The Social Security Administration's internal watchdog is investigating allegations that a former software engineer from the Department of Government Efficiency possessed two of the agency's most sensitive databases and attempted to transfer them to a private contractor, according to reporting from The Washington Post.
A whistleblower claims the former DOGE engineer said he possessed the "Numident" and "Master Death File" databases and asked for help transferring them from a thumb drive "to his personal computer so that he could 'sanitize' the data before using it at [the company]," an unnamed government contractor where he is currently employed. Those databases include personal information about more than 500 million living and deceased Americans.
What distinguishes this allegation from previous concerns about DOGE's data handling is its directness. The whistleblower complaint was filed with the inspector general in January. When contacted by the Post at that time, both the SSA and the contractor denied knowledge of the complaint and said they found no evidence to support the claims. The fact that an investigation has now been launched suggests the inspector general's office viewed the allegations seriously enough to pursue them.
The former DOGE software engineer reportedly stole Americans' personal data from the Social Security Administration and stored it on a thumb drive, telling co-workers at his new job that he "possessed two tightly restricted databases of U.S. citizens' information" and was planning to use the information at his new company. The former DOGE employee worked at the Social Security Administration last year.
These allegations arrive amid a broader pattern of concern about DOGE's access to sensitive government systems. In August, a different whistleblower complaint alleged that DOGE members had gained access to and mishandled SSA data, with Charles Borges, the agency's former chief data officer, claiming that a database was stored in an unsecured cloud environment.
When asked about the latest allegations, Borges told The Post: "This is absolutely the worst-case scenario. There could be one or a million copies of it, and we will never know now." His comment captures a central tension in the investigation: the difficulty in verifying what data may have been copied, by whom, and where it currently resides.
The scope of the databases in question deserves emphasis. The "Numident" and "Master Death File" databases could include records for more than 500 million living and dead Americans, including Social Security numbers, places and dates of birth, citizenship, race and ethnicity, and parents' names. For identity theft purposes, such a dataset would be extraordinarily valuable. The Numident is the master system the SSA maintains for every individual who has applied for a Social Security number since 1936.
Another whistleblower within the agency last year said that DOGE members put Americans at risk by uploading hundreds of millions of Social Security records to a vulnerable cloud server. Also last year, a judge blocked DOGE from accessing SSA systems, accusing the Musk-led agency of being "essentially engaged in a fishing expedition" in search of fraud.
The investigative burden facing the inspector general is substantial. Without knowing how the databases were accessed, copied, or secured, the watchdog must determine whether the allegations have merit. The employee in question has denied wrongdoing through counsel, yet the very fact that a whistleblower felt compelled to report the matter suggests genuine concern about data security practices.
For ordinary Americans, the implications are stark. If such databases were indeed copied and transferred outside government systems, the potential for misuse multiplies. The data points contained in these files provide what amounts to a master key for identity theft: verified identities, family connections, and the administrative trail that makes fraud possible at scale.
Congress and the Government Accountability Office have both been notified of the investigation. The question now is whether the inspector general's probe can establish what actually occurred, and whether institutional mechanisms exist to hold accountable anyone found to have violated the public trust.