Brittany Borges spent years inside the Social Security Administration helping protect the personal records of hundreds of millions of Americans. When she resigned in May 2026, she did not leave quietly. In a whistleblower complaint filed with the U.S. Office of Special Counsel, Borges alleged that staff linked to the Department of Government Efficiency had copied SSA’s core database, containing the records of more than 300 million people, into a cloud environment with little or no security oversight.
If confirmed, the episode would represent the largest known exposure of sensitive federal records in American history, surpassing every previous government data breach by an order of magnitude.
The full complaint has not been made public. But its central claims have been reported by The Washington Post and The Associated Press, both of which obtained details from Borges’s resignation letter and people familiar with the filing.
What the whistleblower alleges
According to those reports, DOGE personnel copied SSA’s master database into a cloud environment running on the agency’s own Amazon Web Services infrastructure. That database holds full names, dates of birth, Social Security numbers, earnings histories, benefit amounts, disability determinations, and, in many cases, the bank account details used for direct deposit.
Borges alleged that the cloud account operated outside the standard federal security protocols required for personally identifiable information. She described controls that were either bypassed or never established, meaning the copied records may have sat in an environment that failed to meet the requirements of the Federal Information Security Modernization Act (FISMA), the law governing how agencies protect sensitive data. Separately, the Privacy Act of 1974 imposes its own restrictions on how federal agencies collect, maintain, and share personal records, and violations can carry civil penalties.
The scale of the alleged exposure has no precedent. The 2015 breach of the Office of Personnel Management, long considered the worst cyber incident in federal history, compromised roughly 22 million records. The 2017 Equifax breach affected about 147 million consumers. If Borges’s account is accurate, this single duplication dwarfs both combined.
What DOGE is and why it had access
The Department of Government Efficiency was created by executive order on January 20, 2025, and tasked with cutting waste, fraud, and redundant spending across the federal government. Led by Elon Musk and staffed in part by engineers and analysts recruited from the private sector, DOGE quickly sought access to databases at the Treasury Department, the Office of Personnel Management, and SSA, arguing that bulk data analysis was essential to identifying inefficiencies.
That access drew immediate legal challenges. Federal judges in multiple cases, including lawsuits brought by labor unions and privacy advocates, questioned whether DOGE staff held the clearances and authorizations required to view protected records. At SSA specifically, the agency was already under strain from workforce reductions and field office closures, leaving fewer career employees in a position to push back on data requests from a White House-backed initiative.
Borges’s complaint suggests that internal resistance did exist but was ultimately overridden. Colleagues reportedly debated whether DOGE’s project fell under existing data-sharing authorities or required new approvals. No public evidence indicates those discussions produced a directive to halt or remediate the cloud copy before Borges resigned.
What remains unconfirmed
Several critical facts are still locked behind agency walls. No SSA or AWS access logs documenting the exact copy operation, its date, or which individuals initiated it have surfaced publicly. The full text of Borges’s resignation letter and her Office of Special Counsel filing have not been released, so the precise technical claims she presented are known only through secondhand descriptions.
Neither DOGE nor SSA leadership has issued a public statement confirming or denying the existence of the cloud account or the alleged duplication. That leaves open competing possibilities: the copy may have been authorized through channels Borges was not aware of, or the environment may have had security controls she did not have visibility into. Equally, the allegations may be exactly as described, with no one in authority willing to say so on the record.
The purpose of the alleged copy is also unresolved. DOGE staff may have sought to run bulk analytics to flag fraud, duplicate payments, or other inefficiencies, a goal consistent with the department’s stated mission. If so, the central question becomes whether the environment met FISMA requirements and whether proper authorization and privacy impact assessments were completed before the transfer. No documentation of any such review has been made public.
Borges’s disclosure focuses on the absence of mandated controls rather than on evidence that outside actors accessed the data. But without a forensic audit or a transparent accounting of who held credentials to the AWS environment, the risk of exposure remains unquantified.
What it means for ordinary Americans
If the allegations hold, virtually every American who has ever held a job or received Social Security benefits could have had their most sensitive personal information placed into an environment without the protections the law requires. That includes data sufficient for identity theft, tax fraud, and financial impersonation on a massive scale.
As of June 2026, no federal agency has announced a breach notification, offered credit monitoring, or issued public guidance about steps to take in response. That gap between the severity of the allegation and the absence of any protective response is difficult to explain and impossible to ignore.
Cybersecurity experts and consumer advocates have urged anyone concerned to take several steps now rather than wait for a federal response:
- Place a free credit freeze with all three major bureaus (Equifax, Experian, and TransUnion). A freeze prevents new accounts from being opened in your name and costs nothing.
- Monitor your my Social Security account for unauthorized changes to contact information, direct deposit details, or benefit elections.
- Review your annual earnings statement for wages or employers you do not recognize, which can indicate someone is using your Social Security number for employment fraud.
- Request an IRS Identity Protection PIN through the IRS IP PIN tool, which prevents someone from filing a fraudulent tax return using your Social Security number.
Where federal investigators and Congress go next
Filing with the Office of Special Counsel is a formal legal act that triggers protections against retaliation and can lead to referrals for investigation by inspectors general or congressional committees. The office has not publicly disclosed the status of Borges’s complaint. While the filing process is designed to deter baseless claims, and knowingly false statements can carry penalties, the existence of a complaint is not proof that every allegation within it is accurate.
On Capitol Hill, multiple Democratic senators, including Ron Wyden of Oregon and Chris Murphy of Connecticut, have called for hearings and demanded that SSA’s inspector general open a formal probe. Some Republican lawmakers have expressed concern as well, though party leadership has largely deferred to the administration’s position that DOGE’s work is authorized and necessary.
The strongest evidence available to the public right now is procedural: a career civil servant filed a specific, detailed complaint through an official channel and then walked away from her job. What the public does not have is the primary technical evidence, the server logs, access records, configuration files, and internal audit reports, that would confirm or refute the claim. Until investigators or congressional overseers obtain and release those findings, the picture remains stark but incomplete: a claimed mass duplication of Social Security data into the cloud, potentially outside every guardrail meant to protect the privacy of nearly every working American, and a government that has yet to say a word about it.
