
DOGE copied a Social Security mega-database to a private cloud, whistleblower says
If you wanted to design the perfect identity-theft jackpot, you would build a single file that stores names, SSNs, dates of birth, citizenship, parent names, and more. That file exists inside the Social Security Administration. It is called NUMIDENT.
A whistleblower says DOGE-affiliated officials created a cloud copy of it with weaker protections than normal, giving former DOGE staffers access inside SSA’s Amazon Web Services environment. The copy contains the Social Security numbers, birthdays, and names of over 300 million Americans.
SSA’s response & resigned Chief Data Officer’s statement
The request to copy the database came days after the Supreme Court lifted an injunction and allowed DOGE members to access SSA records while litigation proceeds.
SSA have said the referenced data is stored in a long-standing environment, walled off from the internet, and that it is not aware of any compromise. The commissioner welcomed the Supreme Court order and the administration framed the access as a modernization and anti-fraud effort.
However, the SSA’s Chief Data Officer, Charles Borges, resigned after he flagged the security vulnerabilities created by the decision.
The Washington Post reports that a copy of “the agency’s most critical database” was placed in SSA’s AWS environment. Prior to his resignation, Borges warned that hosting such a copy without the usual controls substantially threatened the safety of Americans’ information.
Charles Borges also told oversight bodies that the space NUMIDENT was copied into by DOGE lacked independent security, monitoring, and oversight. Internal cybersecurity reviewers labeled the decision very high risk and even discussed the possibility of mass SSN re-issuance if the cloud were breached.
The conflicting reports of how problematic this decision is range from “not at all” to “we might need to reissue millions of SSNs”. It’s worth noting here that DOGE, which pushed for this to happen, has previously been breached and accused of violating the Privacy Act.
How will DOGE’s copied social security database affect you?
The data copied is called NUMIDENT, the master file for Social Security identities. It contains:
- All SSNs
- Full names
- Date of birth
- Place of birth
- Citizenship status
- Parents’ names
While the SSA have said they are “not aware of any compromise”, their own cybersecurity officials have warned that unauthorized access to NUMIDENT would be catastrophic.
Even without an active breach, creating an additional, large target raises risk significantly. The whistleblower alleges the copy had fewer safeguards than SSA’s standard protocols.
If this data is exposed, attackers could open credit lines, file fraudulent tax refunds, and hijack benefits with near-perfect identity data. If a bad actor leveraged exposed ID images (such as those leaked by Tea recently) and social security data, the consequences would be life-changing. Victims could face long-tail harm that’s difficult to unwind; SSNs and biometrics don’t expire. The potential risks are:
- Identity fraud at scale: fraudulent loans, credit, BNPL, and utilities using stolen or synthetic identities and real SSNs.
- Fraudulent tax refund filings
- Employment misuse of your SSN: used by bad actors to pass E-Verify during hiring, impacting your wage or tax payments, or social benefits.
- Medical identity theft: contamination of your medical records and bills.
- SIM-swap & phone-number hijacking: used to drain your bank, crypto wallets, or access your email & other protected accounts.
- Password resets via secret questions (leveraging SSN data such as your mother’s name)
Children and the recently deceased are prime targets; their credit files could be abused for years before someone notices.
What should you do if your identity is stolen?
To be clear, there is no clear evidence the new database has been breached. Regardless, if you are concerned or find yourself needing to deal with fraud or identity theft, you should:
- Freeze credit everywhere (Equifax, Experian, TransUnion and Innovis) – blocks most credit-pulls.
- Freeze specialty bureaus used for bank accounts, phone, and utilities: ChexSystems and NCTUE.
- Get an IRS IP PIN before the next filing season.
- Ask SSA to block electronic access to your “my Social Security” record
- Turn on DHS myE-Verify Self Lock to stop employment-eligibility misuse
- Enable number lock / account takeover protection with your phone carrier.
- For minors or deceased relatives: Notify bureaus and the IRS and monitor for ghosting
- If you spot misuse: File an FTC case at IdentityTheft.gov for a recovery plan and creditor-recognized documentation.
At its core, this incident is a reminder that sensitive data about you that others hold creates risk – when it’s copied, shared, or sold, the risk is amplified. Even by government agencies.
But your digital footprint doesn’t end there; it also includes everything you post, comment, and message on the internet. While SSN data is particularly sensitive, your social media footprint also carries information that a bad actor can use to threaten your identity, scam you or your family, extort, or otherwise target you and your network with crimes. Social media posts with personal information (photos of your house, posts about your work, or even public content about family and pets) are vulnerabilities – and you should delete them if you can.
Most people have been using multiple social media platforms for many years; reviewing every single platform and post will usually take days or weeks if you do it manually. With our app, Redact, you can automate the whole process. We help you scan and bulk delete content from all major social and productivity platforms – you can try it free for deletions on Discord, Twitter, Facebook, and Reddit.