Some of us were a bit (okay, a lot) worried when earlier this year Department of Government Efficiency (DOGE) representatives started poking around in government files.
Two of the agencies they examined, the Internal Revenue Service and Social Security Administration, contain personal details on millions of people.
Today, we learned that our concern about what was happening to our data was valid.
Blowing the whistle on DOGE data practices: Social Security Administration (SSA) Chief Data Officer Charles Borges says that DOGE personnel bypassed agency safeguards, circumvented a court order, and created a copy of the SSA’s entire collection of all the data on the cloud.
Borges alleges that DOGE did not involve him in discussions about the project, despite his position. He said he pieced the evidence together, and provided examples in his whistleblower report, after the information, known as the Numerical Identification System (NUMIDENT) database, had been copied to the cloud.
NUMIDENT includes records of all Social Security numbers ever issued, as well as individuals’ full names, addresses, and birth dates. Other information in the files includes health diagnoses, income, banking information, familial relationships, and personal biographic data.
Borges’ report contained more than two dozen pages of internal emails, memos, and other records to document his claims. He also contends that the DOGE actions “potentially violated multiple federal statutes” designed to protect government data.
The array of data makes it one of the most sensitive collections of personal information in the world. The critical personal info on more than 300 million people could be at risk.
No breach (yet): To be clear, Borges did not say that individuals’ Social Security information had been compromised.
However, the complaint supported by Borges’ account and submitted to House and Senate oversight lawmakers notes that the “vulnerable cloud environment” now holding the data “apparently lacks any security oversight from SSA or tracking to determine who is accessing or has accessed the copy of this data.”
“Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital healthcare and food benefits, and the government may be responsible for re-issuing every American a new Social Security Number at great cost,” added Dana L. Gold and Andrea Meza, attorneys at the Government Accountability Project (GAP), a whistleblower protection group that is representing Borges.
Borges report is the latest complaint against DOGE and the Trump administration’s efforts to gain unprecedented access to vast troves of personal data collected by the federal government to ostensibly eliminate waste, fraud, and abuse.
Protecting your data: If your personal data, whether stored by DOGE in the cloud or maintained by some other private group or government agency, is compromised, you’ll need to act. Fast.
Start by going to IdentityTheft.gov. I know, it seems counterintuitive to seek Uncle Sam’s help when one of his agencies could be the source of your identity theft issue, but the web page has lots of resources.
Here are some of the highlights.
Freeze your credit to make it harder for someone to use your information. A credit freeze keeps people from getting into your report. While a freeze is in place, nobody can open a new credit account.
- Experian.com/help or call 888-EXPERIAN (888-397-3742)
- TransUnion.com/credit-help or call 888-909-8872
- Equifax.com/personal/credit-report-services or call 800-685-1111
You can freeze your credit for free. You also can temporarily lift the freeze if you need to apply for new credit.
Even after you’ve frozen your credit, keep checking your credit reports periodically, just in case. This is a good first alert for anything you might not recognize. You can check your reports online every week for free at AnnualCreditReport.com.
You also can establish, again at no cost, a one-year fraud alert by contacting one of the three credit bureaus. A fraud alert makes it harder for someone to open a new credit account in your name because a business has to verify your identity before it opens the account.
Accept free credit monitoring if it’s offered. Credit monitoring services scan activity that shows up on your credit reports. Depending on the service, it will usually alert you when something happens on your credit reports, like a company checking your credit, a new loan or credit card, or a company reporting a late payment.
Change passwords to critical financial accounts. Make the new password a strong one, starting by making it long. If possible, also change your username. Also consider using two-factor authentication, which offers extra security by requiring two or more credentials to log into your account. FTC.gov/passwords has more advice on passwords and protecting accounts.
Where a bank account might be vulnerable, review transactions regularly to make sure no one is misusing your account. Check into setting up alerts from your financial institution so that it will contact you when transactions are suspect.
Be vigilant for possible scams. Crooks who get access to your personal information often will try to get you to help them steal your identity and money. This includes mail and text schemes. Never reply. Never open an attachment. If you are concerned there might be a legitimate issue with an account, contact the company directly using the information on your statements and bills.
Tax security, too: As for taxes, get an Identity Protection Personal Identification Number, or IP PIN. An IP PIN is a special six-digit number issued by the IRS, and is available to all who have a Social Security number (SSN) or an Individual Taxpayer Identification Number (ITIN).
Getting an IP PIN is a smart move because it lets the IRS verify that it is indeed you who has filed your tax return. Once you have the six-digit code, the agency won’t accept an electronically filed return in your name without it. If a paper return shows up without the IP PIN, it will get added IRS scrutiny.
An IP PIN, essentially locks your tax account so that it cannot be opened without the special identifying number.
Finally, create a taxpayer account at IRS.gov. Once you create your secure Individual Online Account, you can monitor all your tax activity. This includes —
- Finding out how much you owe,
- Looking at your payment history,
- Viewing, printing, or downloading your tax transcripts,
- Seeing your prior year adjusted gross income (AGI), and
- Obtaining information return documents to assist in filing your claims.
The possibility that our Social Security data could be compromised is worrying. But don’t let it, or the potential of other data breaches, overtake your life. Instead, be proactive in protecting your data. And if any breach ever occurs, and act immediately and accordingly to limit its impact on your life.
You also might find these items of interest:
- How to report tax scams and fraud
- IRS’ latest moves enable more digital taxpayer interactions
- Watch for these data theft red flags, by tax and other financial crooks
James A
Wouldn’t an Identity Protection Personal Identification Number, or IP PIN be compromised as well, because in order to validate it, IRS would have to locally store this code and later verify it, so anyone who copied the entire database would also obtain that code?