A former DOGE employee transmitted an unencrypted database containing personal information to two officials from the Trump administration, constituting a violation of U.S. Treasury Department policy. This fact emerged in court documents.
The incident is linked to a lawsuit filed in February by the Attorney General of New York, alongside 18 other state attorneys general. The lawsuit concerns DOGE’s access to the Bureau of Fiscal Services (BFS) of the U.S. Treasury, which is responsible for distributing trillions of dollars to American families, government employees, and contractors, as well as administering social benefits, the Medicare program, tax credits, grants, and other financial disbursements.
A newly submitted court document includes sworn testimony from David Ambrose, Chief Security and Data Protection Officer at BFS. He informed the court that former DOGE employee Marco Elez had violated Treasury regulations by transmitting an unencrypted database containing personal data without obtaining prior authorization for its transfer.
Elez gained access to BFS systems in January and early February but soon resigned after it was revealed that he had maintained an account on X* where he posted racist statements and advocated for a so-called “eugenic immigration policy.”
Following Elez’s departure, Treasury cybersecurity specialists conducted a forensic analysis of his email and corporate laptop. The examination determined that Elez had not made any alterations to BFS’s payment system, thereby dispelling rumors that he had unrestricted access to Treasury production systems. Instead, Elez possessed only a laptop with a secured testing environment, a copy of the source code, and read-only access to data, without permission to modify it.
However, previously submitted evidence suggests that Elez had, at least indirectly, influenced the identification of certain payments to facilitate their verification for the U.S. Secretary of State. Additionally, it was discovered that Elez had, for a brief period, inadvertently been granted write access, though this status was swiftly revoked and reverted to read-only. At present, there is no evidence that he utilized or was even aware of this elevated access.
The transmission of the database containing personal data constitutes a separate violation. According to court filings, the database included names (of individuals or organizations), transaction types, and amounts. While it did not contain Social Security numbers (SSNs) or other critically sensitive details, its unencrypted transfer, without the required Form 7005 authorization, was deemed a breach of BFS policy.
Witness testimonies also touched upon the level of security clearance granted. Elez was issued a temporary “Secret” clearance on January 22, enabling his access to BFS systems and infrastructure. This aspect has become a focal point in the legal proceedings, raising concerns about the depth of vetting for DOGE employees before they are granted access to government data.
Recent reports indicate that over 100 CISA employees were dismissed without prior notice in late February and early March. Among those affected were Red Team specialists responsible for simulating cyberattacks to uncover vulnerabilities, as well as incident response experts. The layoffs were reportedly initiated by the Department of Government Efficiency (DOGE), led by Elon Musk.
