The Social Security data breach is a national-security disaster that could hurt Americans for the rest of their lives: whistleblower

Dow Jones, 01:42


By Jessica Hall

Every American's personal data is at risk of fraud after DOGE's alleged mismanagement, Social Security's former chief data officer tells MarketWatch

Whistleblower Chuck Borges said the mishandling of Social Security data threatens all Americans who have or who ever had a Social Security number.

Americans' personal data - including names, Social Security numbers and addresses - are at the center of a national-security disaster that Congress should investigate, says one Social Security whistleblower.

Chuck Borges says the government mismanaged the private data of anyone with a Social Security number. Borges, who was chief data officer at the Social Security Administration until he resigned in August, filed a whistleblower complaint that month that alleged the private data of every American who has or ever had a Social Security number was at risk after employees of the so-called Department of Government Efficiency, or DOGE, allegedly uploaded a copy of the SSA's database to a cloud environment that lacked oversight.

"Everyone thinks this is just another data breach. This is not just another data breach," Borges told MarketWatch. "If this data has been absconded or downloaded, you could perpetuate fraud against every single government system in existence much more easily than at any time in our history."


The information at risk includes the names of applicants, place and date of birth, sex, citizenship, race and ethnicity, parents' names and their Social Security numbers, phone numbers, addresses and other personal information.

"This is a huge counterintelligence and intelligence-gathering opportunity. And it's a generational problem because the data Social Security keeps can't be changed - the place of your birth, your mother's maiden name. This is immutable personal information that will be compromised for children for the rest of their lives," Borges said.

The extent of the alleged data breach is not known. The ramifications of the lost data could leave Americans susceptible to blackmail, coercion, social engineering or impersonation because the Social Security Administration has so much private and personal data, Borges said.

"The possibilities are only bounded by imagination," he said. "It's definitely a national-security risk if accessed by a foreign intelligence service. This is a strategic intelligence asset, not just stolen data."

Borges's whistleblower suit also alleged that DOGE employees inappropriately accessed personal data and violated a temporary restraining order that had limited such access in the early months of 2025.


The SSA initially said in September that an internal review found that its database containing the sensitive personal information of all Americans remained secure and was not hacked, leaked or compromised.

However, in a reversal, the Trump administration admitted in a Jan. 16 court filing that DOGE shared Social Security data on an unauthorized private service called Cloudflare (NET). The filing also detailed that DOGE employees tried to hand over sensitive personal records to an unnamed advocacy group seeking to "overturn election results" and sent confidential information on about 1,000 Americans to Elon Musk's workers.

"The agency and the administration has done a complete 180 from that investigation. So is it validating? Sure. Energizing? Definitely," Borges said.

The point that remains unclear is whether the SSA's data were uploaded and stored in the cloud, Borges noted.

"Congress really needs to step in here and say that if the first two allegations were true, let's figure out where the depth and breadth of that is and let's dig into the larger allegation regarding everyone's personal information," he said.

In the January filing, the government admitted it did not know the extent to which data were shared or whether they still existed on the Cloudflare server. "Because Cloudflare is a third-party entity, SSA has not been able to determine exactly what data were shared to Cloudflare or whether the data still exist on the server," according to the court filing.

The Social Security Administration did not immediately respond to a request for comment.

The agency has been through a year of upheaval that included announcing a plan to cut 7,000 jobs, or 12% of the agency's staff, plus regional office closures, leadership changes and changes to its phone customer-service system. It has also encouraged beneficiaries to use online services, even as some older adults and people with disabilities have access issues.

"That is absolutely the most alarming thing," Borges said. "By far the most worrisome part of that was where the agency admitted that we don't know what was shared, if it were shared or if it still exists out there on systems we don't have control over."

Borges, who said he sacrificed his career at the SSA when he became a whistleblower, said his next steps include running for Maryland State Senate in 2026 in a drive to continue to serve the public and help strengthen his local community.


Could Congress do more?

After the government's filing in January, two Democratic congressmen called for a criminal investigation into DOGE, which was charged with rooting out waste, fraud and abuse in the federal government. House Social Security Subcommittee ranking member John Larson, a Connecticut Democrat, and House Ways and Means Committee ranking member Richard Neal, a Massachusetts Democrat, said Republicans have blocked efforts to hold DOGE accountable for the alleged data mismanagement.

Other Democratic legislators have created a "war room" to call attention to the changes at the Social Security Administration and to highlight the data breach as mismanagement.

"How much danger our data is in is literally the question Congress should be asking," Borges told MarketWatch. "It could be in no danger ... or it could already be irretrievably lost."

"The answers are out there. The truth is out there. The documentation is out there to prove the data has been secure or that security settings were removed - and if that's the case, you have to assume the data is lost," he added.

Borges said there is more Congress could do.

"They are not even trying to dig at understanding the extent of this problem. I know that some congressmen are raising awareness ... but not enough is being done to understand the extent and breadth of this problem," he said.

Americans need to protect themselves

Borges advised all Americans to check on their financial accounts frequently and set up fraud alerts.

Individuals, whether they are retired or not, should also create accounts with the Social Security Administration so they can review their earnings history and what personal information the agency has, including addresses and direct-deposit information. Having access to an online "My Social Security" account also prevents scammers from creating one first.

Other resources include IdentityTheft.gov, the Federal Trade Commission's site dedicated to fraud, and credit reports from major credit agencies such as Experian (UK:EXPN) (EXPGY), TransUnion (TRU) and Equifax (EFX).

"Stay vigilant on the systems they use and collect documentation so that you are prepared if anything in those systems changes," Borges said. "With this kind of personal-information leak, once it's gone, it's gone. Maybe nothing bad will ever happen, but once it's been downloaded or emailed one time, you don't know what the ripple effects are and you have to assume the worst-case scenario."

-Jessica Hall

This content was created by MarketWatch, which is operated by Dow Jones & Co. MarketWatch is published independently from Dow Jones Newswires and The Wall Street Journal.

 

(END) Dow Jones Newswires

February 04, 2026 12:42 ET (17:42 GMT)

Copyright (c) 2026 Dow Jones & Company, Inc.
