Dem report concludes Department of Government Efficiency violates cybersecurity, privacy rules

25 September 2025 at 12:37

Department of Government Efficiency practices at three federal agencies “violate statutory requirements, creating unprecedented privacy and cybersecurity risks,” according to a report that Senate Homeland Security and Governmental Affairs Committee Democrats published Thursday.

The report — drawn from a mix of media reports, legal filings, whistleblower disclosures to the committee and staff visits to the agencies — concludes that the Elon Musk-created DOGE is “operating outside federal law, with unchecked access to Americans’ personal data.” It focuses on DOGE activity at the General Services Administration (GSA), Office of Personnel Management (OPM) and Social Security Administration (SSA).

One previously unreported whistleblower claim is that at the SSA, a June internal risk assessment found that the chance of a data breach with “catastrophic adverse effect” stood between 35% and 65% after DOGE uploaded a computer database file known as Numident, containing personal sensitive information without additional protections against unauthorized access. The potential implications included “widespread PII [personally identifiable information] disclosure or loss of data” and “catastrophic damage to or loss of agency facilities and infrastructure with fatalities to individuals,” according to the assessment.

“DOGE isn’t making government more efficient — it’s putting Americans’ sensitive information in the hands of completely unqualified and untrustworthy individuals,” Michigan Sen. Gary Peters, the top Democrat on the committee, said in a news release. “They are bypassing cybersecurity protections, evading oversight, and putting Americans’ personal data at risk. We cannot allow this shadow operation to continue operating unchecked while millions of people face the threat of identity theft, economic disruption, and permanent harm. The Trump Administration and agency leadership must immediately put a stop to these reckless actions that risk causing unprecedented chaos in Americans’ daily lives.”

The report recommends stripping all DOGE access to sensitive personal information until agencies certify that the initiative is in compliance with federal security and privacy laws such as the Federal Information Security Management Act, and recommends that DOGE employees complete the same kind of cybersecurity training as other federal employees.

It describes the three agencies blocking access to specific offices or otherwise obstructing access. For example, it says that DOGE installed a Starlink network at GSA, but wouldn’t let staff view it. Starlink is the Musk-owned satellite internet service, and the report concludes that Starlink might have allowed DOGE staffers to circumvent agency IT oversight. Data sent over the network “could be an easy target for foreign adversaries,” the report states.

The report also expands upon an alleged attempt at SSA to create a “master database” that would pool data from multiple federal agencies. According to whistleblower disclosures, former SSA DOGE employee John Koval inquired about uploading agency data into a cloud environment to share with the Department of Homeland Security. He was “rebuffed,” the report states, but later worked at DHS and the Justice Department, where SSA data surfaced in some projects, raising further privacy concerns. 

It revisits concerns about DOGE staffer Edward “Big Balls” Coristine having access to sensitive agency data despite reports that he had been fired from an internship at a cybersecurity company for leaking company information to a competitor, and arrives at further conclusions about the risk posed by the ability of Coristine and others “to move highly sensitive SSA data into an unmonitored cloud environment.”

“It is highly likely that foreign adversaries, such as Russia, China, and Iran, who regularly attempt cyber attacks on the U.S. government and critical infrastructure, are already aware of this new DOGE cloud environment,” the report states.

Two of the agencies that were the subject of the report took issue with its conclusions.

“OPM takes its responsibility to safeguard federal personnel records seriously,” said a spokeswoman for the office, McLaurine Pinover. “This report recycles unfounded claims about so-called ‘DOGE teams’ that simply have never existed at OPM. Federal employees at OPM conduct their work in line with longstanding law, security, and compliance requirements.

“Instead of rehashing baseless allegations, Senate Democrats should focus their efforts on the real challenges facing the federal workforce,” she continued. “OPM remains committed to transparency, accountability, and delivering for the American people.”

The SSA pointed to Commissioner Frank Bisignano’s letter to Congress responding to questions about Numident security concerns. 

“Based on the agency’s thorough review, the Numident data and database — stored in a longstanding secure environment used by SSA — have not been accessed, leaked, hacked, or shared in any unauthorized fashion,” an SSA spokesperson wrote, adding, “The location referred to in the whistleblower allegation is actually a secured server in the agency’s cloud infrastructure which historically has housed this data and is continuously monitored and overseen — SSA’s standard practice.”

The SSA spokesperson emphasized there are no DOGE employees at SSA, only agency employees. 

The GSA did not immediately respond to Scoop News Group requests for comment on the Democratic report.

Miranda Nazzaro contributed reporting to this story.

The post Dem report concludes Department of Government Efficiency violates cybersecurity, privacy rules appeared first on CyberScoop.

Sen. Hassan wants to hear from SpaceX about scammers abusing Starlink

28 July 2025 at 11:04

It’s time for SpaceX to take strong action against scammers abusing the company’s Starlink internet service, Sen. Maggie Hassan said in a letter to CEO Elon Musk on Monday.

The New Hampshire Democrat cited evidence accumulating over the past two years that some Southeast Asian fraudsters scamming billions of dollars from U.S. citizens have leaned on Starlink due to its independence from national telecommunications networks, decentralized structure and the ability to use it on the go.

Media outlets and government officials have turned up Starlink equipment at scam compounds that are largely centered in Southeast Asia, and a United Nations Office on Drugs and Crime report last fall highlighted the trend.

“While SpaceX has stated that it investigates and deactivates Starlink devices in various contexts, it seemingly has not publicly acknowledged the use of Starlink for scams originating in Southeast Asia — or publicly discussed actions the company has taken in response,” Hassan wrote. “Scam networks in Myanmar, Thailand, Cambodia, and Laos, however, have apparently continued to use Starlink despite service rules permitting SpaceX to terminate access for fraudulent activity.”

Scam compounds have been getting increased attention from Southeast Asian governments and nonprofit organizations in recent months, but there are also signs that the crackdowns aren’t keeping up with the industry’s evolution.

A human rights group last week reported data showing that the scammers’ use of Starlink has more than doubled since Thailand began cutting internet cables to cripple their operations.

SpaceX didn’t immediately respond to a request for comment Monday, and has not responded to past media questions about Southeast Asian scammers using Starlink.

Hassan wants to know whether SpaceX was aware of the scammers using Starlink and if so, when it first knew it, its policies for investigating and restricting the use of Starlink devices, what it’s done to work with law enforcement agencies on the problem and more. She sits on the Senate Homeland Security and Governmental Affairs Committee.

Much of the cybersecurity-related attention SpaceX has received this year is as a potential target of cyberattacks, particularly after White House security experts warned of the security risks of installing Starlink there and President Donald Trump said he would continue using the service.

SpaceX has a web page dedicated to Starlink-related scams of another sort.

The post Sen. Hassan wants to hear from SpaceX about scammers abusing Starlink appeared first on CyberScoop.
