The Social Security Administration holds the most comprehensive database of American personal information in existence. Your name. Your Social Security number. Your date of birth. Your address. Your parents’ names. Your citizenship status. Every American who has ever applied for a Social Security card is in there — which means essentially every living American.

According to a federal whistleblower, all of it was copied to an unauthorized server. Without required security protocols. Without SSA oversight. Without tracking of who was accessing it.

The whistleblower is Chuck Borges. The alleged perpetrators are DOGE staffers embedded at the Social Security Administration. And the implications — if the allegations hold up — represent the largest unauthorized exposure of government personal data in American history.

What the Whistleblower Alleges

Borges, a former SSA official, filed a whistleblower complaint alleging that DOGE staffers repeatedly violated internal SSA policies and federal law in their quest to build a consolidated database of every American.

The core allegation: DOGE employees copied a dataset of more than 300 million Americans’ sensitive information into a virtual database — hosted on an unauthorized Cloudflare server — without following required security protocols.

The database copy, according to Borges, contains:

  • Full legal names
  • Social Security numbers
  • Dates of birth
  • Home addresses
  • Citizenship status
  • Parents’ names
  • Other personal information

According to the complaint, the copied database “apparently lacks any security oversight from SSA or tracking to determine who is accessing or has accessed the copy of this data.”

In plain English: nobody knows who’s been looking at it.

The Thumb Drive Allegation

The unauthorized server wasn’t the end of it. In March 2026, new allegations emerged from a separate whistleblower — this one a former DOGE software engineer at SSA.

According to reporting by The Washington Post and confirmed by TechCrunch, this engineer claimed to have retained copies of sensitive databases on a personal thumb drive. The engineer also claimed to have maintained what they described as “God-level” access to SSA systems — meaning unrestricted access to essentially everything the agency holds.

Congressional Democrats announced an expanded probe following these allegations. The House Oversight Committee’s ranking member Robert Garcia called the situation “an explosive new development” and said it represented a fundamental breach of the Privacy Act of 1974.

The Social Security Administration’s Office of Inspector General subsequently opened a formal investigation.

Twelve Lawsuits and a Privacy Act

At least 12 federal lawsuits have been filed alleging that DOGE’s data collection activities violated the Privacy Act of 1974 — the federal law governing how government agencies can collect, store, and share Americans’ personal information.

The Privacy Act places strict limits on which agencies can access which records, for what purposes, and under what conditions. It generally requires that data collected for one purpose cannot be repurposed without explicit legal authorization.

DOGE’s alleged approach — embedding young software engineers in agencies to harvest data across departmental silos, combine it into centralized databases, and share it with outside entities — potentially violates the Act on multiple grounds.

The lawsuits allege violations across at least a dozen federal agencies, including:

  • Treasury Department — payment systems containing SSNs, tax returns, home addresses, birth dates
  • Office of Personnel Management — background check files, medical records, bank account information, biometric data of federal employees
  • Social Security Administration — the 300M-record database
  • Department of Education
  • Department of Labor
  • Department of Health and Human Services

The DOJ Acknowledgment

Perhaps most damaging: the Department of Justice itself acknowledged misconduct.

According to reporting by federal employee union AFSCME, the DOJ confirmed that:

  • Individuals’ personal data was disclosed to third parties using a non-government server
  • A DOGE team member at SSA entered into a “Voter Data Agreement” after being asked by someone outside the government to analyze state voter rolls

That second point is particularly alarming. Federal employee records and Social Security data were allegedly being cross-referenced against voter rolls at the request of an unspecified external party.

The Fourth Circuit Ruling

In April 2026, the Fourth Circuit Court of Appeals vacated a lower court’s preliminary injunction that had attempted to block SSA data access, ruling that the plaintiffs hadn’t demonstrated irreparable harm was likely enough to justify the injunction.

The ruling was not a finding that DOGE’s actions were legal — only that the courts wouldn’t halt them on a preliminary basis. The underlying Privacy Act lawsuits continue.

What This Means for You

If you have a Social Security number — which is to say, if you’re American — your data may be in that unauthorized Cloudflare copy.

Unlike a corporate data breach, this isn’t a case of a criminal hacker stealing your information to sell on the dark web. This is the government potentially circulating your most sensitive identifying information through non-governmental channels, to unknown parties, with no tracking of access.

The practical risks:

Identity theft at scale — SSNs, dates of birth, and addresses are the trifecta needed to open fraudulent credit accounts, file false tax returns, or take over existing financial accounts. With 300 million records in one place, this becomes a target unlike any other.

Political profiling — If voter roll data was cross-referenced, the government may be building profiles of Americans that combine their federal benefit history with their voting behavior.

Unknown third-party access — Because there is allegedly no access logging on the unauthorized server copy, there is no way to determine whether the data has already been exfiltrated by external parties.

What You Can Do

You cannot opt out of having a Social Security record. But you can take steps to protect yourself from the downstream consequences of this kind of exposure:

  1. Freeze your credit at all three bureaus (Equifax, Experian, TransUnion) and at ChexSystems. It’s free, and it prevents new accounts from being opened in your name without your explicit action.

  2. Place a fraud alert — this requires creditors to take extra steps to verify your identity before extending credit.

  3. Monitor your Social Security statement at ssa.gov for any earnings reported under your SSN that you didn’t earn — a sign someone is using your number for employment fraud.

  4. File your taxes early — before a fraudster can file a false return claiming your refund.

  5. Watch for IRS notices about duplicate returns or income you didn’t report.

The SSA whistleblower complaint, the 12 lawsuits, and the DOJ’s own acknowledgment of misconduct suggest that whatever happened here was not routine. Whether the full legal and political consequences ever materialize is uncertain. What isn’t uncertain is that your data is now somewhere it was never supposed to be.