Last week, while many of us were enjoying the last days of summer, a whistleblower disclosed shocking details indicating staffers with the so-called Department of Government Efficiency have been messing with Americans’ most sensitive data. According to the whistleblower, DOGE staffers uploaded the entire catalogue of Social Security numbers — as well as individuals’ full names, birth dates and addresses — to an unauthorized online storage system that bypassed the agency’s standard security and oversight protocols.
This scandal may lack the pizzazz of the personality-driven dramas that dominate our current political moment. But its implications are difficult to overstate. The consequences of Social Security number theft are devastating. Bad actors can use these stolen numbers to run up debts in their victims’ names, worm their way into bank accounts, steal government benefits and unlock even more private data. Social Security numbers are such a coveted tool for fraudsters that, according to one study, their presence in a cache of stolen data increases the odds of an identity theft attempt from a baseline risk of roughly 2% all the way to 97%.
The upshot is that DOGE’s actions — uploading every single Social Security number to an unauthorized storage environment, subject to unknown risk from unknown cybercriminals — put all of us at risk of significant financial crimes. Whistleblower Charles Borges, the Social Security Administration’s now-former chief data officer, described the potential consequences as “catastrophic.” And he predicted it could lead to the federal government being forced to reissue a new number to every single American — a measure that would inflict enormous costs and hassle on American households. According to Borges’ complaint, “one of his superiors noted that possibility, underscoring the risk to the public.”
The SSA whistleblower’s concerns are more than just theoretical. After DOGE staffers received access to sensitive data stored by the National Labor Relations Board, for example, another federal whistleblower reported repeated attempts from an IP address in Russia to break in using DOGE login credentials. In 2014, foreign adversaries successfully stole data stored by the Office of Personnel Management, a heist one House Republican-led report laid at the feet of OPM’s failure to “implement basic cyber hygiene.”
Worse, DOGE’s cavalier behavior at the SSA is not a one-off. It is part of a broader, administration-wide push to collect and consolidate Americans’ private data. The federal government is trying to transfer Social Security information to U.S. Citizenship and Immigration Services, to allow ICE agents “direct access” to your Medicaid data, and to export taxpayer data in bulk to the Department of Homeland Security. It’s unclear what kinds of privacy and security protections are in place for any of these novel efforts.
Inevitably, some will brush off this scandal. They’ll dismiss those raising alarm bells as prim-lipped defenders of the broken, nonresponsive institutions that voters sent President Donald Trump back to Washington to fix. If this administration has a mandate to bring change, maybe that includes letting the DOGE whiz kids blast through standard data handling protocols so they can fix our federal bureaucracy.
That narrative is wrong. Jeopardizing every single American’s privacy is not a reasonable price to pay for the sake of moving fast and breaking things. That’s why, as lawyers with the American Civil Liberties Union, we’ve filed more than 40 freedom of information requests across the federal government to unearth how DOGE is handling sensitive data. And we sued the Social Security Administration earlier this year when it failed to disclose what DOGE has been up to.
This latest incident, however, does reinforce a valuable lesson: Our decades-old federal privacy laws have not kept pace with the many trends that have transformed our very online world into a playground for identity theft and privacy violations. Instead, we’re stuck with outdated protections that, among other shortcomings, assume there will always be an adult in the room, rest on nonbinding and easily revokable agency guidance, and fail to address the vast quantities of our online data that federal agents routinely purchase.
These antiquated laws don’t just underprotect individual privacy. They also hamper good-faith efforts to make the government work better. Laws passed in the 1970s or ’80s simply do not reflect modern-day understandings of how data drives governmental services — leaving agencies that want to leverage data to improve federal programs to largely figure out for themselves how to safely collect, store and share Americans’ sensitive information. The result is a maddening combination of vulnerability for individuals and sclerosis in government.
There is a better way. To begin, Americans should demand far more transparency around what DOGE and the federal government are doing with our private data, including this administration’s accelerated consolidation of data across agencies. But DOGE’s reckless handling of our Social Security numbers also should be a wake-up call: To truly protect Americans’ private data, we need different laws on the books.
We need laws that reflect the digital world as it exists today. Laws that let the federal government work efficiently and responsively, using the best information and tools that 2025 has to offer. And, most fundamentally, laws that take our privacy and security seriously through protections like meaningful limitations on how the government can consolidate various data sources; rigorous safeguards for cross-government data sharing; a full accounting of the way commercial data collection feeds governmental surveillance; and enforcement mechanisms with teeth.
So, DOGE mishandled your Social Security number. It mishandled everyone’s Social Security number. Let’s use this as a chance to finally drag data privacy laws into the 21st century.
This article was originally published on MSNBC.com
