Whistleblower claims ex-DOGE member says he took Social Security data to new job

Original Article ↗ Hacker News Discussion ↗

Motives and Psychology of Data Exfiltration

  • Several commenters say young or immature engineers might hoard sensitive data out of curiosity, ego, or desire to impress, not just for money.
  • Others reject this as an excuse, stressing that taking Social Security data is obviously criminal regardless of intent or age.
  • Some see it as useful self-reflection that might prompt others to delete old, improperly kept data; others worry it risks downplaying a serious crime.

Insider Risk vs. Hiring and System Design

  • Debate over whether the core failure is:
    • Poor hiring and vetting (e.g., “immature,” ideologically driven staff in highly sensitive roles), or
    • System design that allowed excessive, poorly audited access and trivial exfiltration.
  • Multiple comments claim DOGE dismantled or bypassed preexisting controls, demanded root/admin access, and disabled logging, making exfiltration easier.
  • Some argue you must assume bad or naive actors will get in and design systems (least privilege, approvals, audits) accordingly.

Nature and Severity of the Alleged Breach

  • Whistleblower alleges full SSA data copied to a flash drive and taken to a new employer.
  • Agency statements described the data as in a “secure, walled-off environment”; commenters mock this as incompatible with easy USB export.
  • Some note SSA publicly disputes that the core PII was exfiltrated; others believe it likely happened but emphasize it’s not yet conclusively proven.
  • Comparisons are made to past insider cases (e.g., NSA hoarding) and to large foreign hacks; disagreement over which is worse or more systemic.

Political Responsibility and Accountability

  • Many blame the administration that created DOGE, saying it:
    • Empowered poorly vetted personnel.
    • Overrode standard federal security and auditing practices.
    • Used DOGE as political theater or a vehicle for data access.
  • Others argue focusing on a lone actor is a weak line of attack or note double standards when comparing to prior administrations’ cybersecurity failures.
  • Strong sentiment that only serious criminal charges and refusal to rely on pardons will deter future abuses; skepticism that this will actually happen.

Potential Uses and Risks of Stolen SSA Data

  • Speculated uses include ad tech, banks, healthcare, data brokers, AI/LLM training, political targeting, voter suppression, and foreign intelligence.
  • Some think reputable firms would avoid obviously illicit PII due to existential legal risk; others argue immense incentives and legal firepower make misuse plausible.