Doge Put Critical Social Security Data at Risk, Whistle-Blower Says
Key topics
A whistle-blower's bombshell claim that a government agency, DOGE, put sensitive Social Security data at risk has sparked a heated debate about data security and the role of courts in preventing potential harm. While some commenters, like shadowgovt, argue that courts can only address harm after it occurs, others, such as Eddy_Viscosity2, counter that courts can indeed intervene before harm is done through injunctions. The discussion reveals a nuanced understanding of the laws governing data storage, with some pointing to the Privacy Act of 1974 as a relevant regulation, as noted by thesuperbigfrog. As the conversation unfolds, it becomes clear that the intersection of data security, government accountability, and judicial power is a complex and timely issue.
Snapshot generated from the HN discussion
Discussion Activity
Active discussionFirst comment
1m
Peak period
17
6-9h
Avg / period
4.6
Based on 55 loaded comments
Key moments
- 01Story posted
Aug 26, 2025 at 9:37 AM EDT
4 months ago
Step 01 - 02First comment
Aug 26, 2025 at 9:38 AM EDT
1m after posting
Step 02 - 03Peak activity
17 comments in 6-9h
Hottest window of the conversation
Step 03 - 04Latest activity
Aug 28, 2025 at 11:08 AM EDT
4 months ago
Step 04
Generating AI Summary...
Analyzing up to 500 comments to identify key contributors and discussion patterns
Want the full context?
Jump to the original sources
Read the primary article or dive into the live Hacker News thread when you're ready.
The fact that the courts (largely SCOTUS) has allowed this whole mess to go on is bonkers. These are potentially terrible results for citizens by an organization that continuously has shown no care for the rights of citizens ... and yet is given a free hand to do what it wants.
There's no negative impact to saying "no you can't do the thing until you get your security shit together".
Avoiding ending up in court is the purpose of agency policy, and... gestures widely at the current state of the United States Executive regarding policy adherence.
What you're describing is an injunction, and in general, courts are loathe to hand them out (this one notwithstanding). It happens, but the bar is generally extremely high. Even prior to Trump, I wouldn't expect one for this category of executive operation for the same reason that I wouldn't expect one if someone complained that the government was physically transferring PII in an agent's car instead of a Brinks truck.
Another is the NIH funding, where lower courts agreed and SCOTUS over-turned. https://www.npr.org/2025/08/21/g-s1-84441/supreme-court-nih-...
Consider the same SCOTUS and its block on Biden's student loan relief. A notable example because the president has clear authority to waive or modify the loans. But it was blocked.
To my knowledge there is no law enacted by congress that dictates how SSN data is stored. Congress created the social security apparatus but day to day operations of said apparatus are in executive branch and executive branch ultimately carries the wishes of the president. So if president directs part of executive branch (DOGE) to audit another part of executive branch (social security) it's legal and works exactly as the constitution prescribed.
Like the Privacy Act of 1974?
"The Privacy Act prohibits the disclosure of information from a system of records absent of the written consent of the subject individual, unless the disclosure is pursuant to one of twelve statutory exceptions."
https://en.wikipedia.org/wiki/Privacy_Act_of_1974
https://www.justice.gov/opcl/privacy-act-1974
Federal agencies are subject to this law and these actions are violations of the law: https://en.wikipedia.org/wiki/Privacy_Act_of_1974#Under_the_...
some psychopaths stole a lot of personal data from the US federal government, and we don't know who took it, what they took, what they did with it, or why.
but don't worry, that's Politics, and so we should just ignore the crimes being done in public and talk about how we can enrich the technofascists who might give you some equity if you work hard.
Yeah, but this is always true. And it didn't happen.
I think if what you’re working on is very low stakes, e.g. the initial versions of Facebook, or an AI music generator app, and maybe even marketing, it’s not unreasonable to try and move really quickly because the likelihood of real damage is pretty low.
Of course when you’re dealing with money or social security data or medical stuff, it’s different; that stuff is very much “move slow and don’t break anything!”
> How about move fast and test/verify/validate shit instead?
Because that inherently isn’t moving fast.
I don’t completely agree with the “Move Fast And Break Shit” mantra myself, but I think it comes out of genuine frustrations from the enterprise world.
I worked at a BigTechCo [1] in the past, and it felt like I would spend twenty minutes doing a ticket, and it would take two days for everyone to “verify” my PR. Even doing a quick fix for a null pointer exception can take three or four days to get deployed as a result of this. The stuff I was working on was not high stakes. I wasn’t dealing with money or medicine or pacemakers or weather analysis or anything like that.
The Move Fast and Break Shit stuff comes as a bit of an overcorrection on this, but I think fundamentally the idea is that a lot of this stuff really isn’t that important, and it’s better to just deploy something that “probably works” and fix problems as they happen.
[1] It’s not too hard to find based on my post history but I politely ask you do not post specifics here.
2) they very easily could have determined how readily the bot talks about suicide under guise of "character development" or whatever they call that very well known jailbreak.
3) move fast and break shit with social media and AI is sociopathic. Better to save it for the todo apps. At this point MFABS is just another way to say unprofessional software engineering in favor of more profit.
Not what I meant. Even if the test suite itself executed instantly, which it doesn't and it's ridiculous to assume that test suites are "well designed" in the average case, it's still the bureaucratic slow nightmare of "enterprise development".
> they very easily could have determined how readily the bot talks about suicide under guise of "character development" or whatever they call that very well known jailbreak.
Even if it could be detected it is absolutely in no way implied, or even suggested, that having a bureaucratic enterprise test suite would have detected that. That's just an assertion that you're making.
> move fast and break shit with social media and AI is sociopathic.
As I said, I don't completely agree with the mantra. I just said that it comes out of a legitimate frustration with how awful enterprise development can be.
> At this point MFABS is just another way to say unprofessional software engineering in favor of more profit.
I don't disagree with this, hence why I said it's ok for stuff that's low-stakes. If you're working on something like, for example, a music recommendation system, and the system accidentally plays a Taylor Swift song instead of Metallica, and this happens because some software wasn't properly tested, it really isn't a big deal, somehow the metal-head will survive.
"Professional" and "unprofessional" aren't well defined terms. There are times when it's ok to half-ass something because it's better to just get something that works instead of getting something that's perfect. There are lots of applications, maybe even most applications, where that doesn't apply and it's better to try an strive for perfection, but it is intellectually dishonest to pretend that everything silicon valley is working on is high-stakes and that striving for perfection immediately is actually beneficial.
I would love a universe where everyone designed everything in TLA+ (or something similar) before building software, this would make me irrationally happy, but I understand that it's not realistic or even reasonable to do this for every application.
Yet politicians continue to act like the government should operate like a business and for some reason all of us working in corporate America think this is a good idea...
The federal government certainly isn't perfect but the solution is not to try and make it more like the corporate dystopia.
Most companies nowendays claim to be "Move Fast and don't break shit" when in reality they're "Move Fast and Break Shit". See the whole CrowdStrike debacle [1], both sides of that lawsuit are in the wrong here. Crowdstrike shouldn't've down a rapid deployment like that and Delta wasn't supposed to use the Falcon Agent on those systems. They both choose to move fast without verification and broke stuff. Neither of them are going to say that "Move Fast and Break Shit" is their style but it is!
[1]: https://en.wikipedia.org/wiki/Delta_Air_Lines_v._Crowdstrike
Yet!
https://federalnewsnetwork.com/workforce-rightsgovernance/20...
It’s not weird to think that maybe his new gestapo would be doing that too.
> The agency’s chief information officer Aram Moghaddassi approved the move to copy the database to the agency’s cloud, saying he “determined the business need is higher than the security risk” and that he accepts “all risks” with the project.
It's like co-signing a $1M loan when you only have $100 to your name.
They made no effect to ensure security and will do so again.
It sounds more like the CDO is butthurt that he's being ignored. Note that his claim says they uploaded it into an agency controlled aws environment that apparently lacking in independent security controls.
So he's saying his agency runs insecure cloud servers?
"Meanwhile, the Vice president of the United States has been lashed out of office and disbarred in his home state of Maryland, the president himself is teetering on the bring of a Burglary/Conspiracy indictment that will mean certain impeachment, and the whole structure of our government has become a stagnant mockery of itself and everybody who ever had faith in it"
https://www.politico.com/news/2025/08/12/trump-doge-contract...
Note the above story has already been submitted to HN - and flagged. Clearly there is a cabal of Musk/MAGA supporters gaming HN moderation to make sure a story from a reputable outlet, doing appropriate investigation and data analysis, about a tech/IT organization, claiming to do revolutionary improvements to the tune of billions of $, led by an "innovator" who might be the poster child of "hackers" and "startup founders" and whose interviews have been on HN front page repeatedly, is buried.
If the Therac-25 accident happened today and Musk was involved, would HN as it is now allow people to read and learn about it?
You can get an inconvenient approximation of challenge/response by freezing your reports with the bureaus and only unfreezing them briefly when applying for new credit.
7 more comments available on Hacker News