The newly establish Department of Government Efficiency (DOGE) has created quite the stir in Washington, causing legal experts to speculate that the organization has violated the Privacy Act as well as various cybersecurity laws. By taking control of the Treasury Department’s central payments database, they argue, DOGE has created an unprecedented risk to personal and financial information. That is because this database contains a record of all federal government spending, including all congressionally approved spending, such as Social Security payments. By opening this system to employees who have not been properly vetted, the personal data of all U.S. citizens is vulnerable to attacks.
The White House claims that DOGE employees only have read-only access to these files; however, independent reporting has verified that non-Treasury actors have been granted administrative access. This has led to major software changes to governmental systems without proper planning, which is contrary to all cybersecurity best practices. As one cybersecurity expert admitted: “there’s probably no way of knowing if these changes make it easier for malware to be introduced into government systems, if sensitive data can be accessed without authorization, or if DOGE’s work is making government systems otherwise more unstable and more vulnerable.” That same expert pointed to the 2013 failed launch of the healthcare.gov website as an example of how new technological systems can struggle to integrate with pre-existing software. On top of it, DOGE has installed its own email servers without proper testing—another major cybersecurity violation.
In response, several unions and federal employees have filed lawsuits stating that DOGE has ignored best practices and increased national security concerns. Two unions, the American Federation of Government Employees and the Service Employees International Union, have argued that DOGE has breached the Privacy Act of 1974 by sharing federal payment information. Additionally, federal employees at the Office of Personnel Management (OMP) have sued over DOGE’s private server because the system was not properly vetted. This is especially important in the case of the OMP whose systems were hacked by Chinese actors in 2015, exposing the personal information of millions of workers.
Unfortunately, it seems that only time will tell as to whether bad actors will gain access to the citizen information DOGE has exposed; the organization is pushing on despite legal objections and public outcry. As the Trump administration continues its Washington D.C. overhaul, we will continue to monitor this story for new developments.