Working Hypothesis Working Hypothesis
Culture/society/ideas Open

Your Data Left the Building

May 4, 2026 By HWB Huxley
The Working Hypothesis
No Verified Destruction or Notification Mandate for DOGE-Era SSA Data by 2028 Open
Executive Summary

Part one of a series on DOGE-era federal data access: the 2015 OPM breach had defined edges and victim notifications—and SSA’s own 2026 court filings say this story may not.

Part one of a three-part series.

The Office of Personnel Management intrusions disclosed in 2015 ultimately exposed sensitive personal information for 22.1 million people, including security-clearance background investigations and, for many, fingerprints. The federal government spent at least $130 million on an initial identity-protection contract for victims. U.S. investigators linked the activity to China, which Beijing denied.

Inside that breach’s shadow is the ordinary chore of fraud alerts and re-verifying identity to banks and employers—not cinematic espionage, but hours lost proving you are who you say you are.

Hold that shape of harm. We’re coming back to it.

The story everyone is telling

The Department of Government Efficiency (DOGE) arrived in early 2025 with a clear mandate: find waste, cut spending, make government leaner. Elon Musk led the informal initiative; the administration embedded DOGE-linked teams across agencies within the first months. Courts pushed back on pieces of the access. Lawsuits alleged Privacy Act violations. In late May 2025, Musk ended his formal stint as a special government employee after hitting a statutory day limit. The story moved on.

The mainstream version is: chaotic, overreaching, probably reckless—but legally checked before permanent damage. Judges issued restraining orders. Access was litigated. Adults stepped in. Government doing its messy thing, loudly, but ultimately self-correcting.

That version is not wrong about the facts it names. It is silent about the ones it doesn’t.

What the story leaves out

The agencies DOGE touched were not one database of federal personnel files.

The Social Security Administration holds your Social Security number, your full legal name, your date and place of birth, your parents’ names, and the identifier that follows you through tax returns, benefits, and most financial life. Treasury’s payment rails hold the bank account numbers used for tax refunds and direct deposits. OPM still holds background-investigation material for anyone who has applied for a federal security clearance—the same class of records that made the 2015 breach so sensitive.

News reporting and whistleblower allegations in 2025 focused on whether DOGE-linked teams obtained inappropriate access to National Labor Relations Board case-management systems containing confidential worker and employer material (NPR, Krebs on Security).

These systems were never architected like one corporate intranet. They were deliberately siloed—separated by design, not accident. The Privacy Act of 1974 exists because Congress recognized the federal government was accumulating extraordinary quantities of information about Americans, and unchecked accumulation was its own risk. The silos are not mere inefficiency. They are the architecture.

DOGE’s stated mission was to find inefficiencies. The silos were what it found.

The working hypothesis: The 2015 OPM breach spent nine figures on initial victim protections alone and eventually exposed more than twenty million people through a defined incident the government could describe and litigate. What happened under DOGE-era SSA access touches essentially every American—and unlike that breach, SSA told a federal court in January 2026 it still could not verify what information left its systems or whether some of it persists outside agency control. The question is not whether this is serious. The question is whether we treat it that way before learning it the hard way.

The scale problem

In January 2026, SSA filed a notice correcting the record in federal court in Maryland. The filing acknowledged that DOGE personnel had used a third-party environment not approved for storing Social Security data during a window in March 2025 and stated that the agency continued to be unable to verify what information was shared or whether it remains accessible—language widely reported as a breakthrough admission after earlier testimony.

Translated out of legal language: the government could not, at that filing, tell you whether data that left its controlled systems was ever deleted.

Incident shape · Notification economics · As of Jan. 2026 filings ```
OPM · 2015
Known compromise scope → federal tally (~22M) & cohort definitions
Victim notification pathway → letters, fraud-alert templates, ID-services contracts
Remediation bounded enough to budget against (nine-figure initial tranche on the record)
DOGE-era SSA · court record
Broad program access + third-party / cloud paths not approved for crown-jewel extracts
Jan. 2026 correction: agency still could not verify what was shared or whether it remains accessible outside controlled environments
Edge condition: without a reconstructable chain of custody, notification templates built for “named breach, named dataset” misfire.
``` Diagram encodes the structural claim: breach response assumes an accountable perimeter. A gap in verification is not merely “more cyber risk”—it is a gap in the administrative physics of warning people.

That is the sentence that separates this story from the OPM breach. In 2015, the breach had a known shape: a defined compromise, a defined victim population, notification letters, and a remediation budget you could point to on a spreadsheet.

The January 2026 filing does not offer that kind of edge. It offers an agency saying—under oath in litigation—that it lacks verification people downstream can rely on.

Separately, a whistleblower complaint now under review by SSA’s Office of Inspector General alleges that a former DOGE software engineer claimed to have retained copies of highly restricted databases on a personal thumb drive—including NUMIDENT, the master enumeration file behind Social Security numbers—and discussed sharing them with a private employer. The engineer denied wrongdoing to the Post; AP reported that SSA’s internal watchdog was investigating. No court has found the allegation true; treat it as contested—but live—infrastructure risk.

This is personal

If you were affected by the OPM breach, you already know what institutional confirmation feels like when it arrives as a letter and a remediation offer.

You should also know that the long-run identity protections Congress funded for many victims—monitoring and related services—faced explicit discussions in 2025 about whether DOGE-era contract reviews could curtail them before statutorily authorized periods end. The formal acknowledgment that a breach happened is what triggered those programs. If an agency cannot confirm a breach happened in the first place, there is no administrative mechanism that behaves like the OPM playbook.

If you ever applied for a federal job, held a clearance, or had a background investigation—your records sit in systems federal litigation confirms DOGE teams accessed.

For everyone else: your Social Security number, earnings record, benefit history, and the bank path your refund travels still live in the systems those filings discuss.

That is not a claim about motives. It is a claim about what was in the room.

What this series is about

There are two questions this piece cannot answer.

The first is whether your data has already been used against you. You may find out through a frozen account, a fraudulent loan, an identity on a credit report you do not recognize. You may never find out. Notification systems assume an agency can confirm an event occurred.

The second is why this happened—recklessness, intent, politics, money. That matters, and later installments will go there.

This series starts with the banking-hours version of the harm because it is not partisan: it is explaining yourself to strangers who have no reason to believe you. That was the cost for millions after a breach the government could name.

What happens when the breach is one the agency cannot verify—and no letter is coming?

What would change my mind

  1. A transparent, independently verified audit trail showing which SSA-derived datasets were accessed, where they were copied, and documentation confirming those copies were destroyed.

  2. Forensic confirmation—by an independent auditor unconnected to the parties—that the cloud or third-party environments referenced in the January 2026 corrections filing no longer retain SSA-derived data.

  3. A final SSA Office of Inspector General finding that the thumb-drive allegations were fabricated or immaterial, produced through the active investigation and sufficient for a reasonable reader to treat the matter as closed.

Related: This Is What a Cover-Up Looks Like — part two: Daniel Berulis’s court-filed account from the NLRB—disabled logging, data movement, and the US-CERT filing that was ordered dropped.

Related: It Doesn’t Matter Who Did It — part three: political, financial, and competitive use cases in sworn filings—and why the “evil vs. incompetent” debate misses the structural failure.

Related: We Already Paid for This — a parallel look at what happens when political intervention meets federal data infrastructure: the cost does not vanish; it moves.

Related: Born Clean — synthetic identity fraud treats an unused Social Security number like vacant land; verification gaps upstream change what “unused” can mean.

If you found this useful, the best thing you can do is forward it to one person who would push back on it. I’d rather be wrong in public than right in private.

Founding Readers

Founding readers get permanent free access.

The first 777 subscribers read everything, forever, at no cost.

No spam. One-click unsubscribe.