The head of the Social Security Administration (SSA) has formally denied whistleblower allegations that the agency mishandled the sensitive personal data of millions of Americans. In a letter to the Senate Finance Committee, Commissioner Frank Bisignano stated that a review found no evidence of unauthorized access to or sharing of crucial citizen information.
Key Takeaways
- SSA Commissioner Frank Bisignano has refuted claims of data mismanagement made by a former agency official.
- The allegations involved the Numident database, which holds sensitive personal information for Social Security applicants.
- An internal SSA review concluded that the data was not compromised, leaked, or improperly accessed.
- The controversy stems from a complaint filed by the SSA's former chief data officer in August.
Senate Inquiry Prompts Official Response
The issue gained prominence after Senate Finance Committee Chair Mike Crapo sent a letter on September 10, 2025, demanding clarification from the SSA. The inquiry was a direct response to a complaint filed by a former executive.
The complaint alleged that the agency had created a copy of the nation's Social Security information in a cloud environment that lacked proper oversight and security controls. This raised significant concerns among lawmakers about the safety of citizens' private data.
Background of the Allegations
The whistleblower complaint was filed in August by Charles Borges, the former chief data officer for the SSA, in partnership with the Government Accountability Project. Borges claimed that the agency's Chief Information Officer, Aram Moghaddassi, and the Department of Government Efficiency (DOGE) violated internal policies. The complaint accused them of creating a live copy of the data in a cloud environment that was vulnerable due to poor access controls and data management practices. Borges also stated that his concerns were ignored, leading to his resignation.
Commissioner Asserts Data Is Secure
In his formal response on Tuesday, Commissioner Bisignano addressed the committee's concerns directly. He emphasized his commitment to data security, writing, "I have been protecting personally identifiable information (PII) my entire career, and it has been and will continue to be my highest priority here at SSA."
Bisignano reported that the SSA conducted an immediate review of the claims in August. This review included interviews with Borges and involved senior security and legal personnel.
"Based on the agency's review, Numident data had not been 'accessed, leaked, hacked, or shared in any unauthorized fashion' as the whistleblower complaint said," Bisignano stated in the letter.
Details of the SSA's Security Measures
The Commissioner provided specific details to counter the allegations. He explained that the data in question was not located in an unsecured cloud environment. Instead, it resides on a secured server that is under continuous, 24/7 monitoring.
According to Bisignano, the agency's acting chief information security officer confirmed the security of the server. He also noted that the SSA began utilizing secure cloud systems for data storage as early as 2015 and has always followed strict federal security protocols and risk assessments to protect personal information.
What is the Numident Database?
The Numident is a critical SSA database containing a comprehensive record of all Social Security number applications. It includes highly sensitive personally identifiable information (PII) such as:
- Full names of applicants
- Dates and places of birth
- Citizenship status
- Parents' names
- Social Security numbers, phone numbers, and addresses
Employee Access and Data Handling Protocols
A key part of the whistleblower complaint focused on inadequate access controls. Commissioner Bisignano's letter detailed the agency's strict procedures for employee access to sensitive information.
He stated that all SSA staff undergo vetting processes. Furthermore, permissions to access data are directly tied to an individual's specific job duties. Any request to handle sensitive data requires multiple levels of approval before access is granted. This multi-layered approach is designed to prevent unauthorized personnel from viewing or moving critical information.
Bisignano also made a crucial clarification regarding the core database. "The Numident database had never been moved to a private cloud," he wrote, directly contradicting a central point of the whistleblower's concern.
Broader Context of Data Privacy Concerns
The allegations against the SSA are part of a wider conversation about data privacy within federal agencies. Concerns have grown since the Department of Government Efficiency (DOGE), a team established during the Trump administration, was permitted to work inside various government bodies, including the SSA.
Former officials and privacy advocates have raised questions about DOGE's access to and handling of sensitive government records. Earlier this year, several labor and advocacy groups filed a lawsuit to prevent DOGE from obtaining Social Security data.
However, in a significant development in June, the Supreme Court ruled that the DOGE team could proceed with its work involving the data. This ruling has kept the issue of government data handling in the public spotlight, making the recent whistleblower allegations particularly sensitive for the Social Security Administration.
