Trump admin denies DOGE put Social Security data into insecure cloud system

The Trump administration yesterday issued a lengthier denial of a whistleblower’s allegation that DOGE officials at the Social Security Administration (SSA) copied the agency’s database to an insecure cloud system. The allegation centers on the Numerical Identification System (NUMIDENT) database containing Americans’ personally identifiable information.
The cloud location described by the whistleblower report “is actually a secured server in the agency’s cloud infrastructure which historically has housed this data and is continuously monitored and overseen—SSA’s standard practice,” said a letter sent yesterday to Senate Finance Committee Chairman Mike Crapo (R-Idaho).
The letter was sent by SSA Commissioner Frank Bisignano, a Trump appointee who was previously CEO of the financial technology company Fiserv. It came in response to Crapo’s request for information.
“I can confirm, based on the agency’s thorough review, that neither the Numident database nor any of its data has been accessed, leaked, hacked, or shared in any unauthorized fashion,” Bisignano wrote. “SSA continuously monitors its systems for any signs of unauthorized access or data compromise, and we have not detected any such incidents involving the Numident database.”
SSA defends security controls
As we reported last month, then-SSA Chief Data Officer Chuck Borges alleged that DOGE officials created “a live copy of the country’s Social Security information in a cloud environment that circumvents oversight.” The nonprofit Government Accountability Project, which represents Borges, told members of Congress and the US Office of Special Counsel that the “vulnerable cloud environment is effectively a live copy of the entire country’s Social Security information from the Numerical Identification System (NUMIDENT) database, that apparently lacks any security oversight from SSA or tracking to determine who is accessing or has accessed the copy of this data.”
Bisignano’s letter yesterday said the SSA has been storing personally identifiable information in Amazon Web Services (AWS) for nearly 10 years. “SSA never transferred the Numident database to a private cloud server within SSA’s AWS cloud. SSA does not have a private cloud within its secure AWS,” he wrote.
Bisignano wrote that “all employees are required to go through a vetting process prior to being granted access to SSA information systems” and “are granted the appropriate permissions to perform their work” based on their job functions. He said the agency’s “AWS cloud environment is audited yearly to ensure these controls are implemented and maintained.”
We contacted Borges’ attorneys at the Government Accountability Project today and will update this article if we get a response.
Borges resigned “involuntarily”
Borges’ whistleblower report alleged that SSA officials violated the Federal Information Security Modernization Act by “knowingly placing a High-Value Asset containing data on over 450 million people in an uncontrolled environment.” The Government Accountability Project said that if “bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for re-issuing every American a new Social Security Number at great cost.”
Borges resigned from the SSA a few days after going public with his allegations. In a letter to Bisignano, Borges said he was “involuntarily” leaving his position.
“This involuntary resignation is the result of SSA’s actions against me, which make my duties impossible to perform legally and ethically, have caused me serious attendant mental, physical, and emotional distress, and constitute a constructive discharge,” he wrote. “After reporting internally to management and externally to regulators serious data security and integrity concerns impacting our citizens’ most sensitive personal data, I have suffered exclusion, isolation, internal strife, and a culture of fear, creating a hostile work environment and making work conditions intolerable.”
Borges’ resignation letter alleged that “newly installed leadership in IT and executive offices created a culture of panic and dread, with minimal information sharing, frequent discussions on employee termination, and general organizational dysfunction. Executives and employees are afraid to share information or concerns on questionable activities for fear of retribution or termination, and repeated requests by me for visibility into these events have been rebuffed or ignored by agency leadership, with some employees directed not to reply to my queries.”
Bisignano probably isn’t done answering questions about the whistleblower allegations. Crapo’s letter to Bisignano said the senator’s initial round of questions is “an immediate first step, considering the seriousness of Mr. Borges’ allegations concerning SSA’s ability to safeguard data collected and maintained by the agency.”