Amid the chaotic attempts at remaking of the U.S. government and policies during the first weeks of the Trump Administration, Elon Musk and his small team’s takeover of computers at the Treasury Department and Office of Personnel Management (OPM) have set off the most alarm bells when it comes to security and data privacy.
Musk, whom President Trump named to head a group – the so-called Department of Government Efficiency, or DOGE, whose mandate is in its name – and his handful of programming engineers were able to gain access into the Treasury systems, which hold massive amounts of personal and sensitive information – Social Security numbers, email and physical addresses, and the like – and are used to issue as much as $6 trillion in government spending for everything from Social Security and Medicare benefits to tax refunds and third-party contractors.
According to reports, Musk – the world’s wealthiest individual and an unpaid Trump adviser – forced out David Lebryk, the Treasury’s acting deputy secretary who refused to give the
young DOGE engineers access to the systems and databases. Eventually
Very few people have access to this government payment system because of its highly sensitive nature, and at least one of those, Treasury's acting Deputy Secretary David Lebryk,
resigned from his post after pushing back against Musk's attempt to access the databases, arguing that very few people had access to them given the sensitive data they held. Eventually, new Treasury Secretary Scott Bessent gave Musk’s group access.
Going Beyond the EO
Trump’s executive order creating DOGE said the group would only have access to unclassified information, but according to a report in WIRED, one of the DOGE group – a 25-year-old engineer – has
direct access to the country’s payment system. Trump has
given his support to what Musk is doing.
Bessent reportedly is telling Congress that
Musk doesn’t have control over the systems and that the DOGE team has “read-only” access.
The incursion into the Treasury systems follows similar efforts at other agencies, such as the Office of Personnel Management (OPM), in which DOGE is said to have installed its own server, connected it to federal networks, and accessed sensitive data.
Security and Privacy at Risk
Such initiatives create huge security and privacy holes, from giving unvetted, non-governmental people access to and control over sensitive data and processes to expanding the attack surface and giving hackers and foreign adversaries accesses to such data and government employees.
“The lack of security and oversight associated with the new email system and data management practices threatens to expose federal workers to personalized social engineering or ‘spear phishing’ attacks to gain access to government systems,” Representatives Gerry Connolly, D-VA, and Shantel Brown (D-OH
), wrote in a letter this week to OPM Acting Director Charles Ezell, adding that a spam attack on the National Oceanographic and Atmospheric Administration (NOAA) appears to be the result of a letter sent to employees of that agency.
“The creation of a governmentwide employee database without a Privacy Impact Assessment, which conveys how personally identifiable information is collected, used, shared, and maintained, would be a dangerous violation of the 2002 E-Government Act and create a one stop shop for adversaries and nefarious actors to steal federal workers’ sensitive data,” Connolly and Brown wrote.
In another letter, Senators Elizabeth Warren, D-MA, and Ron Wyden, D-OR, asked Gene Dodaro, comptroller general of the Government Accountability Office (GAO), to investigate the DOGE’s control of the Treasury systems.
“The process by which Mr. Musk’s team obtained access to these systems is troubling – as are the implications,” Warren and Wyden wrote, noting national security, economic, and privacy concerns, adding that “with access to these critical systems, Mr. Musk or others in the Trump Administration may be able to illegally ‘enact a political agenda’ and ‘unilaterally restrict disbursement of money approved for specific purposes by Congress.’”
Fear of Identity Theft
“This is the kind of information that, if accessed improperly, could lead to
widespread identity fraud and financial crimes,” said James Lee, president of the
Identity Theft Resource Center (ITRC), according to
The Global Treasurer, an information and resources site for finance and cash management professionals.
“Given Musk’s extensive business interests – including in China, where Tesla operates its largest factory – lawmakers fear national security risks related to potential foreign influence,” The Global Treasurer wrote.
Some commented that what Musk and his DOGE crew are doing mirrors in many ways the wrecking-ball methods he took when he bought Twitter in 2022. That’s the vibe that John Bambenek is getting.
“Probably the nearest analogy is when an organization is taken over by an owner who wants to see radical changes,” Bambenek, president of cybersecurity investigation and intelligence consultancy firm
Bambenek Consulting, told MSSP Alert. “The new owner doesn’t care about yesterday’s policies and procedures and existing staff don’t know what to do. The unknown always provides an opportunity for access mistakes to be made.”
While the risk of losing payment information is possible as Musk moves into the Treasury systems, Bambenek said he’s unsure that’s likely to happen. That said, he noted that “the lack of disclosure here, while intentional, also increases the anxiety of employees and vendors because they don’t know how the data will be used.”
Lawsuit Filed
As Congress decides on its next steps and news outlets raise red flags, labor unions are going to the courts. Three unions – the Alliance for Retired Americans, American Federation of Government Employees, and Service Employees International Union –
filed a lawsuit in Federal District Court in Washington DC this week against Bessent and the Treasury for allowing Musk and DOGE to access the personal data of millions of people.
Most of Trump’s many executive orders signed since he took office are being challenged in the courts.
The unions noted that Bessent allowed the access without publicly announcing the move, providing legal justification, or abiding by processes laid out by the law for altering the Treasury’s disclosure policies.
“The scale of the intrusion into individuals’ privacy is massive and unprecedented,” they wrote in the 19-page lawsuit. “Millions of people cannot avoid engaging in financial transactions with the federal government and, therefore, cannot avoid having their sensitive personal and financial information maintained in government records.”
The treasury secretary giving DOGE “full, continuous, and ongoing access” information means that individuals and businesses have no assurances that their data will be protected, they wrote, noting that actions and decisions by Muck and his team “are shrouded in secrecy.” He did so without making a public announcement, providing legal justification, or using the process required by law for changing the agency’s disclosure policies.
They also said people who are legitimately in charge of the information legally can’t be forced to share it with people who aren’t allowed access.
