U.S. Senate Committee on Finance

09/10/2025 | Press release | Distributed by Public on 09/10/2025 14:16

Crapo Requests Information on Social Security Data Protections

September 10, 2025

Washington, D.C. - Following recent allegations of data mishandling within the Social Security Administration (SSA), U.S. Senate Finance Committee Chairman Mike Crapo (R-Idaho) requested information from the agency to better understand the SSA's data storage and security practices, and to immediately confirm whether sensitive personally identifiable information was accessed, leaked, hacked or disseminated in any unauthorized fashion.

"All credible whistleblower allegations must be taken seriously and claims should be thoroughly investigated if warranted," said Crapo. "It is critical that federal agencies work to implement the strongest protections for Americans' most sensitive personal information and ensure any data mismanagement is addressed through congressional oversight."

In the letter to SSA Commissioner Frank Bisignano, Crapo requests information on:

  • What actions SSA took upon receipt of the whistleblower's concerns about the agency's data security practices;
  • What security measures are in place to ensure sensitive information is handled in accordance with applicable laws and regulations;
  • When SSA first stored personally identifiable information in a cloud environment; and
  • How the SSA assesses the risk of providing certain agency employees with the ability to transfer data from the Numident database to a private cloud environment, and if the process diverged from the agency's usual risk assessment process.

Read the full letter below:

Dear Commissioner Bisignano:

I write to inform you that my staff and I reviewed information recently made public through disclosures and supplemental documents provided to Congress and the U.S. Office of Special Counsel, by Mr. Chuck Borges, a protected whistleblower and former Chief Data Officer of the Social Security Administration (SSA or "agency") on August 26, 2025.

In his complaint against the agency, Mr. Borges described alleged shortfalls in how SSA safeguards personally identifiable information (PII), in a test cloud environment, including how the agency governs access, management, and storage of such sensitive information. Mr. Borges further alleged that his attempts to report his security concerns to his superiors were ignored, which in turn created a hostile work environment and culminated in his resignation from the SSA on August 29.

As Chairman of the Senate Committee on Finance ("Committee"), I must take very seriously every allegation made by a protected whistleblower. Further, given the large amount of sensitive data under SSA's control, I consider the protection and security of PII held by the agency to be a matter of first importance.

As an immediate first step, considering the seriousness of Mr. Borges' allegations concerning SSA's ability to safeguard data collected and maintained by the agency, please inform the Committee on Finance immediately upon receipt of this letter whether the Numident database itself or any data contained in the Numident was accessed, leaked, hacked, or disseminated in any unauthorized fashion.

To better understand the SSA's data security practices more broadly and the agency's response, if any, to Mr. Borges' allegations, I am providing you with the opportunity to respond to the following questions by September 23, 2025.

  1. What actions did SSA take upon receipt of Mr. Borges' concerns about the agency's data security practices, including its handling of the Numident database and the data it contains?
  2. What security measures and/or oversight mechanisms are in place at SSA to ensure sensitive data and PII are handled in accordance with applicable laws and regulations?
  3. When did SSA first store PII in a cloud environment? Why and when did SSA select Amazon Web Services (AWS) to be the agency's cloud service provider?
  4. How did the SSA assess the risk of providing certain agency employees with the ability to transfer data from the Numident database to a private cloud within SSA's AWS cloud environment? Did this process diverge from the agency's usual risk assessment process? If so, how?
  5. If there are any other matters relevant to the Committee better understanding the agency's data security practices generally or Mr. Borges' concerns specifically, please provide additional details for the Committee's awareness.

Thank you for your attention to this important matter. I look forward to your immediate response to the first question regarding the status and security of Americans' personal information in the agency's possession, and to the other questions within two weeks.

Sincerely,

U.S. Senate Committee on Finance published this content on September 10, 2025, and is solely responsible for the information contained herein. Distributed via Public Technologies (PUBT), unedited and unaltered, on September 10, 2025 at 20:16 UTC.