Is this confirmed, or still under investigation? A: As of March 2026, the SSA inspector general has opened a formal investigation. The former employee and SSA deny the allegations. Separately, the DOJ has confirmed in court filings that DOGE employees at SSA did engage in broader unauthorized data-sharing practices — so the thumb drive allegation sits within a documented pattern of misconduct.

Q: What laws were potentially broken? A: The Privacy Act of 1974, FISMA, the Federal Records Act, and potentially the Hatch Act. Privacy Act criminal violations carry up to $5,000 in fines and one year imprisonment. Civil liability for affected individuals is also a possible avenue.

Q: Why does the Voter Data Agreement matter separately from the thumb drive story? A: Because it demonstrates that SSA data was explicitly directed toward a partisan political purpose — comparing voter rolls against federal records to challenge election outcomes — by someone acting in an official government capacity. This is a Hatch Act violation on its face, and it shows that the thumb drive allegation is not an isolated incident but part of a broader governance breakdown.

Q: What should affected Americans expect to be able to do? A: Very little, practically speaking. The Privacy Act allows civil suits for damages from unlawful disclosure, but these require proving the violation and establishing harm — a high bar. There is no mechanism to “recall” data once it has been copied. The more realistic protective measures are downstream: fraud monitoring, credit freezes, and regulatory reforms that close the access-control and offboarding gaps that made this possible.

Footnotes

  1. Washington Post, “DOGE member took Social Security data on a thumb drive, whistleblower alleges,” March 10, 2026.

  2. TechCrunch, “DOGE employee stole Social Security data and put it on a thumb drive, report says,” March 10, 2026.

  3. Federal News Network, “Social Security watchdog opens probe into alleged misuse of data by ex-DOGE employee,” March 2026.

  4. Inc., “‘Worst-Case Scenario’: Ex-DOGE Engineer With ‘God-Level Access’ Accused of Taking Social Security Data on 500 Million Americans,” March 2026.

  5. EPIC, “The Privacy Act of 1974,” epic.org/the-privacy-act-of-1974/.

  6. NPR, “How DOGE improperly accessed and shared Social Security data,” January 23, 2026.

  7. Democracy Docket, “Did DOGE sign a ‘voter data agreement’ with election deniers True the Vote?,” 2026.

  8. Wikipedia, “US federal agencies targeted by DOGE,” en.wikipedia.org/wiki/US_federal_agencies_targeted_by_DOGE.

  9. Senate HSGAC, Democratic Report on DOGE Data Activities, September 2025.

  10. FedScoop, “Dozens of lawmakers question DOGE’s use of AI,” 2025.

  11. Government Accountability Project, “DOJ Issues Corrections Validating Whistleblower’s Claim of DOGE Mismanagement at Social Security Administration,” 2026.

  12. FedScoop, “DOGE likely violated order on Social Security data, court filing shows,” 2026.

Topics:
ai-policy privacy government

Related Articles

AI Policy

When Government Agencies Use ChatGPT to Make Real Decisions: The Accountability Crisis

Government agencies are increasingly using ChatGPT and AI systems to review grants, draft policies, and make administrative decisions, raising critical questions about accountability, bias, and democratic governance.

 AI Policy

US vs. EU AI Regulation: Two Incompatible Visions for the AI Future

The EU enforces strict AI rules while the US deregulates — creating a compliance nightmare for global AI companies and risking permanent Balkanization of AI.

 AI Policy

AI Is Here to Replace Nuclear Treaties: Should We Be Scared?

As nuclear arms control treaties collapse, AI-powered satellite monitoring is being positioned as a technological alternative to diplomatic verification. The answer is both promising and deeply unsettling.

Enjoyed this article?

Stay updated with our latest insights on AI and technology.

More Articles Subscribe via RSS