A former software engineer at the Department of Government Efficiency allegedly retained access to two of the Social Security Administration’s most sensitive databases — including personal records on more than 500 million living and deceased Americans — and stored the data on a personal thumb drive. According to a whistleblower complaint, he planned to share it with his private employer.
If these allegations are accurate, this would be one of the largest government data breaches in American history. Not from a foreign hacker or a sophisticated ransomware group, but from someone the government invited inside.
What the Whistleblower Claims
The complaint, first reported by The Washington Post on March 10, 2026, alleges that a former DOGE employee accessed two critical SSA databases:
The NUMIDENT file — the master database containing Social Security numbers, birth dates, birthplaces, and parents’ names for nearly every person ever issued an SSN. This includes over 500 million records of both living and deceased Americans.
The Death Master File — records of deceased individuals, commonly used to verify death for benefits and fraud prevention.
According to the whistleblower, the former employee told colleagues at his new job that he “possessed” these databases and planned to use the information at his private company. He allegedly claimed to have retained “God-level” access to SSA systems even after leaving DOGE.
The SSA’s Office of Inspector General is now investigating. Congressional leaders from multiple committees were notified on March 6, 2026.
The SSA’s Response
The Social Security Administration has disputed the allegations. A spokesperson stated that “the allegations by a singular anonymous source have been strongly refuted by all named parties.”
But the inspector general’s decision to investigate — and to notify Congress — suggests the complaint is being taken seriously. And this is not the first time DOGE’s handling of SSA data has raised alarms.
A Pattern of Concern
In January 2026, the SSA disclosed that DOGE employees had “improperly shared sensitive data” in 2025. Two DOGE members were suspected of accessing and sharing Social Security numbers they weren’t authorized to see.
Representative Robert Garcia, ranking member of the House Oversight Committee, has expanded his investigation following the new allegations. “Not only has an ex-DOGE bro been accused of running around with the Social Security information of every American on a flash drive,” Garcia said, “he also may have the ability to edit and manipulate data at the Social Security Administration at will.”
Senator Ron Wyden called the allegations “one of the largest known data breaches in American history, perpetrated by Trump appointees for the explicit purpose of weaponizing Americans’ sensitive personal data for political gain.”
Why This Is Different
This isn’t a typical data breach. A ransomware gang didn’t break in. A foreign intelligence service didn’t exploit a vulnerability. According to the allegations, someone with legitimate access walked out the door with America’s most sensitive government database on a consumer storage device.
Charles Borges, former SSA Chief Data Officer, put it bluntly: “Once that data has ‘left the building’, you cannot close Pandora’s box again.”
The NUMIDENT database is not something that should ever exist on a thumb drive. Nor should anyone who can reach it be able to simply copy it. This is foundational identity data, the kind that enables everything from credit fraud to synthetic identity theft to targeted surveillance.
And if the allegation about retained “God-level” access is true, the problem extends beyond data theft. It suggests someone outside the government may still have the ability to read, modify, or delete Social Security records.
What You Can Do
If you have a Social Security number — which means virtually every American — there’s no way to opt out of this potential exposure. The data was collected before you were old enough to consent, and it lives in government systems you have no control over.
But you can limit the damage:
Freeze your credit at all three bureaus (Equifax, Experian, TransUnion). This prevents anyone from opening new accounts using your stolen identity data.
Set up an IRS Identity Protection PIN to prevent tax refund fraud. Visit the IRS website to request one.
Consider freezing your National Consumer Telecom & Utilities Exchange (NCTUE) report to prevent fraudulent utility accounts.
Monitor your Social Security statement at ssa.gov for any suspicious activity or unauthorized changes to your record.
File your taxes early before criminals can file a fraudulent return in your name.
The Limits of Centralization
This incident exposes a fundamental problem with centralized data systems: they create single points of catastrophic failure. When you concentrate 500 million people’s identity records in one place, you create an irresistible target. And when you give outside contractors access to that system with insufficient oversight, you’ve made the breach almost inevitable.
The government cannot un-collect this data. It cannot give you back control over information it gathered before you could walk. But this is precisely why privacy-conscious individuals and organizations are moving toward services that minimize data collection in the first place — and that store what they must collect under jurisdictions with strong legal protections.
Your Social Security number was assigned at birth without your consent, and apparently it’s now on someone’s thumb drive. The lesson isn’t that you should have been more careful. The lesson is that systems which collect and concentrate sensitive data at this scale are inherently dangerous — and the people running them are not always trustworthy.
We’ll update this article as the investigation develops.