Wednesday, August 27, 2025

    DOGE accused of copying entire Social Security database to insecure cloud system




    “Commissioner [Frank] Bisignano and the Social Security Administration take all whistleblower complaints seriously,” the agency said. “SSA stores all personal data in secure environments that have robust safeguards in place to protect vital information. The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the Internet. High-level career SSA officials have administrative access to this system with oversight by SSA’s Information Security team. We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data.”

    The Government Accountability Project letter quoted a July 15 email in which Moghaddassi allegedly authorized the NUMIDENT cloud project. “I have determined the business need is higher than the security risk associated with this implementation and I accept all risks associated with this implementation and operation,” Moghaddassi was quoted as saying.

    Borges alleges that the authorization was an “abuse of authority” and “gross mismanagement,” and that the creation of the cloud environment potentially violated multiple federal laws. “By knowingly placing a High-Value Asset containing data on over 450 million people in an uncontrolled environment, the requestors, apparently Moghaddassi and possibly others, violated statutory duties under FISMA [Federal Information Security Modernization Act],” the letter said.

    Moghaddassi previously worked for Elon Musk-led companies Neuralink and X, and worked for DOGE at the Department of Labor, the letter said. He became the CIO of the SSA in June.

    The Government Accountability Project letter also argues that the SSA may have violated the Computer Fraud and Abuse Act “by facilitating unauthorized access to protected computer systems. Further, Moghaddassi’s self-authorization of risk acceptance potentially violated 44 U.S.C. § 3554(b), FISMA’s requirements for continuous monitoring and risk management, by formally accepting risks that exceeded federal guidelines for protecting sensitive government information.”

    Borges, a Navy veteran, has worked for several federal agencies and became the CDO of the SSA in January of this year. As CDO, “Borges is responsible for the safety, integrity, and security of the public’s data at SSA,” and his “position requires full visibility into data access, data exchange, and cloud-based environments used for SSA production systems,” the letter said.


