Social Security admin denies DB data leak, DOGEs questions about a copy


The Social Security Administration (SSA) has disputed a whistleblower's allegations that claimed DOGE made an unauthorized, unsecured copy of a critical database - but it's what the denial doesn't say that speaks volumes. 

For those who haven't been following the saga of ex-SSA Chief Data Officer and career government IT professional Charles Borges, it's a pretty straightforward one. Borges filed a whistleblower complaint in August, accusing employees of the Trump-decreed, formerly Musk-helmed cost-cutting unit - which is not an official government agency formed by Congressional authority - of making an unauthorized copy of Numident, the SSA database that contains records of every single person who has ever applied for a Social Security Number.

According to Borges, the DOGE copy (a live duplicate of the real Numident database) was created without adherence to SSA security policy and, even more shockingly, it was placed in a cloud environment outside of SSA's management. Borges said that the duplicate was administered by a pair of DOGE employees, not the SSA infrastructure administrators who are supposed to manage the Administration's digital services. 

That seems par for the course for DOGE, which has so far shown a willingness to run roughshod over established security protocols with little regard for congressional oversight or protection of critical data.

Republican Senator Mike Crapo, chairman of the Senate Finance Committee, expressed concerns over Borges' report and asked the SSA last week to explain itself - particularly in light of Borges' resignation over claims of retaliation. 

SSA denies everything ... technically

While it won't answer any of the questions we put to it about this whistleblower complaint aside from providing a canned response, the Social Security Administration still has enough initiative to add The Register to an email distribution list where it shared a link to SSA Commissioner Frank Bisignano's response to Crapo's questions. 

It's a total denial of Borges' claims, but with an interesting twist: Never once does the letter mention, acknowledge or account for the fact that the concern is over a copy of Numident, not the actual database itself. 

While Bisignano said that "neither the Numident database nor any of its data has been accessed, leaked, hacked, or shared in any unauthorized fashion," he makes no mention of a copy, duplicate, or replica of the database in his introduction or any of the responses to Crapo's questions. 

"As the letter states, based on the agency's thorough review, neither the Numident database nor any of its data has been accessed, leaked, hacked, or shared in any unauthorized fashion," an SSA spokesperson told The Register. Again, no mention of that copy.

SSA, Bisignano explained, adheres to the Federal Information Security Modernization Act, a law, not without its critics, that requires federal agencies to adopt certain security measures on their IT systems. The Agency also claimed all employees are vetted before being granted IT systems access, that permissions in its AWS environment follow standard processes, and that the vetting "did not diverge from standard agency processes." It did deny that Numident data was transferred "to a private cloud server within SSA's AWS cloud," as it doesn't have one of those, but Crapo's question was narrowly tailored enough that the Administration didn't need to state whether a duplicate was sent elsewhere.

Bisignano also questioned Borges' credibility in his response, stating that the acting SSA CISO "assessed the allegation that Numident data was stored in an unsecured cloud environment and determined it was unfounded." Again, no mention of a copy. 

According to Bisignano, the place Borges identified as the location of the duplicate Numident database "is actually a secured server in the agency's cloud infrastructure which historically has housed this data and is continuously monitored and overseen."

Yet again, Bisignano didn't address the fact that Borges was worried there was a duplicate copy of Numident that only DOGE had access to - he simply denied there was a security issue with Numident itself. The letter makes no mention of a duplicate, copy, facsimile, or any other thesaurus word one could think of, side-stepping the core concern raised in the whistleblower complaint. 

Lastly, Bisignano also called out Borges for not following the chain of command in reporting his concerns. 

"Prior to Mr. Borges originally raising his concerns to relevant executives in his component on August 6, 2025, he did not communicate with his peers in the security, data, and infrastructure groups who have oversight over these issues," Bisignano said. "Accordingly, they were not aware." 

It's possible that Bisignano's lack of any acknowledgement of a Numident copy was just an oversight, but this is the second time the SSA has ignored questions simply asking for clarification on the matter. 

Borges' legal representation at the Government Accountability Project confirmed to The Register that a response to both Crapo's and Bisignano's letters is forthcoming.

As we noted in our first story about Borges' complaint, the SSA is ultimately responsible for conducting its own investigation into the matter pending the outcome of the Office of Special Counsel's preliminary look into Borges' complaint, which isn't due until mid-October. With the SSA's reasoning already laid out in Bisignano's letter, this matter may ultimately go nowhere. ®
