A US Senator is demanding answers after a Social Security Administration (SSA) employee who blew the whistle on Department of Government Efficiency (DOGE) dealings involuntarily resigned last month, citing workplace hostility in response to his concerns.
Republican Senator Mike Crapo (it's pronounced Cray-poe), chairman of the Senate Finance Committee, sent a letter to the SSA's commissioner, Frank Bisignano, giving him just two weeks to provide answers to concerns raised last month by now-former SSA Chief Data Officer Charles Borges. The former CDO's whistleblower complaint alleged DOGE had duplicated a critical database filled with taxpayer information, known as Numident, to a test cloud environment that wasn't managed by Borges or SSA, and which allegedly is without any oversight controls.
As Chairman of the Senate Committee on Finance, I must take very seriously every allegation made by a protected whistleblower ... I consider the protection and security of PII held by the agency to be a matter of first importance
Numident is used to store records of every person who has ever applied for a Social Security Card in the United States.
Crapo's questions are numerous, but one with a much shorter deadline stands out: He wants to know whether that duplicate database "was accessed, leaked, hacked, or disseminated in any unauthorized fashion," and he wants it "immediately upon receipt of this letter."
"As Chairman of the Senate Committee on Finance, I must take very seriously every allegation made by a protected whistleblower," Crapo added. "Further, given the large amount of sensitive data under SSA's control, I consider the protection and security of PII held by the agency to be a matter of first importance."
The SSA didn't directly answer questions about its response to Crapo, instead sending us an identical statement to the one it provided when we covered the original whistleblower complaint last month.
"We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data," an SSA spokesperson said, while maintaining that Numident data is stored "in secure environments that have robust safeguards in place to protect vital information." That doesn't explain the security of the alleged unauthorized copy of Numident. We pointed this out to the SSA, but haven't heard back.
Borges' complaint was primarily about the Numident copy, but he also raised concerns over his beliefs that DOGE had allegedly committed numerous "systemic data security violations" as well as violations of SSA protocols and federal data privacy laws in its time at the SSA.
In response to his concerns, Borges said in his resignation letter late last month that SSA's actions created a hostile work environment that made it impossible for him to fulfill his duties ethically or lawfully, caused significant distress, and effectively forced him from his role as chief data officer.
"After reporting internally to management and externally to regulators serious data security and integrity concerns impacting our citizens' most sensitive personal data, I have suffered exclusion, isolation, internal strife, and a culture of fear, creating a hostile work environment and making work conditions intolerable," Borges wrote in his letter to Bisignano. "SSA's actions against me [have made] my duties impossible to perform legally and ethically."
In addition to his demand for answers about the integrity of the alleged Numident duplicate, Crapo is also demanding to know how SSA dealt with Borges' internal complaints, details about its use of cloud storage and data security mechanisms, and asks about how it assessed the risk of giving agency employees the ability "to transfer data from the Numident database to a private cloud within SSA's AWS cloud environment."
Neither Crapo's office nor the Senate Finance Committee responded to questions for this story. ®