Tag:

security

Whistleblower claims DOGE uploaded Social Security data to unsecure cloud server

by admin August 26, 2025

The Social Security Administration’s (SSA) chief data officer, Charles Borges, has filed a whistleblower complaint alleging that members of the Department of Government Efficiency (DOGE) uploaded a copy of a key Social Security database to an unsecured cloud environment in June, the New York Times reported. This may have exposed the personal information of hundreds of millions of Americans. The complaint alleges that under the authority of the SSA’s Chief Information Officer, Aram Moghaddassi, a copy of the country’s Social Security information was held in a cloud environment that lacked any security oversight or adherence to SSA security protocols. The information uploaded was from the Numerical Identification System (Numident) database, and includes the names, Social Security numbers, place and date of birth, citizenship, race, ethnicity, address and even parents’ names of anyone who has ever had a Social Security number, even those who are no longer alive.

“Mr. Borges has raised concerns internally with various authorities in the Chief Information Officer’s (CIO) office and to date has not been made aware of any remedial action. He therefore elevates his concerns out of a sense of urgency and duty to the American public,” the complaint states. “Should bad actors gain access to this cloud environment, Americans may be susceptible to widespread identity theft, may lose vital health care and food benefits, and the government may be responsible for reissuing every American a new Social Security number at great cost.”

The approvals to copy the Numident database were, despite the enormous risk of that information falling into the wrong hands, approved expeditiously, according to the complaint. “I have determined the business need is higher than the security risk associated with this implementation and I accept all risks,” Moghaddassi wrote in a memo. Another senior DOGE official, Michael Russo, is alleged to have signed off on the decision in under half an hour. Before accepting his position as CIO, Moghaddassi worked for then-de facto DOGE boss Elon Musk at both Neuralink and X.

In a statement to the New York Times, SSA spokesperson Nick Perrine said the agency was “not aware of any compromise to this environment” and that “the data referenced in the complaint is stored in a longstanding environment used by S.S.A. and walled off from the internet.”

That DOGE should have access to sensitive data in the first place was the subject of tension within the federal government earlier this year. Several lawsuits attempted to block DOGE from accessing SSA, Treasury and Office of Personnel Management data. Via the so-called shadow docket, the Supreme Court struck down a Fourth Circuit injunction preventing the agency from siphoning SSA data in June. Among his other allegations, Borges claims DOGE regained access to the data during the injunction period.

Source link

August 26, 2025 0 comments

Gaming Gear

The government’s spending review: Citizen data and digital identity projects need high security by default

by admin August 21, 2025

The UK government’s spending review in June set out its plans to invest in Britain’s renewal: its security, health and economy.

Digital technologies featured heavily in the review with government pledging that it will provide “funding directly to departments to build strong digital and technology foundations, modernize public service delivery, and drive a major overhaul in government productivity and efficiency.”

One of the ways it has done this is by introducing a GOV.UK Wallet and a GOV.UK App, which aims to deliver more personalized customer experiences and verifiable digital credentials for citizens.

The pros and cons of centralizing data

Centralizing citizen data and digital identities has clear benefits. It enables more joined up services, reduces duplications allows for more seamless, personalized user experiences and could improve access and efficiency across the NHS and other public services.

For the NHS, for example, a single patient record could help doctors and specialists deliver better, more consistent care across the health service. For citizens interacting with government departments, a unified app and wallet could simplify administrative tasks and improve digital inclusion.

Technology Secretary Peter Kyle has said in recent interviews that, “People’s private data will not be shared outside of government.” However, despite the Technology Secretary’s assurances, this approach does come with significant risks. Centralized citizen data represents some of the most sensitive information any organization could hold. Health records, identity details and government interactions, combined in a single system, are a goldmine for cybercriminals.

And no doubt there will be some concerns from the public regarding its security – particularly in light of recent, very public, high profile cyber-attacks. Over the last 18 months, the UK has seen a series cyber attacks on both public and private sector organizations, including health authorities and councils, as well as the recent M&S and Qantas data breaches.

These incidents have highlighted the vulnerability of critical services and the real-world impact of compromised data, from patient safety to public confidence.

As these services become more integrated and reliant on shared data infrastructure, the risk of a breach also grows. A single point of access to multiple datasets can become a high-value target for threat actors. The more data an attacker can obtain from one place, the more appealing, and damaging, a breach can be.

A proactive approach to information security

With these very real threats, a proactive, systems-led approach to information security must be embedded from the outset.

The government needs to ensure that privacy by design and security by default is in every digital service developed. This means applying rigorous access controls, encryption, and secure development practices across every data touchpoint. That said, it is crucial that continuous monitoring for vulnerabilities and suspicious activities happens throughout the system lifecycle – and not just after deployment.

Similarly, the systems need to ensure that they comply with UK GDPR, the Data Protection Act and other relevant standards.

These requirements must be seen not as a burden by the government but as the bedrock of responsible digital innovation.

Building a high-security posture

To meet these heightened security demands, following the guidance provided by internationally recognized security standards, such as ISO 27001, can be a logical place to start to get ahead of the increased risks to highly personal data this approach represents.

Standards such as ISO 27001 offer a structured, repeatable framework for managing risk, protecting information assets and demonstrating compliance. But it’s more than a tick-box exercise, it is a cultural shift in how risk is understood, communicated, and mitigated across every layer of an organization.

If the government embeds the principles of ISO 27001 into its delivery of these new services from the outset, rather than retrofitting them post-launch, it can design services that are both secure and scalable. It can ensure that it is identifying and evaluating new and emerging threats as digital services evolve.

It will also mitigate risks through policy, controls and continual improvement. But it will also be able to demonstrate accountability and transparency to the public – which is key.

Transparency is key to building public trust

Security isn’t just about systems, it is also about perception. The government’s digital strategy must be underpinned by public trust. Clear communication about how data is used, who has access, what safeguards are in place and what recourse citizens have in the event of a breach is essential.

Publishing high-level information security policies, adopting standards like ISO 27001 and engaging with the public on data protection issues will help foster the confidence needed to make digital services work.

Public sector leaders must ensure that information security is not treated as an afterthought. That means prioritizing risk management now – not waiting for a breach to expose the consequences of delay.

We list the best identity management solution.

This article was produced as part of TechRadarPro’s Expert Insights channel where we feature the best and brightest minds in the technology industry today. The views expressed here are those of the author and are not necessarily those of TechRadarPro or Future plc. If you are interested in contributing find out more here: https://www.techradar.com/news/submit-your-story-to-techradar-pro

Source link

August 21, 2025 0 comments

Product Reviews

Microsoft’s August 2025 security updates are breaking recovery tools on Windows 10 and Windows 11 PCs

by admin August 20, 2025

Microsoft has acknowledged an issue with its recent August 2025 security updates that prevent users from resetting or recovering their systems using built-in Windows tools. According the company, the bug affects older versions of Windows 11 including 23H2 and 22H2 as well as Windows 10 22H2, Windows 10 Enterprise LTSC 2019/2021, and Windows 10 IoT Enterprise LTSC 2019/2021.

Installing this month’s security updates can potentially break the Windows recovery options for users. Those attempting to reinstall Windows without losing their personal files through the Reset this PC feature may run into failures. Similarly, the Fix problems using Windows Update feature, which attempts to reinstall the current version of the OS on your device while preserving all your apps, documents, and settings, is also broken. Microsoft has also warned that the bug could affect IT administrators who rely on the RemoteWipe configuration service provider to reset devices remotely.

According to testing by Windows Latest, attempts to reset a PC on Windows 11 23H2 using the Reset this PC feature causes the process to start and then roll back immediately, leaving the reset incomplete. After this failure, no personal files are lost, but the recovery feature becomes unusable. Additionally, Windows doesn’t give any warning that the reset process can fail, meaning most people won’t realize there’s a problem until they actually try to reset their PC.