U.S. Senate Finance Committee Chairman Mike Crapo (R-Idaho) has formally requested information from the Social Security Administration (SSA) following allegations of data mishandling within the agency. The request comes after whistleblower disclosures suggested possible lapses in how the SSA stores and secures sensitive personal information.
“All credible whistleblower allegations must be taken seriously and claims should be thoroughly investigated if warranted,” said Crapo. “It is critical that federal agencies work to implement the strongest protections for Americans’ most sensitive personal information and ensure any data mismanagement is addressed through congressional oversight.”
Crapo’s letter, addressed to SSA Commissioner Frank Bisignano, seeks details on several points related to the agency’s data security practices. These include the actions SSA took in response to concerns raised by a whistleblower, what security measures are in place for handling sensitive information, when personally identifiable information was first stored in a cloud environment, and how risks are assessed when employees are given access to transfer data from key databases such as Numident.
The inquiry follows a complaint filed by Chuck Borges, former Chief Data Officer at SSA, who alleged deficiencies in how the agency safeguards personal data in its test cloud environment. Borges also claimed his efforts to report these issues were ignored, which he says led to a hostile work environment and ultimately his resignation.
Crapo emphasized the importance of addressing such allegations due to the large volume of sensitive data managed by SSA. He requested an immediate update regarding whether any unauthorized access or dissemination of information from the Numident database had occurred.
The letter also asks for further explanation about SSA’s choice of Amazon Web Services as its cloud provider and whether risk assessment processes deviated from standard procedures when certain employees were given access privileges.
SSA has been asked to respond immediately regarding potential breaches and provide additional answers by September 23, 2025.

