From its inception, Elon Musk’s so-called Department of Government Efficiency (DOGE) operated as a rogue entity within the US government, slashing staff and funding, gaining access to government systems, and overriding agency decisionmaking—all without oversight from officials who have little understanding of its reach and methods.
A new report issued by the Senate Committee on Homeland Security and Governmental Affairs (HSGAC) on Thursday adds new insight on how this incursion happened, while raising grave concerns about the possibility of a catastrophic data breach that would affect all Americans and serious questions about who DOGE operatives answer to.
Oversight staff detail how DOGE gained control over federal agencies, focusing their probe on three of DOGE’s primary targets: the General Services Administration (GSA), the Office of Personnel Management (OPM), and the Social Security Administration (SSA).
“A clear pattern emerged across agencies—officials who questioned DOGE were pushed out, and DOGE-affiliated personnel were installed in key positions such as Chief Information Officer,” the report finds. “The DOGE associates were then able to grant approval to other DOGE employees to work with sensitive data without restrictions.”
Throughout the report, committee investigators describe DOGE representatives as working clandestinely within the agencies they were sent to serve and in spaces kept under armed guard, seemingly not beholden to government officials.
“At one point, GSA officials said they did not have the key to open a locked room that had windows covered with black paper, trash bags, and tape,” the report says, describing HSGAC staffers’ attempts to inspect the agency’s offices. “When staff asked why the most senior officials in offices charged with building management and security could not open an office door, GSA could not provide an answer.”
According to the report, investigators were forbidden from taking photos of where DOGE worked at GSA, which they noted appeared to be the group’s “primary technical hub.” It was also clearly a living space: GSA officials told Senate staffers they’d purchased furniture to outfit seven bedrooms for “intermittent sleeping;” there was even a “makeshift bedroom” next to the administrator’s suite, which one official was surprised to find. The GSA administrator’s dining room had unmade beds and a hot plate, while an office labeled “chief of staff” had a Ping Pong table and a nearby kitchen had “a dedicated fridge stocked with Celsius energy drinks and Muscle Milk.”
The administrator’s office was filled with 10 work stations, stacks of laptops (8 to 10 per person), and “multiple cellphones.” The GSA officials could not confirm that the devices were provided by GSA or who the DOGE reps working there reported to, simply calling them “GSA employees.” DOGE associates at the SSA were also allowed to telework, even as all other staffers were called back to the office. Many DOGE members were detailed to several agencies simultaneously, in a move that several experts have noted is unprecedented.
“Senior officials at SSA, GSA, and OPM all failed to provide information about who was in charge; what conduct DOGE teams were engaged in; and what data those teams had been given access to, including the authorities and restrictions guiding their access,” the report says. “None of the agencies could answer simple questions about organizational charts and employee roles.”
In response to a request for comment, an OPM spokesperson who did not give their name denied that OPM had any “‘DOGE’ employees” and said, “This is absurd. OPM was clear the acting director, chosen by President Trump, oversaw OPM’s activities. There were no DOGE teams.”
Who was—and is—in charge of all this is unclear to the investigators. Under the terms of the executive order establishing DOGE, that should be Amy Gleason, the administrator of the US DOGE Service. “However,” the report says, “whistleblowers told staff that Ms. Gleason is just a figurehead with no real power over DOGE staff at agencies and that most DOGE staff actually function outside of the US DOGE Service.” (Gleason did not immediately respond to a request for comment.)
DOGE affiliates in the SSA had access to personal data belonging to all Americans, the report claims, citing interviews with whistleblowers from the agency—including Social Security numbers, birthplace, date of birth, and work permit status, and placed the information in an unsecured cloud environment established by DOGE. Earlier this year, SSA chief data officer Chuck Borges filed a whistleblower complaint accusing the agency of mishandling data and creating an unsecure server to hold it. DOGE operatives could edit and delete data in this system and potentially share it with private entities or foreign actors, the report finds. It’s unclear if data was manipulated or shared outside of government.
The committee notes that it’s “very likely” that US adversarial nations, including Russia, China, and Iran are aware of the cloud system DOGE set up at SSA.
One whistleblower who spoke to committee investigators alleged that data from SSA’s NUMIDENT database showed up in Department of Homeland Security “in an unusual format, suggesting that the data was not shared via a normal interagency data sharing agreement.” In April, WIRED reported that DOGE had uploaded SSA data to a DHS data lake that could be used to track and surveil migrants.
Prior to establishing the cloud environment, SSA conducted a risk assessment that found the possibility of a data breach with “catastrophic adverse effect” was between 35 and 65 percent, the committee’s report says.
“In a worst-case scenario, one whistleblower noted the possibility that the agency may need to re-issue SSNs to all who possess one,” the report says.
“It is unclear why such a high-risk project is needed, or why DOGE personnel require the use of live data free from the supervision of agency officials,” the report says. “One whistleblower told staff that the purpose of the database might be to provide free SSN verification for other federal agencies, but circumventing basic safeguards suggests that project may have other purposes.”
In response to questions, an unnamed SSA spokesperson referred WIRED to a September 16 letter from Commissioner Frank Bisignano to Senator Michael Crapo, and says, “based on the agency’s thorough review, the Numident data and database–stored in a longstanding secure environment used by SSA–have not been accessed, leaked, hacked, or shared in any unauthorized fashion.” The spokesperson also asserted that “there are no DOGE employees at SSA, only SSA employees.”
“DOGE isn’t making government more efficient—it’s putting Americans’ sensitive information in the hands of completely unqualified and untrustworthy individuals,” said Gary Peters, a Democratic US senator from Michigan and ranking member of HSGAC, in a statement on Thursday. “They are bypassing cybersecurity protections, evading oversight, and putting Americans’ personal data at risk. We cannot allow this shadow operation to continue operating unchecked while millions of people face the threat of identity theft, economic disruption, and permanent harm. The Trump Administration and agency leadership must immediately put a stop to these reckless actions that risk causing unprecedented chaos in Americans’ daily lives.”
When visiting the GSA offices, committee investigators saw “cloud infrastructure and enterprise network infrastructure diagrams” drawn on a whiteboard, but GSA officials blocked their view “with their bodies,” the report says.
The report also claims that GSA officials “refused to show staff Starlink infrastructure,” telling them to schedule a follow-up visit and then denying the request to do so. The GSA installed terminals from Starlink, the satellite company Musk owns, about a month after inauguration. At the time, GSA staff warned that this posed a significant security risk and voiced concern that the terminals could allow DOGE to siphon data out of the agency. According to the report, GSA officials “could not even confirm that the Starlink terminal was configured with basic security settings recommended by Starlink itself,” making staffers “concerned that any data sent or received over the Starlink device at GSA and other locations could be an easy target for foreign adversaries.”
Starlink terminals have also been installed at the White House.
This was not the only apparent effort to circumvent government policies and protections around data. One former OPM employee alleged in an interview with investigators that “even before the inauguration, the incoming administration expressed a ‘strong interest’ in government-wide email servers and centralizing communications.” According to the employee, Greg Hogan, the incoming CIO, “had asked OPM staff whether they could deploy an AI system in an off-cloud environment, an environment that would allow for less agency oversight and fewer safeguards.” (The anonymous OPM spokesperson declined to comment on anything that happened before the inauguration. “The CIO asked many technical questions as part of his role,” they said in response to a question about Hogan. “All his work at OPM complied with the agency’s security and regulatory requirements.”)
At the SSA, investigators found that access to the areas DOGE worked out of were controlled by armed guards. It was a measure taken, according to Dan Callahan, assistant commissioner for building and facilities management, because the DOGE members were “concerned for their safety.” Upon further inquiry, investigators found that this concern stemmed from “communication with an SSA employee that ‘included cursing.’”
At the GSA, “armed guards controlled access to work and living spaces [and] rooms were locked,” the report says, while the investigators’ visit to OPM was carried out under armed guard. (“The ‘armed guards’ were the normal security teams that provide security for the OPM office,” said the anonymous OPM spokesperson, citing purported “misbehavior” by the investigators as they visited other agencies. “They accompanied the visit when entering secure areas with sensitive information.”)
As a result of the investigation, the report calls on the Trump administration to end all DOGE activities, revoke all access its representatives maintain over personally identifiable information, and require agencies to provide evidence that the access is compliant with existing privacy regulations. The investigators also demand that SSA shut down the cloud environment to which DOGE uploaded NUMIDENT data.
The White House, GSA, and SSA did not immediately respond to requests for comment from WIRED.
