The Social Security Administration's Office of Inspector General has opened an investigation into allegations that a former software engineer with access to sensitive federal systems may have improperly retained copies of major Social Security databases containing records tied to tens of millions of Americans.

The inquiry, initiated on March 6, 2026, follows a whistleblower complaint alleging that the engineer, who worked at the Social Security Administration (SSA) through the Department of Government Efficiency (DOGE), copied restricted federal datasets and removed at least one copy from the agency using a personal storage device.

The allegations, first reported by The Washington Post and later confirmed through documents obtained by NPR and The Associated Press, have prompted scrutiny from congressional oversight committees responsible for federal data security and government operations.

According to a letter from the acting inspector general sent to leaders of four congressional committees, the watchdog office is reviewing an anonymous complaint "on matters relating to the potential misuse of SSA data by a former DOGE employee, among other allegations."

The whistleblower claims the engineer may have accessed two of the federal government's most sensitive data systems.

Those systems include:

  • NUMIDENT (Numerical Identification System) - the SSA's master identity file containing personal information for nearly every Social Security number issued
  • Death Master File - a federal record tracking individuals reported as deceased

Together, the databases contain more than 500 million records of living and deceased Americans, according to reporting by The Washington Post.

The whistleblower complaint alleges that the engineer told colleagues at a private-sector employer that he possessed copies of both datasets and intended to strip identifying information before integrating the remaining data structure into company systems.

The complaint also claims the engineer described maintaining what he called "God-level" access to SSA systems, referring to the ability to query, modify or export data without normal restrictions.

The engineer's attorney denied the allegations, telling The Washington Post that no federal data had been removed and that the claims were unfounded.

The Social Security Administration also rejected the accusations in a public statement.

"The allegations by a singular anonymous source have been strongly refuted by all named parties - SSA, the former employee, and the company," the agency said, calling the report "fake news."

However, the current complaint echoes earlier warnings raised by SSA officials about data governance concerns inside the agency.

In August 2025, Charles Borges, then the SSA's chief data officer, filed a protected whistleblower disclosure alleging that officials associated with the Department of Government Efficiency had copied the NUMIDENT database into a privately managed cloud system lacking independent security controls.

According to Borges, internal cybersecurity staff had flagged the request as "very high risk."

An SSA risk assessment dated June 16, 2025, reportedly warned that "production data should not be used."

Despite the warning, the transfer was approved by Michael Russo, a DOGE-affiliated official serving briefly as SSA's acting chief information officer.

His authorization reportedly consisted of a single word: "Approved."

SSA Chief Information Officer Aram Moghaddassi later granted a provisional authorization for the system to operate, writing in a decision cited by NPR: "I have determined the business need is higher than the security risk associated with this implementation and I accept all risks associated with this implementation and operation."

Borges resigned from the agency three days after filing his whistleblower complaint in 2025.

In his resignation letter to SSA Commissioner Frank Bisignano, Borges wrote that he was "regretfully involuntarily leaving" and described the agency environment as "a culture of panic and dread, with minimal information sharing, frequent discussions on employee termination and general organisational dysfunction."

Speaking to NPR on March 11, 2026, Borges warned that the new allegations could represent a far more serious breach if proven true.

"This is exactly the scenario that kept me up at night," Borges said. "An irrecoverable loss of the entirety of our personal data. Once that data has left the building, you cannot close Pandora's box again."