Social Security Administration: Report Says DOGE Employee Stole Social Security Data

Former SSA Engineer Allegedly Exfiltrated Sensitive Data on Thumb Drive

A whistleblower complaint, reported by The Washington Post, alleges that a former software engineer with the Department of Government Efficiency (DOGE) exfiltrated highly restricted Social Security Administration (SSA) databases onto a thumb drive. The SSA’s Office of Inspector General is investigating the incident, which raises concerns about insider threats, removable media controls, and the protection of sensitive federal data.

The engineer, who worked with DOGE while embedded at the SSA, reportedly claimed to have taken two critical datasets, the Numident and the Death Master File, and intended to use the information at a new employer. The Numident is the SSA’s master record of Social Security numbers, containing names, birth details, citizenship status, and parental information. The Death Master File contains records of deceased individuals and is tightly controlled because of identity theft risks. If verified, the stolen material could involve data linked to over 500 million living and deceased individuals, amplifying risks of identity theft, credit fraud, tax refund fraud, and synthetic identity schemes.

Insider threats remain a persistent challenge in cybersecurity, with privileged users often bypassing perimeter defenses. Removable media, such as thumb drives, further exacerbates the risk, as even robust endpoint detection can fail to prevent large-scale exfiltration without strict controls. Federal guidelines, including NIST SP 800-53, mandate least-privilege access, continuous monitoring, and restrictions on portable storage to mitigate such risks.

The SSA’s investigation will likely examine access logs, removable media registries, and anomalous data transfers tied to the engineer. If violations are confirmed, potential legal consequences could include charges under the Privacy Act, Computer Fraud and Abuse Act, and theft of government records. Standard containment measures, such as suspending credentials, forensic imaging of systems, and validating seized devices, are expected.

This incident follows broader controversies involving DOGE’s access to SSA systems, including previous allegations of improper data handling and unauthorized cloud uploads. A federal judge previously blocked DOGE from further SSA access, citing concerns over mission clarity and privileged access controls.

Investigators are focusing on three key questions: what data was accessed, what was removed, and who else may have received it. Agencies handling SSA data are under pressure to demonstrate stronger controls over removable media, just-in-time privilege elevation, and real-time data loss prevention (DLP) for sensitive datasets. For affected individuals, credit freezes, tax transcript monitoring, and vigilance for benefits-related anomalies remain critical precautions.

Source: https://www.findarticles.com/report-says-doge-employee-stole-social-security-data/

Social Security Organization, IRAN cybersecurity rating report: https://www.rankiteo.com/company/social-security-organization

"id": "SOC1773184594",
"linkid": "social-security-organization",
"type": "Breach",
"date": "3/2026",
"severity": "100",
"impact": "5",
"explanation": "Attack threatening the organization's existence"
{'affected_entities': [{'customers_affected': '500 million living and deceased '
                                              'individuals',
                        'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'Social Security Administration (SSA)',
                        'size': 'Large',
                        'type': 'Government Agency'},
                       {'industry': 'Public Sector',
                        'location': 'United States',
                        'name': 'Department of Government Efficiency (DOGE)',
                        'type': 'Government Contractor'}],
 'attack_vector': 'Removable Media (Thumb Drive)',
 'customer_advisories': 'Affected individuals should consider credit freezes, '
                        'tax transcript monitoring, and vigilance for '
                        'benefits-related anomalies.',
 'data_breach': {'data_exfiltration': 'Yes (via thumb drive)',
                 'number_of_records_exposed': '500 million (living and '
                                              'deceased individuals)',
                 'personally_identifiable_information': 'Yes',
                 'sensitivity_of_data': 'High (Personally Identifiable '
                                        'Information, sensitive federal data)',
                 'type_of_data_compromised': ['Social Security numbers',
                                              'Names',
                                              'Birth details',
                                              'Citizenship status',
                                              'Parental information',
                                              'Death records']},
 'description': 'A whistleblower complaint alleges that a former software '
                'engineer with the Department of Government Efficiency (DOGE) '
                'exfiltrated highly restricted Social Security Administration '
                '(SSA) databases onto a thumb drive. The SSA’s Office of '
                'Inspector General is investigating the incident, which raises '
                'concerns about insider threats, removable media controls, and '
                'the protection of sensitive federal data.',
 'impact': {'brand_reputation_impact': 'High (SSA and DOGE)',
            'data_compromised': 'Numident and Death Master File datasets',
            'identity_theft_risk': 'High (500 million living and deceased '
                                   'individuals at risk)',
            'legal_liabilities': 'Potential charges under Privacy Act, '
                                 'Computer Fraud and Abuse Act, and theft of '
                                 'government records',
            'operational_impact': 'Potential legal consequences, reputational '
                                  'damage to SSA and DOGE',
            'systems_affected': 'SSA databases'},
 'investigation_status': 'Ongoing (SSA Office of Inspector General)',
 'lessons_learned': 'Insider threats remain a persistent challenge; removable '
                    'media controls and real-time data loss prevention (DLP) '
                    'are critical for sensitive datasets. Agencies must '
                    'enforce least-privilege access, continuous monitoring, '
                    'and just-in-time privilege elevation.',
 'motivation': 'Intended use at a new employer',
 'post_incident_analysis': {'corrective_actions': ['Implementing stricter '
                                                   'removable media policies',
                                                   'Enhancing monitoring and '
                                                   'logging of data access',
                                                   'Reviewing and enforcing '
                                                   'least-privilege access '
                                                   'controls'],
                            'root_causes': ['Lack of strict removable media '
                                            'controls',
                                            'Insufficient monitoring of '
                                            'privileged users',
                                            'Potential non-compliance with '
                                            'NIST SP 800-53 guidelines']},
 'recommendations': ['Implement strict removable media controls',
                     'Enforce least-privilege access and just-in-time '
                     'privilege elevation',
                     'Deploy real-time data loss prevention (DLP) for '
                     'sensitive datasets',
                     'Enhance monitoring of privileged users and anomalous '
                     'data transfers',
                     'Conduct regular audits of access logs and removable '
                     'media registries',
                     'Educate employees on insider threat risks and data '
                     'handling policies'],
 'references': [{'source': 'The Washington Post'}],
 'regulatory_compliance': {'legal_actions': 'Potential charges under Privacy '
                                            'Act, Computer Fraud and Abuse '
                                            'Act, and theft of government '
                                            'records',
                           'regulations_violated': ['Privacy Act',
                                                    'Computer Fraud and Abuse '
                                                    'Act',
                                                    'NIST SP 800-53 (potential '
                                                    'non-compliance)']},
 'response': {'containment_measures': 'Suspending credentials, forensic '
                                      'imaging of systems, validating seized '
                                      'devices',
              'enhanced_monitoring': 'Access logs, removable media registries, '
                                     'anomalous data transfers'},
 'stakeholder_advisories': 'Agencies handling SSA data must demonstrate '
                           'stronger controls over removable media and '
                           'privileged access.',
 'threat_actor': 'Former SSA Engineer (Insider)',
 'title': 'Former SSA Engineer Allegedly Exfiltrated Sensitive Data on Thumb '
          'Drive',
 'type': 'Insider Threat, Data Exfiltration',
 'vulnerability_exploited': 'Lack of strict removable media controls, '
                            'insufficient monitoring of privileged users'}