[KingOfCoders]

Ex-employee alleges data copied to a flashdrive.

Agency: "Social Security initially denied Borges’s allegations and said the data referenced in his complaint is stored in a secure environment walled-off from the internet."

Ah walled of the internet, so no one can get there and copy the data to a flashdrive. Move on, move on!

You can't make that up.

[doomboiardee]

The only way someone could get that data is if they demanded physical access and fired anyone who stood in the way. An impossible task if you ask me!

[hotsauceror]

If I recall, that was exactly what happened early on in DOGE's tenure. Senior personnel were explicitly directed to grant admin access to DOGE personnel, and auditing/logging were disabled. This was widely reported at the time. I don't remember whether there were threats of termination, but it would not surprise me.

[FireBeyond]

The "fun" thing was when some agencies started then seeing access attempts from Russian IPs sometimes as soon as 15 minutes after this happened, using credentials that were valid and created by/for DOGE people...

[abustamam]

Honest question. Why isn't stuff like this a bigger deal? Why isn't anyone being held accountable for what is undeniably a national security incident?

I can understand why the administration would try to bury it. But I wouldn't have heard of most of the shitty stuff Doge employees have done were it not for HN. Why isn't this getting more media coverage?

[FireBeyond]

Right? And many of the DOGE people who were outed were shown/known/had convictions for being involved in cybercrime gangs and such. I get it, in a controlled manner, for some cybersecurity jobs, but even at face value, that was nothing about what was DOGE was doing.

[Cipater]

Because the US populace and US media only holds Democrats to account.

Republicans can do whatever they want.

[lelandbatey]

Yes, that's the joke

[hotsauceror]

Sorry. I started switching off of coffee this week...

[hodgesrm]

> You can't make that up.

Unfortunately it seems quite believable. This is the same outfit that fired a bunch of people responsible for overseeing the US Nuclear Arsenal. [0] The combination of arrogance and stupidity was breathtaking.

[0] https://thebulletin.org/2025/04/doges-staff-firing-fiasco-at...

[tantalor]

> secure environment

> copied to a flashdrive

Both of these cannot be true. A secure environment does not allow trivial data exfiltration over USB.

[HillRat]

Contemporaneous reporting was that DOGE people demanded root-level access across multiple systems (disallowed by federal policy, so political appointees had to demand the access) and without background checks or onboarding, after which they extracted protected data and shoved it in some S3 buckets. Just blew a hole right through the entire federal data protection model; you can't plan for "the President orders everyone to ignore all privacy and security controls" as a threat model.

[Uvix]

True, but you can at least correctly label it and no longer refer to it as a "secure environment".

[tw04]

It was absolutely a secure environment prior to DOGE laying waste to all the layers of security in place. Presumably those safeguards are now back in place post-DOGE razing.

[0cf8612b2e1e]

Not unless they rebuild all of the infrastructure from scratch. Far too believable that something nefarious was left behind.

[input_sh]

After you know someone already had root access to everything?

There's absolutely no way to guarantee that ever again.

[doctorpangloss]

Was it though? Haha

You sound like the guys I know who work at banks, talking about all this policy, how secure they are.

[tantalor]

Indeed. The story should be that DOGE compromised these environments (at the direction of President), which allowed data to be exfiltrated by randos.

[nxobject]

That would be an admission of culpability, sadly.

[vntok]

Maybe it wasn't trivial?

[wat10000]

While it's hard to overestimate the clownishness of this administration, I'd want to see the original wording of this denial before concluding that they said something that stupid, versus the author of this article paraphrasing it in a stupid manner. I'm not sure if this is what they're referring to, but the only response from the SSA that I found with a brief search doesn't say anything so foolish: https://dailycaller.com/2025/09/02/social-security-administr...

[tw-20260303-001]

Nothing nerve wrecking like that but come on. They claim "the information could not have been stolen because the security practices" but "evidence has been published online, is now available to anyone and therefore it is dangerous" is a clown situation. It doesn't matter how it happened, it happened. Them trying to dispute the method is a clown camp.

[wat10000]

The agency's statement says that PII is secure but that the complaint included internal emails and documents with info about the agency's systems and employees. That's not contradictory.

I suspect the whistleblower is correct, but I don't think it's proven to the point where we can confidently state that "it happened." SSA isn't trying to dispute the method, they're trying to dispute the fundamental claim.

[tw-20260303-001]

It might be worth waiting for the outcome of the investigation before trying to dispute anything in public statements.

[actionfromafar]

Kristi Noem doesn't operate like that either. It's a pattern.

[mrmanner]

I mean technically a flash drive could be "a secure environment walled-off from the internet"

[NegativeLatency]

An intranet could be a secure environment walled off from the internet

[mcmcmc]

Hard disagree. How can it be “walled off” from the internet if it’s not connected? Despite the jokes, cutting access on its own is not the same as air gapping or a firewall. As soon as it’s plugged in there are zero controls.

[croes]

Technically they could claim it’s a backup

[vntok]

An unplanned, decentralized, public backup?

[manwe150]

And it is not connected to the internet, the internet is connected to it (I’m not in here with you, you’re in here with me)