Copyright Anchorage Daily News
Charles Borges, then chief data officer for the vast Social Security Administration, was alarmed last summer when he learned that members of Elon Musk’s U.S. DOGE Service had copied a mainframe database containing the personal information of hundreds of millions of Americans, including names, birthdays, addresses and more. The discovery prompted Borges to file a whistleblower complaint in August, telling Congress and the Office of Special Counsel that the cloud server where the database was uploaded had little oversight and was vulnerable to attacks by bad actors. The result: He said the Trump administration’s reaction to his complaint caused him to feel isolated and subject to a hostile work environment, prompting him to resign and give up a decades-long government career and dream job. Social Security officials insist there has been no breach or security risk, but Borges and other current and former employees say they have concerns about the access that DOGE personnel had to the data and their efforts to move and manipulate it in ways the agency has never seen before. Even the senior official who granted the Musk team broad access to agency data is now warning that DOGE - short for the Department of Government Efficiency - should not have put the agency’s most sensitive repository of Americans’ personal information on a cloud server. “Prove me wrong,” Borges told The Washington Post last week in his first media interview since his disclosure. “The only way I feel like we’re going to get to that point is with continued public interest, continued public pressure, and I’m willing to lend my name.” In a letter to Senate Finance Chair Mike Crapo (R-Idaho), SSA Commissioner Frank Bisignano said the agency conducted a thorough review and has not found evidence that the master database of some 500 million living and dead Americans - called Numident - had been “accessed, leaked, hacked, or shared in any unauthorized fashion.” “The location referred to in the whistleblower allegation is actually a secured server in the agency’s cloud infrastructure which historically has housed this data and is continuously monitored and overseen - SSA’s standard practice,” Bisignano wrote. Although he had until now avoided talking to the media, Borges told Post reporters that he had decided to go public to draw attention to his concerns about the safety of Americans’ data and his hope that the agency will share documentation to prove that the data wasn’t put at risk. At his Maryland home - decorated with photos of his family, his prolific board games collection and Navy paraphernalia - the self-described “data geek” said his fears while working at Social Security had kept him up at night. Borges is not the only Social Security official to raise concerns about the safety of data under the U.S. DOGE Service, which was launched by billionaire Elon Musk to cut costs across the government. Former acting Social Security commissioner Leland Dudek - who was elevated to that role by the Trump administration after showing loyalty to DOGE - said in an interview that Borges’s worries, as documented in his whistleblower report, are both “appropriate” and “accurate.” Dudek, who said he is on paid administrative leave pending a full separation from Social Security, said the type of cloud server that DOGE used is not sufficiently protected for such personal information and has been a well-known problem for years. “That absolutely has been the problem with that environment since I’ve been with the agency, that it is too little secured,” Dudek said. Borges, he continued, is “absolutely right.” Dudek said he never gave DOGE permission to add Americans’ data to that server and that the transfer happened after he left. In his time at the helm, he said, he only agreed to let DOGE access a limited number of datasets, as the team first sought to eradicate fraud - which it found little of - and then to improve and tidy the agency’s death database. SSA spokesman Barton Mackey said the agency disputes Dudek’s claims and is “confident in the security of our systems.” DOGE officials were granted access to sensitive Social Security data - including databases with all Social Security numbers, comprehensive medical records and bank information - almost as soon as they arrived at the agency over the objections of senior leaders, The Post has previously reported. The wide-ranging access alarmed employees who believed DOGE team members were not obeying the typical protocols and security checks that safeguard the agency’s data, three current and former staffers said, speaking on the condition of anonymity because they feared retaliation. In February, the acting SSA commissioner at the time, Michelle King, left her job after a disagreement over DOGE’s attempts to gain access to sensitive records. In his interview, Borges, 49, provided a deeper look into what it was like at Social Security as DOGE enacted sweeping changes, causing confusion within the agency amid concerns about customer service as it sought to slash staff and root out what it claimed was widespread fraud and wasteful spending. Borges - who started his new job at the agency hours before a government-wide hiring freeze - experienced the disorganization firsthand in the early months of the administration. The office where he worked, which handled analytics, review and oversight, was disbanded soon after he began the job and he was moved to a new office. No updated organization structure was shared with SSA’s staff, and Borges encountered colleagues frequently confused by who reported to whom. In that fog, DOGE was launching major efforts to move and manipulate data in ways that employees found highly questionable if not illegal. In the spring, for example, DOGE pushed Social Security to add 6,100 living immigrants to a deaths database, falsely labeling them deceased in a bid to make them self-deport. In a previously unreported episode, DOGE team members facilitated a quiet transfer of sensitive Social Security information for roughly 100,000 people to the Department of Homeland Security, Dudek said. The data included people’s addresses, birth and death dates, Social Security numbers, their benefits status and their bank information, Dudek said. DHS told him the information was needed for a law enforcement investigation related to immigration status, he said. Dudek said the transfer fell within the bounds of Social Security’s data-sharing agreements across government, which says the agency can “disclose information for law enforcement purposes,” specifically to help combat “serious crimes” or “criminal activity involving the social security program.” He said he felt compelled by the terms of this agreement to grant DHS’s request, which came in the form of a surprising Saturday night phone call from the chief information officer of Immigration and Customs Enforcement, Dudek said. “That was certainly unusual,” he said. “But they came directly to me and I had no choice but to comply.” Mackey said that “this authorized data exchange is covered under a customary interagency arrangement with significant involvement of career SSA officials.” Meanwhile, rumors and fears ran rampant inside the agency, staffers said. When people weren’t talking about worries of getting laid off, one employee said, they were discussing DOGE employees - asking what they might be doing with millions of Americans’ most private personal information. At the same time, the agency was exploring plans to lay off workers and others were getting reassigned to jobs they were unfamiliar with or choosing to voluntarily leave. In those especially taxing days, Borges said he saw co-workers breaking down in meetings or sitting at their desks. “I cannot count how many employees I saw cry, and that is at all levels of the agency, from executives downward,” Borges said. In the summer, Borges first heard from colleagues that DOGE had transferred sensitive data to a cloud environment. He began to ask questions but got little information in response. Internal records showed employees raising concerns about security risks before the transfer of the data, according to Borges’s disclosure and records previously obtained by The Post. Before they would proceed, an employee told CIO Michael Russo he needed to approve the move. Russo accepted the request. To better explain the risk DOGE ran with sensitive data for millions of Americans, Borges described the following: Imagine you stepped away from your personal laptop in a crowded cafe and gave someone the password, leaving without knowing if they might share your laptop with others. Wouldn’t you want to know who has been able to log in? Borges wasn’t sure how to warn others about what he had learned. He consulted with the Government Accountability Project, a legal group that has represented whistleblowers through eight administrations. During those weeks, Borges said he could barely sleep. When he wasn’t in the office or on the hours-long commute to the office, he often sat in his home office, wondering about the right choice. Borges, the son of an Air Force veteran, graduated from the Massachusetts Institute of Technology on an ROTC scholarship and was commissioned into the Navy. Borges said he was among the first aircraft to fly into Iraq at the start of the Iraq War. After his 22 years as a Naval officer, Borges retired and went into civil service, working briefly at Deloitte before serving as a Presidential Innovation Fellow in the Centers for Disease Control and Prevention during the coronavirus pandemic and in the Office of Management and Budget under the chief information office. Patches from his various military assignments hang behind his home desk. As the concerns over Social Security data grew, his family told him to do what was right and they would go from there. Days after filing his disclosure, Borges resigned, writing in a letter to Bisignano that “after reporting internally to management and externally to regulators serious data security and integrity concerns impacting our citizens’ most sensitive personal data, I have suffered exclusion, isolation, internal strife, and a culture of fear, creating a hostile work environment and making work conditions intolerable.” “I’m only a canary in a coal mine,” he said in The Post interview, adding that he told his young child he had to make a difficult decision. “I said that sometimes you make difficult choices, sometimes you have to do what’s right,” Borges said. “My child understands right and wrong, and sometimes even doing what’s right has consequences.”
