Whistleblower Says 450M Social Security Records Exposed
A Social Security Administration chief data officer filed a whistleblower complaint saying DOGE uploaded a live copy of the Numerical Identification System—450M+ records—to an Amazon-hosted cloud with inadequate controls. The complaint alleges violations of agency security rules and federal privacy law, warns of catastrophic risk if data were compromised, and calls for immediate congressional oversight.
Whistleblower Alleges Massive Social Security Data Risk
A newly released whistleblower complaint from Charles Borges, the Social Security Administration’s chief data officer, alleges that a Trump administration team known as the Department of Government Efficiency (DOGE) placed a live copy of the Numerical Identification System in an agency-run Amazon-hosted cloud with insufficient security controls. The database reportedly holds more than 450 million records and contains highly sensitive personally identifiable information submitted with Social Security applications.
Borges says he raised concerns internally after top officials approved the move in June, but that the cloud environment “circumvents oversight” and lacked independent controls to log who accessed the data and how it was used. The complaint warns that a compromise could expose health diagnoses, income, banking information, family relationships, and other biographic data for nearly every American.
Officials named in the complaint as approving the move include Aram Moghaddassi, the agency’s chief information officer, who is quoted as saying the "business need is higher than the security risk," and Michael Russo, a senior DOGE operative who previously served as the agency’s CIO. Borges escalated the issue to Congress, urging immediate oversight.
The complaint traces part of the timeline to a March restraining order that initially blocked DOGE from accessing the SSA database; that order was lifted by the Supreme Court on June 6, which the complaint says allowed DOGE to proceed in seeking internal approvals to move live data to the cloud.
The Social Security Administration responded that data is "stored in secure environments" and that career SSA officials retain administrative access with oversight from the agency’s Information Security team. The agency said it is not aware of any compromise.
Why this matters: moving a live dataset of this scale into a cloud environment without independent logging, strict role-based access controls, and proven separation from public-facing services creates a single point of failure. If misconfigured, cloud storage can turn sensitive government records into a public leak, as seen in prior incidents where misconfiguration exposed military emails and other federal data.
Immediate risks highlighted in the complaint include:
- Mass exposure of Social Security numbers and linked PII
- Violation of internal security controls and federal privacy laws
- Potential necessity to reissue Social Security numbers in a worst-case scenario
What this should prompt: immediate independent review, enhanced cloud configuration audits, and strict access gating with tamper-evident logs. Agencies should treat live copies of national identifiers as crown-jewel assets and apply the highest levels of separation and monitoring.
For organizations and government bodies, the episode is a reminder that cloud agility must be matched by mature governance. Moving fast on high-value data without independent verification of security controls creates outsized national risk. Who watches the watchers when teams are given broad administrative rights?
QuarkyByte’s approach in situations like this is to rapidly map trust boundaries, validate cloud tenancy configurations, and verify that logging and least-privilege controls are enforceable and independent. For any agency or enterprise that stores sensitive identifiers at scale, an early independent assessment can prevent a single misstep from becoming a national incident.
The complaint will likely renew calls for Congress to exercise oversight over cloud governance in federal agencies. Until the facts are independently verified, the allegations serve as a cautionary tale: cloud platforms are powerful, but high-stakes datasets demand visibility, separation, and accountability.