Federal Employee Data Privacy: What DOGE Means for Your Records

DOGE accessed OPM, SSA, Treasury, and IRS systems holding your PII. Here's what was accessed, what your Privacy Act rights are, and 12 steps to protect yourself now.

By FedTools Team | 19 min read

Last Updated: March 14, 2026
Reading Time: 12 min

On March 10, 2026, the Washington Post reported that a former DOGE software engineer told co-workers he possessed two of the most sensitive databases in the federal government — the SSA NUMIDENT and the Death Master File — and had brought them to his new employer on a thumb drive. Together, those databases contain records on more than 500 million Americans, living and deceased.

The engineer, John Solly, moved from DOGE to become CTO at Leidos — a defense contractor that holds a multi-billion-dollar contract with SSA to manage the very IT infrastructure he allegedly accessed. Solly and Leidos both deny the allegations. The SSA Inspector General confirmed an active investigation is underway.

This came eight months after a separate whistleblower — then SSA Chief Data Officer Charles Borges — alleged that DOGE had copied the NUMIDENT to an unaudited private cloud server with no independent security controls. Borges resigned three days after filing that complaint.

For federal employees, these incidents are part of a broader pattern. DOGE began accessing OPM personnel systems in February 2025. By late March 2025, access extended to Treasury payroll systems affecting 276,000 employees across DOJ, Treasury, and DHS. IRS taxpayer data including bank account information of every filer who received an electronic refund was also accessed.

This guide explains what happened, what data is actually at risk, what your legal rights are, and exactly what to do about it.

Key Takeaways

  • DOGE accessed OPM, Treasury, FPPS, SSA, and IRS systems containing federal employee PII starting February 2025. Your personnel records almost certainly passed through affected systems.
  • A March 2026 whistleblower complaint alleges a former DOGE engineer copied 500 million records — the NUMIDENT and Death Master File — to a thumb drive. Both the engineer and Leidos deny it. An SSA Inspector General investigation is active.
  • If you have 2015 OPM breach IDX coverage, it expires by September 30, 2026. Check your expiration date now.
  • A credit freeze at all three bureaus is free, takes about 15 minutes, and does not affect your credit score. It is the most effective step you can take today.
  • Courts found Privacy Act violations but access continued due to standing requirements and appellate reversals. Act on the assumption your data was accessed.
  • You have concrete rights under the Privacy Act (5 U.S.C. 552a): access your records, file complaints, and request amendment of inaccurate data.

What Happened: Timeline of DOGE Data Access

The access was not a hack in the traditional sense — no system was broken into by an outside attacker. Instead, DOGE personnel were granted access credentials to federal systems, often over the objections of career IT and security staff.

Date | Event
February 1-6, 2025 | DOGE personnel gain access to OPM databases containing PII of millions of current and former federal employees and job applicants
February 2025 | DOGE presses IRS to share taxpayer return information; accesses Treasury Bureau of Fiscal Service database including bank account info of tax refund recipients
March 2025 | Federal judge (SDNY) finds agencies "likely violated" the Privacy Act; issues preliminary injunction
Late March 2025 | DOGE gains access to FPPS affecting approximately 276,000 federal employees across DOJ, Treasury, and DHS — after two weeks of resistance from senior IT staff
June 6, 2025 | Judge Denise Cote (SDNY) rules OPM "violated the law and bypassed its established cybersecurity practices"; orders DOGE agents removed from OPM systems
June 6, 2025 | Supreme Court restores DOGE access to SSA data pending further proceedings
August 2025 | Fourth Circuit lifts lower court injunction (2-1 decision); plaintiffs found likely to lack standing
August 26, 2025 | SSA Chief Data Officer Charles Borges files whistleblower complaint: DOGE copied NUMIDENT to unaudited private cloud server with no independent security controls
August 29, 2025 | Borges resigns three days after filing the complaint
January 2026 | SSA discloses that DOGE employees "secretly and improperly shared sensitive personal data in 2025" and cannot verify the extent of violations
March 6, 2026 | SSA Inspector General notifies congressional committees it is reviewing a whistleblower complaint about potential data misuse by a former DOGE employee
March 10, 2026 | Washington Post and Wired report that whistleblower alleges John Solly copied NUMIDENT and Death Master File to a thumb drive; Solly now CTO at Leidos
March 14, 2026 | SSA OIG investigation active; Solly and Leidos deny all allegations

A critical point: federal judges found Privacy Act violations, and one ordered DOGE removed from OPM systems. But access continued because appellate courts lifted injunctions on standing grounds, and the Supreme Court restored SSA access pending further review. "Courts found violations" does not mean the access stopped.


Which Systems Store Your Data

Not all federal employee data sits in one place. Here is a map of the systems that hold your PII and their reported DOGE access status.

System | Operator | Data Contained | DOGE Accessed?
eOPF (Electronic Official Personnel Folder) | NFC/OPM | Full employment history, personnel actions, performance ratings, SF-50s | Yes (OPM systems broadly, Feb 2025)
FPPS (Federal Personnel and Payroll System) | Dept. of Interior/IBC | Name, SSN, pay grade, payroll, deductions, health/life insurance enrollment | Yes (late March 2025)
GRB Platform (Government Retirement & Benefits) | DOI | Name, DOB, home address, SSN, health/life enrollment, retirement contributions, leave, tax withholding | Accessed via FPPS/OPM integration
USA Staffing | OPM | Job applicant PII, resumes, background check initiation data | Yes (OPM systems broadly)
NFC (National Finance Center) | USDA | Payroll processing, salary, direct deposit information | Linked to FPPS access
e-QIP / NBIS | DCSA | SF-86 background investigation data — employment history, foreign contacts, finances, mental health disclosures | Not directly reported; 2015 breach compromised this
SSA NUMIDENT | SSA | SSN, DOB, place of birth, citizenship, ethnicity, parents' names, phone, address — for every SSN holder | Yes (two whistleblower incidents, 2025-2026)
IRS / Treasury | Treasury Bureau of Fiscal Service | Bank account info for all filers with electronic refunds, tax return data | Yes (early 2025)

If you held a security clearance, your SF-86 data is managed by DCSA (formerly NBIB), not OPM's general HR systems. No reports have confirmed direct DOGE access to e-QIP/NBIS — but the 2015 OPM breach already compromised SF-86 data for 19.7 million people, and that protection contract expires this year (more on that below).


The Two SSA Incidents: What the Whistleblowers Alleged

Incident 1: The Vulnerable Cloud Server (August 2025)

Charles Borges, then SSA's Chief Data Officer, filed a whistleblower disclosure on August 26, 2025. He alleged that DOGE-affiliated officials copied the NUMIDENT database into a self-administered cloud environment with no independent security controls and no verified audit or oversight mechanisms. SSA officials, per his disclosure, could not verify what access controls existed or who could reach the data. The NUMIDENT contains records for approximately 300 million living Americans.

SSA denied wrongdoing. Borges resigned three days after filing the complaint.

Incident 2: The Thumb Drive (March 2026)

A new whistleblower complaint, reported by the Washington Post on March 10, 2026, alleged that former DOGE software engineer John Solly told co-workers at his new job that he "possessed two tightly restricted databases of U.S. citizens' information" and was planning to use that data at his new company. The two databases alleged to be involved are the NUMIDENT and the Death Master File, which together cover more than 500 million records.

Solly's new employer was Leidos, a defense contractor that holds a multi-billion-dollar contract with SSA to manage its IT infrastructure — the systems he allegedly accessed at DOGE.

Solly and Leidos both deny the allegations. The SSA Inspector General confirmed an active investigation. The House Oversight Committee expanded its DOGE data investigation following the disclosure.

The distinction matters: what is alleged (the thumb drive) versus what is confirmed (DOGE accessed OPM, Treasury, SSA, and FPPS systems). Treat the thumb drive allegations as unverified but the broader system access as confirmed.


What Protections Exist: The Privacy Act

The Privacy Act of 1974 (5 U.S.C. 552a) is the primary legal protection for federal employee records. It gives you five core rights:

  1. Right to access your own records in any agency system of records
  2. Right to know if those records have been disclosed and to whom
  3. Right to amend inaccurate, irrelevant, untimely, or incomplete records
  4. No disclosure without consent — agencies cannot share your records without your written consent, subject to 12 enumerated exceptions
  5. Right to sue in federal district court for unlawful disclosures (5 U.S.C. 552a(g))

Where the Law Ran Into Limits

The Privacy Act has 12 exceptions, including law enforcement, archival research, and "routine uses" — a category courts have interpreted broadly. The administration characterized DOGE access as a "routine use" for government operations. Courts are still litigating whether that interpretation is valid.

More practically: the standing problem. In August 2025, the Fourth Circuit lifted the main OPM injunction because plaintiffs likely could not prove concrete, particularized harm from the data access itself. This is a significant hurdle for individual suits. A court can find that an agency "violated the law" and still deny relief if plaintiffs cannot demonstrate specific injury.

The practical takeaway: administrative Privacy Act complaints through your agency's privacy office are your most accessible route. They are viable, they create a record, and they do not require you to prove standing the way a federal lawsuit does.


Your Protection Checklist

Immediate Steps (Do Now)

These steps take 15-30 minutes total and cost nothing.

  • Place a credit freeze at all three bureaus. Equifax (equifax.com), Experian (experian.com), TransUnion (transunion.com). A credit freeze is free under federal law and does not affect your credit score. It prevents anyone from opening new credit in your name. You can temporarily lift it when you apply for credit.
  • Place a fraud alert. Place it at one bureau, which automatically notifies the other two. An initial fraud alert lasts one year. An extended fraud alert lasts seven years and requires creditors to verify your identity before extending credit.
  • Create or verify your my Social Security account. Go to ssa.gov/myaccount. This locks your SSA record to your own login and prevents someone else from creating an account on your SSN to redirect benefit payments.
  • Set up an IRS Identity Protection PIN. Go to irs.gov/identity-theft-central. This six-digit PIN must appear on any tax return filed with your SSN. Without it, the IRS rejects the return — which stops fraudulent filing in your name.
  • Check your IDX coverage if you were in the 2015 OPM breach. Log in to your IDX account or check for notification emails from IDX or nrc.idprotectionservices.com. Coverage expires by September 30, 2026 — more on this below.

Medium-Term Steps (This Month)

  • Request access to your eOPF. Contact your agency HR office to review all documents in your electronic personnel folder. Flag any document you do not recognize, and report discrepancies to your agency's human capital office immediately.
  • File a Privacy Act access request. You can formally request a copy of all records your agency maintains on you. Agencies must acknowledge your request within 10 days and generally respond within 30 days. This creates a baseline record of what exists and may reveal unexpected disclosures.
  • Review your credit reports. AnnualCreditReport.com provides free weekly reports from all three bureaus (a permanent policy change since the pandemic). Review for accounts, inquiries, or addresses you do not recognize.
  • Report identity theft if it occurs. IdentityTheft.gov (FTC) provides a personalized, step-by-step recovery plan tied to your specific situation.

If You Held a Security Clearance

The 2015 OPM breach compromised SF-86 background investigation data for 19.7 million people. The SF-86 is the most sensitive document in any federal employee's profile. It contains full employment and residential history (10 years), names of family members and references, foreign contacts and travel, mental health treatment history, financial history, criminal history, biometric fingerprints, and investigator interview notes.

If your clearance investigation predates 2015, assume this data is in the hands of a foreign adversary (the breach was attributed to Chinese intelligence). The risk is not credit fraud — it is social engineering and targeting. Be especially cautious of unsolicited contact from people who seem to know unusual personal details about you. Report any contact you believe may be related to the 2015 breach to your agency security officer and the FBI.

If You Witness Data Misuse (Whistleblower Steps)

  • Document what you observed: dates, systems, individuals, specific actions
  • Report to your agency Inspector General — your identity is protected by law
  • Alternatively, report to the Office of Special Counsel at osc.gov — OSC does not share your identity without your consent
  • If you believe there is imminent danger to public health or safety, you may report to Members of Congress with appropriate clearance

The 2015 OPM Breach: Why 2026 Is the Deadline

The 2015 OPM breach compromised 21.5 million records — the largest theft of personnel data in U.S. government history, attributed to Chinese intelligence. The government contracted with IDX to provide 10 years of free identity theft protection to affected individuals.

That contract expires September 30, 2026.

Key facts for those with coverage:

  • IDX has begun notifying recipients that services will end on the 10-year anniversary of their enrollment date
  • People who enrolled after the initial 2015 notification (on a rolling basis) will have memberships expire on their personal 10-year anniversary
  • Legislation to extend coverage for life (the Norton/Ruppersberger bill) has not passed Congress
  • OPM has not announced any extension

What to do if you have IDX coverage: Check your enrollment email or log in at nrc.idprotectionservices.com to confirm your expiration date. Before coverage lapses, set up the free alternatives above (credit freezes, ssa.gov account, IRS IP PIN) and enroll in a commercial credit monitoring service if you want ongoing alerts.


Whistleblower Protections

Two people who raised alarms about DOGE data practices faced significant professional consequences: Charles Borges resigned after filing his SSA whistleblower complaint, and the broader pattern of DOGE-era data incidents has led some career officials to quietly transfer rather than formally object.

If you witness data misuse at your agency and are considering reporting, here is what the law provides:

The Whistleblower Protection Act (5 U.S.C. 2302(b)(8)) prohibits agencies from taking personnel actions — removal, suspension, demotion, pay cut, transfer — against an employee who discloses information they reasonably believe shows a violation of law or regulation, gross mismanagement, gross waste, abuse of authority, or a substantial and specific danger to public health or safety.

Where to report:

  • Agency Inspector General — IGs are prohibited by law from disclosing your identity without your consent. OIGs have independence from agency leadership and report to both the agency head and Congress.
  • Office of Special Counsel (OSC) — osc.gov. OSC investigates prohibited personnel practices. Your identity is kept confidential. OSC can seek corrective action and disciplinary action against officials who retaliate.
  • Congress — Members and staff with appropriate clearances can receive disclosures about classified matters.

Document everything before reporting: dates, systems involved, what you observed, who was present, and any instructions you received. A documented record is your strongest protection.


While data protection is the immediate concern, DOGE-era workforce reductions are also affecting employment stability. If you are evaluating your options in the current environment, the RIF Survival Guide 2026 covers retention rights, bump and retreat rights, and how to respond if your position is targeted for elimination.

For broader workforce context, see Federal Workforce Outlook 2026, which tracks DOGE actions, RIF moratorium status, and agency-level reduction timelines.

If you are concerned about at-will conversion under Schedule F, the Schedule F Guide 2026 covers due process rights and how career appointment protections apply.

For MSPB appeal rights and whistleblower protection procedures, see MSPB Ruling: Tenured Federal Employees 2026.


Frequently Asked Questions

Was my data accessed by DOGE?

If you are or were a federal employee, your personnel records — pay, performance, HR actions — likely passed through OPM, Treasury, or FPPS systems that DOGE accessed starting February 2025. If you held a security clearance, your SF-86 data is in DCSA systems (NBIS), which have not been publicly confirmed as accessed. And if you have a Social Security number, your NUMIDENT record was potentially compromised per the August 2025 and March 2026 whistleblower allegations. There was no formal breach notification in the traditional sense — no one received a letter saying "your data was accessed." That does not mean it was not accessed.

What is the NUMIDENT database and why does it matter?

NUMIDENT is the SSA's master identity file. It contains Social Security number application records for every person who has ever applied for a Social Security card — roughly 300 million living Americans plus records for the deceased. It includes your SSN, full name, date and place of birth, citizenship status, race and ethnicity, parents' names, phone number, and address. Combined with the Death Master File, the two databases alleged to have been copied cover more than 500 million records. This is not a partial breach of a subset of records — these databases cover essentially every American.

Do I still have free identity theft protection from the 2015 OPM breach?

If you were notified you were affected by the 2015 OPM breach and enrolled with IDX, your coverage expires September 30, 2026 — or on the 10-year anniversary of your enrollment date if you enrolled after the initial 2015 notification. IDX has been sending expiration notices. Check your email for messages from IDX or nrc.idprotectionservices.com, and set up free alternatives (credit freezes, ssa.gov account, IRS IP PIN) before your coverage lapses.

What should I do right now to protect myself?

The five most effective immediate steps: (1) Place a credit freeze at all three bureaus — Equifax, Experian, TransUnion. It is free and does not affect your credit score. (2) Place a fraud alert at one bureau. (3) Create or verify your my Social Security account at ssa.gov to lock your record. (4) Enable an IRS Identity Protection PIN at irs.gov/identity-theft-central. (5) Check your eOPF through your agency HR portal for unexpected documents. See the full checklist above.

Can I file a Privacy Act complaint about how DOGE accessed my records?

Yes. Every agency has a privacy office that accepts Privacy Act complaints. You can also request a copy of your own records under the Privacy Act. Courts remain divided on whether individual suits are viable — the standing requirement is a significant hurdle — but administrative complaints through your agency's privacy office are accessible, viable, and create a documented record.

What whistleblower protections exist for federal employees who report data misuse?

The Whistleblower Protection Act covers federal employees who disclose information they reasonably believe shows a violation of law or regulation, gross mismanagement, gross waste, abuse of authority, or substantial danger to public health or safety. Report to your agency Inspector General (identity protected by law) or to the Office of Special Counsel at osc.gov (OSC keeps your identity confidential). Retaliation against a whistleblower is itself a prohibited personnel practice under 5 U.S.C. 2302(b)(8).

What happened to the court cases challenging DOGE data access?

Courts initially sided with plaintiffs: a federal judge found OPM "violated the law and bypassed cybersecurity practices" (June 2025), and earlier courts issued preliminary injunctions. However, the Fourth Circuit lifted the main injunction in August 2025, finding plaintiffs likely lacked standing because they could not prove concrete harm. The Supreme Court also restored DOGE's SSA access pending further review in June 2025. Courts found likely violations but access continued. The lesson for individual employees: administrative and personal protective steps are your most reliable tools, not waiting for litigation outcomes.

Is using ChatGPT or other AI tools with government data a security risk?

Yes, for public consumer versions. In mid-2025, the acting CISA director reportedly uploaded government documents marked "for official use only" to public ChatGPT. Federal employees should not enter government data, PII, or FOUO materials into consumer AI tools — data entered into those tools can be incorporated into model training. If your agency uses a government-hosted AI product deployed in an agency-controlled cloud environment, that is a separate category — check with your agency IT security office for approved tools.

What did the DOGE SSA telework access situation reveal?

Congressional investigators found that DOGE staff at SSA had approved telework agreements — the only individuals in the CIO's office with such arrangements. SSA officials could not explain who approved those agreements or why. Court filings revealed that DOGE staff used the telework structure to access SSA systems remotely without standard IT oversight. This matters because it illustrates how access was granted through administrative mechanisms rather than technical intrusions — making traditional breach detection less effective.



Disclaimer: This guide is for informational purposes only and does not constitute legal advice. Privacy Act rights, whistleblower protections, and identity theft remedies involve legal and factual complexities specific to each individual's situation. Consult qualified legal counsel — including agency ethics officials, union representatives, or a private attorney — for advice on your specific circumstances. Allegations regarding John Solly and the thumb drive are from whistleblower complaints and are subject to ongoing SSA Inspector General investigation. Solly and Leidos deny the allegations.

Sources: Washington Post, FedScoop, NPR, Wired/New Republic, Federal News Network, DOJ OPCL — Privacy Act Overview, FTC — Credit Freezes and Fraud Alerts, OPM Whistleblower Rights and Protections