Source: securityboulevard.com – Author: Jeffrey Burt
A cybersecurity specialist with the U.S. National Labor Relations Board says that technologists with Elon Musk’s cost-cutting DOGE group may have caused a security breach after illegally removing sensitive data from the agency’s servers and trying to cover their tracks.
In a lengthy testimonial sent to the Senate Intelligence Committee and made public this week, Daniel Berulis said in a sworn whistleblower complaint that soon after the workers with President Trump’s DOGE (Department of Government Efficiency) came into the NLRB’s offices in early March, he and other tech pros with the agency noticed in agency systems the presence of software tools, similar to what cybercriminals use to evade detection, that disabled monitoring and other security features used to detect and block threats.
The testimony was sent to Senator Tom Cotton (R-AR), chairman of the committee, and Senator Mark Warner (D-VA), the panel’s vice chairman.
Covering Their Tracks
For example, one such tool generated IP addresses for web scraping and brute-force operations, he said. At one time, Berulis saw that controls used to prevent insecure or unauthorized mobile devices from logging into the agency’s cloud tenant were disabled in Microsoft’s Azure Purview. The DOGE crew also deleted access logs.
Because of such measures, Berulis and others were unable to track who was accessing the data or where the data was going, though he could see that vast amounts of data were being moved.
At one point, he said, he found that at least 10 gigabytes of data had been removed from the agency’s network. It could have been more, but he said that was difficult to discern because the data could have been consolidated or compressed.
“This opens up the possibility that even more data was exfiltrated,” he said in his statement. “Regardless, that kind of spike is extremely unusual because data almost never directly leaves NLRB’s databases.”
User with a Russian IP Tries to Get In
Just as troubling was that soon after the DOGE workers accessed the agency’s systems, cybersecurity specialists noticed that a user with a Russian IP address started trying to log into the systems.
“Those attempts were blocked, but they were especially alarming,” Berulis said. “Whoever was attempting to log in was using one of the newly created accounts that were used in the other DOGE related activities and it appeared they had the correct username and password due to the authentication flow only stopping them due to our no-out-of-country logins policy activating.”
The unknown user with the Russian IP address tried to log into the system more than 20 times, and many of those attempts occurred within 15 minutes of the DOGE engineers creating those accounts.
Widespread Concern About DOGE
Berulis’ testimony echoed the concerns of many government employees at various agencies after the crew from DOGE – a non-official agency created by Trump and led by Musk supposedly to ferret out wasteful government spending – got access to data in their systems. Several lawsuits filed over the vast access DOGE had to sensitive data are making their way through the courts.
Trump has praised DOGE’s work in slashing budgets and firing federal workers, and his government has ordered officials at these agencies to give the group full access to data and systems.
Berulis said he and others were told by NLRB bosses that “we were to hand over any requested accounts, stay out of DOGE’s way entirely, and assist them when they asked. We were further directed not to resist them in any way or deny them any access.”
He said he and another person in late March reported their concerns to a federal body within CISA – US-CERT – but about a week later were told that “instructions had come down to drop” the reporting to US-CERT and not file a report.
Call for Investigations
In a letter accompanying the written testimony, Berulis’ attorney, Andrew Bakaj with the Whistleblower Aid group, said two things in combination should result in a Congressional investigation: someone using an IP from Russia trying to log in with valid credentials like usernames and passwords, and data being exfiltrated from systems by DOGE to unknown servers.
DOGE’s activities “have resulted in a significant cybersecurity breach that likely has and continues to expose our government to foreign intelligence and our nation’s adversaries,” Bakaj wrote.
Threats in the Physical World
The lawyer also said that Berulis was physically threatened by unknown people while working with the law team on the statement. The threats included a note taped to a door at Berulis’ home that included photos taken by drones of him walking in the neighborhood. The note also referenced the sworn statement.
“While we do not know specifically who did this, we can only speculate that it involved someone with the ability to access NLRB systems,” Bakaj wrote.
A spokesperson with the NLRB, in comments to news outlets, has denied the details in Berulis’ statement – something they claimed was shown in an internal investigation – and said that DOGE staffers were never given access to agency data.
Representative Gerald Connolly (D-MA), ranking member of the House Committee on Oversight and Government Reform, said that after Berulis’ disclosures and an NPR report on the case, he is asking Luiz Santos, acting inspector general at the Department of Labor, and Ruth Blevins, NLRB inspector general, to launch an investigation of DOGE’s actions at the agencies.
Connolly said the group was engaged in “technological malfeasance and illegal activity” and noted that Musk’s companies face enforcement actions by both agencies, creating a conflict of interest.
Original Post URL: https://securityboulevard.com/2025/04/whistleblower-musks-doge-stole-data-caused-breach-at-u-s-agency/?utm_source=rss&utm_medium=rss&utm_campaign=whistleblower-musks-doge-stole-data-caused-breach-at-u-s-agency
Category & Tags: Cloud Security,Cybersecurity,Data Privacy,Data Security,Featured,Governance, Risk & Compliance,Identity & Access,Mobile Security,Network Security,News,Security Boulevard (Original),Social – Facebook,Social – LinkedIn,Social – X,Spotlight,Threat Intelligence,Threats & Breaches,Data breach,DOGE,Donald Trump,Elon Musk,NLRB