DOGE’s Ransacking of the Social Security Administration Has Left Us All to Float in a Data Security Vacuum

This article is part of TPM Cafe, TPM’s home for opinion and news analysis.

What would you do if you found out a stranger accessed a federal database then walked away with your Social Security number? What if this person also walked away with your place and date of birth, citizenship status, race, ethnicity, the names of your parents — and all of their information too? You might ask how the stranger got access, why he stole your information and, ultimately, what pernicious plans he may have in store. Above all, you’d be outraged by the prospect of your data being passed around like trading cards.

Unfortunately, we’re past the hypothetical stage. Recent reporting from the Washington Post  detailed a whistleblower’s complaint that a DOGE staffer left the Social Security Administration (SSA) in possession of two highly restricted databases of U.S. citizen information. While the Post has not independently confirmed the accusations in the complaint, they’re being investigated by the SSA’s internal watchdog, and follow other claims of fishy activity by DOGE at SSA. If the claims are true, the sensitive information on 500 million living and dead Americans is at risk of exposure.

Even the federal government’s own analysts rang alarm bells following DOGE’s intrusion into federal agencies last year, warning about the safety of sensitive government data, especially as the unvetted and untrained individuals constituting billionaire Elon Musk’s personal tech army gained access to federal systems, exposing them to unsecure cloud servers and AI chatbots. What’s more frightening is that these new vulnerabilities are developing alongside widespread criminal adoption of AI and crypto tools and weakened enforcement against digital lawbreaking under the Trump administration. So while ordinary Americans are struggling to contend with this heyday of identity theft and financial fraud, the Trump administration is cutting off resources that could help them.

It’s noteworthy that the DOGE staffer who allegedly took the SSA databases reportedly claimed to be sanitizing the data before supposedly using it at his new employer. Government data, locked in restricted databases and protected by federal law, is among the most valuable commodities in the AI industry. The large language models powering AI tools are only as good as the data they train on, and AI companies have been exhausting publicly available data for years. Access to the deep reservoirs of government data on 500 million Americans would represent a tantalizing advantage in the AI arms race. Across the AI industry, trillions have been committed to data center infrastructure while companies burn billions of dollars annually betting on world-changing breakthroughs that have not yet materialized. With that kind of pressure, the value of previously unavailable data becomes obvious. 

Government databases are top targets for cybercriminals since they house vast amounts of information, and a single breach can expose wide swaths of data. The Trump administration’s ongoing efforts to consolidate federal data into a central database, mostly to fuel its authoritarian immigration crackdown, only increases the security risk. Biometrics, fingerprints for a background check or facial scans at airports, are highly valuable because they do not change over your lifetime. So once cybercriminals get a hold of sensitive governmental data, they can use it to more effectively defraud and steal from people. Combine that with AI tools such as FraudGPT, and the scale of possible crime becomes even more alarming.

Trump’s policies via DOGE and his proposed panopticon have made Americans more vulnerable — but the administration’s cuts to enforcement leave Americans with even less protection from cybercriminals or recourse if they fall victim. Budget slashes initiated by DOGE and carried on by Office of Management and Budget director Russell Vought have gutted the government’s cybersecurity infrastructure. Vought’s role empowers him to review and reshape the budget and staffing priorities at every federal agency. However, his governing philosophy treats the federal bureaucracy as an obstacle in need of demolition. In the White House’s 2025 budget request, Vought explicitly recommended cuts to the country’s primary cyber defense agency, Cybersecurity and Infrastructure Security Agency (CISA), calling its programs “weaponized” government overreach. CISA, now being led by its third acting director in just one year, lost a third of its staff through a combination of firings and early retirements, and still has no Senate-confirmed leadership. Without a permanent head, experts say CISA will struggle with long-term planning and making changes necessary to address the intensifying threat landscape. 

The FBI has also seen its cybersecurity capacity diminished. Democratic Senators questioned FBI Director Kash Patel about cuts to the bureau’s cyber division amid his decision to reassign 45% of all agents in the 25 largest field offices to work on immigration, pulling resources away from cybersecurity and white-collar crime. 

Cybercrime is already at historic highs. The FBI’s Internet Crime Report reveals that cybercriminals stole $16.6 billion in 2024, a 33% increase over the previous year. Phishing — using emails, text, and phone calls to request sensitive personal information — was the number one technique used by criminals, and is easily supercharged by AI.

To get an expert view on the relationship between AI and cybercrime risk – not on DOGE or any specific government program, but on the broader threat landscape – I spoke with James E. Lee, president of the Identity Theft Resource Center. Lee warned that AI has already transformed the scale and speed of cybercrime since “AI makes any information in the hands of a professional cybercriminal more likely to be misused at a faster pace and on a broader scale.” 

To make matters worse, “AI allows cybercriminals to automate application processes using real and synthetic identities to open new accounts; with stolen logins and passwords, they can automate attacks on existing accounts; and they can write new tools and malware in a matter of hours that used to take weeks or months to launch,” Lee added. The next evolution, he cautions, will be AI-driven attacks that adapt to defenses without human intervention: automated social engineering at exponential scale, running 24/7.

Cybercriminals have another tool in their arsenal as well: Cryptocurrency. Scams utilizing sensitive government data are simpler when cybercriminals can coerce victims into paying out with crypto, transactions that are typically fast, irreversible, and lacking usual banking protections. In fact, consumers lost over $9 billion to crypto fraud in 2024, a 66% increase over 2023, and the blockchain analytics firm Chainalysis estimates 2025 losses will exceed $17 billion once all data is collected. The anonymous and near-untraceable nature of crypto makes it an excellent financial incentive for illicit activity. Indeed, extortion was the most cited crime type. 

None of this is inevitable. Big Tech companies flexed their muscles, ingratiating themselves to Trump, donating millions to the president’s inaugural fund and making him party to their most ambitious projects. An army of lobbyists marched on Washington to convince the administration of Big Tech’s desired policies. OpenAI’s own documentation acknowledges its voice generation tools can facilitate fraud, yet lobbyists spent last year fighting against the regulations requiring accountability for that very risk. Though polling shows a majority of Americans want to strengthen data security and stronger rules for AI, Trump signed an executive order placing a moratorium on AI regulation and directing the DOJ to challenge state laws, including those that protect against AI-powered spam calls, deepfake impersonation scams, and financial fraud. 

However, officials concerned about the threat to Americans’ data security could still act. Senators and members of the House, particularly those sitting on the Commerce, Banking, and Oversight committees, must hold hearings and create a public record about which corporations and individuals are making enormous sums of money lobbying against safeguards protecting financial security. State attorneys general and plaintiff-side law firms can pursue the same strategy used against opioid manufacturers: filing class action lawsuits, showing that these entities knew the harms, and they profited while Americans paid the price. 

Mechanisms for recourse already exist. The Federal Trade Commission is the federal government’s primary civilian authority on identity theft and data security. It runs the Consumer Sentinel Network for reporting and enforcing identity theft crimes, and has the power to set binding data security standards across entire industries. It has largely chosen not to use that power. Trump’s FTC Chairman Andrew Ferguson abandoned three years of commercial surveillance and data security rulemaking efforts while redirecting resources towards an investigation into whether platforms had been unfair to Donald Trump. That is a choice, and it can be reversed. 

Future administrations interested in protecting Americans from cybercrime will need to make different choices. That is only likely to happen if leaders begin to pursue not only accountability, but education: victims of cybercrimes and identity theft must know that figures like Trump, Musk, and Vought are likely at least partially responsible for their pain. 

We still don’t know what the DOGE staffer intended to do with 500 million Americans’ Social Security records, or who they’ve been shared with, or what’s been done with other data DOGE removed from agency databases. What we do know is that this information may have entered a world ready to exploit it.