Welcome to the CAVEAT Weekly Newsletter, where we break down some of the major developments worldwide in cybersecurity, privacy, digital surveillance, and technology policy.
At 1,500 words, this briefing is about a 7-minute read.
At a glance.
- Whistleblower claims DOGE potentially exposed Social Security records.
- The US government acquired a stake in Intel.
Whistleblower complaint cites DOGE privacy concerns.
The news.
On Tuesday, a whistleblower report was filed claiming Department of Government Efficiency (DOGE) officials copied millions of Social Security records. In the report, Charles Borges, the chief data officer at the Social Security Administration (SSA), claims that a former DOGE official copied the Social Security numbers, names, and birthdays of over 300 million people to a private server. This data was copied from the Numerical Identification System (NUMIDENT) database to a private cloud environment within the SSA’s cloud infrastructure. Borges alleges that this cloud server could be accessed by other DOGE employees and lacked appropriate security measures.
Borges wrote in his complaint that the server was made in a way that:
“Constitute[s] violations of laws, rules, and regulations, abuse of authority, gross mismanagement, and creation of a substantial and specific threat to public health and safety.”
Borges additionally emphasized that this server was a “very high risk” and could result in having to reissue Social Security numbers if the server were breached.
The SSA commented on the whistleblower claim, stating:
“The data referenced in the complaint is stored in a long-standing environment used by SSA and walled off from the internet. We are not aware of any compromise to this environment and remain dedicated to protecting sensitive personal data.”
The knowledge.
This latest whistleblower report comes months after another whistleblower alleged that DOGE officials mishandled sensitive data from the National Labor Relations Board (NLRB) in April. In that instance, the whistleblower alleged that DOGE staffers were able to access NLRB data on unions, legal cases, and corporate secrets and that the data was leaving the agency. The complaint also alleged that DOGE staffers asked not to have their activities logged and also attempted to hide their activities by disabling monitoring tools and deleting access records.
Alongside these whistleblower complaints, DOGE has faced numerous legal challenges to its data access. Since the Trump administration took office, DOGE has faced over a dozen lawsuits alleging Privacy Act violations. These lawsuits are tied to DOGE staffers attempting to access agency data from:
- The Treasury Department’s payment systems
- The Office of Personnel Management
- The Education Department
- The Department of Health and Human Services
These challenges have continued to be contentious, with one reaching the Supreme Court. In June, the Supreme Court ruled in a 6-3 decision to allow DOGE to access data from the SSA. Though courts have largely been ruling in favor of DOGE being allowed to access the requested data, there are significant concerns about how this access could expose the sensitive information of millions of Americans.
Taken together with the numerous other legal challenges that emerged to block DOGE’s access, these two complaints represent months of challenges to limit DOGE’s access to federal data. This battle has continually centered around what DOGE is legally allowed to access, how it is handling data, and the potential fallout from mishandling that data.
The impact.
While it is unclear how valid the claims of this latest whistleblower complaint are, these allegations warrant further investigation given their severity as well as who is filing them. Though it will take time to fully understand the nature of this SSA cloud server and how vulnerable it is, a breach could affect millions of Americans, exposing them to identity theft and service disruptions.
As this complaint develops and more information is released, American citizens should take time to understand the implications of the complaint and the associated risks. By following this situation, people can understand the impact that a breach could have on their sensitive information and ensure that they are minimizing risks where possible.
US to take partial ownership of Intel.
The news.
On Friday, President Trump announced that the United States (US) government will purchase a stake in Intel by converting provisioned grants into equity. With this sale, the US government will acquire ten percent of the company, which is estimated to be worth $8.9 billion. The government is not taking a board seat and will not have any other governance rights at Intel with this investment. This marks one of the largest government interventions since the auto industry crisis in 2008.
This purchase is accompanied by an additional $2.2 billion in funding from the CHIPS and Science Act and follows extensive negotiations between President Trump and Intel’s CEO, Lip-Bu Tan.
Mr. Tan released a statement, writing:
“We are grateful for the confidence the president and the administration have placed in Intel, and we look forward to working to advance US technology and manufacturing leadership.”
The knowledge.
This move follows other steps by the US government to take a greater role in US semiconductor companies. In August, Nvidia and AMD agreed to a deal to pay the US government fifteen percent of their revenues from chip sales to China, with the administration relaxing semiconductor chip export restrictions.
This move drew significant attention, given the national security concerns related to China accessing advanced chips. US Representative John Moolenaar commented on this deal, stating:
“Export controls are a frontline defense in protecting our national security, and we should not set a precedent that incentivizes the government to grant licenses to sell China technology that will enhance its AI capabilities.”
Beyond the concerns about giving China access to these chips, there are also concerns related to the US government imposing a tax on exports, which is considered illegal. Peter Harrell, a fellow at the Carnegie Endowment for International Peace, expressed concerns with this policy. Harrell emphasized that:
“Regardless of whether you think Nvidia should be able to sell H20s in China, charging a fee in exchange for relaxing national security export controls is a terrible precedent. In addition to the policy problems with just charging Nvidia and AMD a 15% share of revenues to sell advanced chips in China, the US Constitution flatly forbids export taxes.”
Notably, this deal did emphasize that while the government would allow chip sales to China, the export licenses would only allow the companies to sell older chips.
Both these deals and the US government’s involvement with Intel demonstrate that the Trump administration aims to continue expanding its involvement with the semiconductor market.
The impact.
This marks a major shift in how Washington is engaging with the semiconductor market. Under the former Biden administration, the focus was on restricting exports and boosting domestic manufacturing efforts through federal grants. However, under President Trump, this strategy has shifted, embracing trade and taking equity stakes in major market companies.
For companies, this shift could result in new opportunities to expand under government-supported deals, but it could also result in deeper federal involvement in day-to-day operations.
Highlighting key conversations.
In this week’s Caveat Podcast, our team sat down with John Anthony Smith, the Founder and CSO at Fenix24. During this conversation, our team talked about how law firms are falling behind on recovery readiness, especially given the rise in human-operated attacks. Alongside this interview, our team also discussed a recent hack impacting the federal court system. For context, this breach targeted the judiciary's electronic case filing system used for filing pleadings and other legal documents.
Like what you read, and curious about the conversation? Head over to the Caveat Podcast for the full scoop and additional compelling insights. Our Caveat Podcast is a weekly show where we discuss topics related to surveillance, digital privacy, cybersecurity law, and policy. Got a question you'd like us to answer on our show? You can send your audio file to caveat@thecyberwire.com. Hope to hear from you.
Other noteworthy stories.
US Commerce Department voids $7.4 billion grant deal.
What: The Commerce Department has voided semiconductor research funds.
Why: On Monday, the Commerce Department voided a $7.4 billion research fund, which was being managed by the National Semiconductor Technology Center. These funds were originally allocated under the former Biden administration. When voiding these funds, the department stated that these funds were illegally created.
For context, this fund was originally managed by the National Center for the Advancement of Semiconductor Technology (Natcast).
Trump signals intent to extend TikTok ban again.
What: President Trump suggests he may extend the TikTok ban deadline.
Why: On Friday, President Trump implied that he would extend the TikTok sale deadline for the fourth time. Currently, the deadline is set to expire on September 17th.
In a statement, President Trump said:
“We have American buyers. And I haven’t spoken to…President Xi [Jinping] about it. At the right time, when we’re set, I’ll do it. In the meantime, until the complexity of things work out, we just extend a little bit longer.”
