
The biggest breach of US government data is under way


Operatives working for Elon Musk have gained unprecedented access to a swath of U.S. government departments — including agencies responsible for managing data on millions of federal employees and a system that handles $6 trillion in payments to Americans.

During the past two weeks, Musk’s group of representatives — a presidential advisory board within the Trump administration known as the Department of Government Efficiency, or DOGE — have taken control of top federal departments and datasets, despite questions about their security clearances, their cybersecurity practices, and the legality of Musk’s activities.

Whether a feat or a coup — which depends entirely on your point of view — a small group of mostly young, private sector employees from Musk’s businesses and associates — many with no prior government experience — can now view and, in some cases, control the federal government’s most sensitive data held on millions of Americans and the nation’s closest allies.

The access by Musk’s DOGE team represents the widest known compromise of federal government-held data by a private group of individuals — and little has gotten in their way. 

DOGE has acknowledged few details about its ongoing activities. That task has been left to the media, which has reported questionable cybersecurity practices and the breakdown of long-standing cybersecurity norms, putting sensitive government data at risk of being accessed by nefarious actors.

Much of DOGE’s work is avoiding oversight and transparency, leaving open questions about whether cybersecurity and privacy practices are being followed. It’s unclear if DOGE staffers are following the procedures to keep this data from being accessed by other people, or if any other steps are being taken to protect the sensitive data on Americans.

So far, the evidence suggests that security is not top of mind.

For example, a DOGE staffer reportedly used a personal Gmail account to access a government call; and a newly filed lawsuit by federal whistleblowers claims DOGE ordered the connecting of an unauthorized email server to the government network in violation of federal privacy law. 

Whether DOGE staffers are bad actors misses part of the point. Acts of subterfuge, espionage, or ignorance could produce the same suboptimal outcome: exposure or loss of the nation’s sensitive datasets. 

For now, it’s worth looking at how we got here.

Questionable security clearances

The ease with which DOGE took over the departments and their vast stores of Americans’ data surprised career officials and U.S. lawmakers, who continue to seek answers from the Trump administration.

Efforts by Musk to take control of the nation’s data stores also privately alarmed cybersecurity professionals, some of whom have spent their careers in government dedicated to securing Americans’ most sensitive systems and data.

Questions remain about what level of security clearance the DOGE staff have and whether their interim security clearance gives them the authority to demand access to restricted federal systems. On returning to office, Trump signed an executive order allowing administration officials to grant “top secret” and compartmentalized security clearance to individuals on an interim basis with little to no substantial vetting, a sharp departure from long-established protocols.

A security guard stands at the entrance to the USAID headquarters on February 03, 2025 in Washington, DC. Image Credits: Kevin Dietsch / Getty Images

The confusion over DOGE staff clearances has led to brief standoffs between several career officials at federal departments in recent days. At the U.S. Agency for International Development, or USAID, senior officials were put on leave after standing in the way of DOGE staff to protect classified information, according to the Associated Press. DOGE subsequently gained access to the classified facility at USAID, which reportedly contained intelligence reports.

Katie Miller, an advisor for DOGE, said in a post on X that no classified material was accessed by DOGE “without proper security clearances,” though details of the team’s clearance remain unspecified, including how many people were granted the interim secret clearances.

Several senior lawmakers of the Senate Intelligence Committee said Wednesday that they were still seeking answers about DOGE and what clearance its members have. 

“No information has been provided to Congress or the public as to who has been formally hired under DOGE, under what authority or regulations DOGE is operating, or how DOGE is vetting and monitoring its staff and representatives before providing them seemingly unfettered access to classified materials and Americans’ personal information,” the senators wrote. 

DOGE’s takeover of government

Within a week of President Trump’s inauguration — and his executive order establishing DOGE — Musk’s staffers began infiltrating a variety of federal agencies. The U.S. Treasury’s sensitive payments systems, which contain personal information of millions of Americans who receive payments from the government, from tax refunds to Social Security checks, were among the first.

DOGE has also gained access to the Office of Personnel Management, the government’s human resources department that includes databases on the personal information of all federal workers, and USAJOBS, which has data on applicants who applied for a federal job.

Officials at the OPM said they had no visibility or oversight into Musk’s team’s access to its systems. “It creates real cybersecurity and hacking implications,” they told Reuters.

DOGE’s activity has led to widespread opposition, including from some Republicans.

Sen. Ron Wyden (D-OR), who serves as the most senior Democrat on the Senate Finance Committee, called Musk’s access to sensitive federal payments systems a national security risk, given the conflict of interest over his extensive business operations in China. A group of senior Democrats said in a later letter to the Treasury that DOGE’s access to sensitive government data “could irreparably damage national security.” 

In a post on Bluesky, former Republican strategist Stuart Stevens called the takeover of the Treasury’s systems “the most significant data leak in cyber history,” adding: “Private individuals in the data business now have access to your Social Security information.”

U.S. Sen. Chris Murphy (D-CT) speaks to a crowd gathered in front of the U.S. Treasury Department in protest of Elon Musk and the Department of Government Efficiency on February 4, 2025 in Washington, DC. Several Democratic members of conference joined the rally to protest Musk's access to the payment system of the Treasury, which houses the private information of millions of Americans.
Several Democratic senators and others outside the U.S. Treasury Department to protest Elon Musk. Image Credits: Anna Rose Layden / Getty Images

The Treasury defended its move to grant access to the department’s sensitive payments systems, confirming in an unattributed response to Democratic lawmakers that Musk’s DOGE team has access to the Treasury’s banks of personal information on Americans. The letter confirms Tom Krause, the chief executive of Cloud Software Group, which owns Citrix and several other technology companies, is now a Treasury employee. Krause has not returned a request for comment. 

DOGE has since gained access to multiple sensitive internal systems at the Department of Education, including datasets containing the personal information on millions of students enrolled in financial aid. DOGE staff also demanded “access to all” systems at the Small Business Administration, including contracts, payments and human resources information.

Musk’s team also reportedly has access to payment systems within the U.S. Department of Health and Human Services, and access to data at the U.S. agency that administers Medicare and Medicaid. DOGE is also accessing personnel systems at the National Oceanic and Atmospheric Administration, or NOAA, and plans to access systems at the Department of Transportation.

Domestic and global ramifications

There are untold security risks that come from granting access to the inner data core of the U.S. government to a group of unelected and private individuals with spurious vetting. 

To name just a couple of things that could go wrong: Accessing the government network from a non-approved computer harboring malware can compromise other devices on the federal network, and allow the theft of sensitive government information, regardless of whether it is classified. And the mishandling of personal information on devices or cloud environments that have not met the standards of the government’s top security specifications, or that do not use the strongest security controls, puts that data at risk of further compromise or leak.

These are not unlikely scenarios; these kinds of breaches happen all the time.

Last year alone saw some of the biggest data breaches in history caused by malicious access gained through the personal devices of company employees, who accidentally installed malware by downloading knock-off software onto their personal computers and not using proper security protections like multi-factor authentication. Any compromise of the team’s credentials or access, or any improper handling of sensitive databases could result in the irretrievable loss, theft, or misplacement of sensitive government data. 

Perhaps most troubling is that DOGE and its activities are operating outside of public scrutiny.

Officials and lawmakers tasked with government oversight reportedly have no insight into what data DOGE has access to within the government, or what its cybersecurity controls or protections are — if any at all. The departmental professionals who have spent much of their careers protecting access to the data stored in these systems cannot do much but stand by and watch as private individuals with little to no prior government experience raid their most sensitive datasets.

Technology and privacy lawyer Cathy Gellis, writing in Techdirt, argues Musk and his DOGE team are likely “personally liable” under the U.S. federal hacking law, known as the Computer Fraud and Abuse Act, which covers the accessing of federal systems without the proper authorization. A court would still ultimately have to find DOGE’s activity to be “unauthorized access” and therefore illegal, wrote Gellis.

There is also the question of how U.S. state governments will respond to the compromise of their residents’ data at the federal level. U.S. states have data breach laws requiring the protection of their citizens’ data, even if the federal government does not. Whether or not Musk’s team’s access to federal systems sparks legal action from the states remains to be seen. 

The access also puts relationships between the United States and its diplomatic allies on shaky ground. Allied nations may not want to share intelligence with the U.S. government if they think the information could leak, spill into the public domain, or otherwise get lost as a result of the breakdown in cybersecurity practices aimed at protecting sensitive information.

In reality, the cybersecurity consequences of DOGE’s ongoing access to federal departments and datasets may not be known for some time. 

Contact Zack Whittaker on Signal and WhatsApp at +1 646-755-8849. You can also share documents securely with TechCrunch via SecureDrop.


