DOGE Staffers Allegedly Violated Federal Cyber Best Practices and Data Privacy Laws

Staffers for the Department of Government Efficiency violated federal cybersecurity protocols and data protection laws by bypassing identity and access controls, gaining system-wide access above even the chief information officer of the National Labor Relations Board, according to a whistleblower complaint made public this week.
The complaint alleges DOGE operatives were given unrestricted control over NLRB’s cloud environment, with no logs or records of their accounts ever being created. It offers one of the most detailed looks yet at how President Donald Trump and billionaire advisor Elon Musk’s task force has reportedly moved to shrink the federal workforce and slash agency spending (see: Whistleblower Accuses DOGE of Data-Harvesting Cover Up).
The filing outlines a series of critical cybersecurity failures that culminated in login attempts from Russian-based IP addresses minutes after the DOGE accounts were activated. Lawyers for Daniel Berulis – the whistleblower behind the NLRB complaint and a veteran DevSecOps architect with a top secret security clearance – said he believes recent DOGE activity at the agency has led to “a significant cybersecurity breach that likely has and continues to expose our government to foreign intelligence and our nation’s adversaries.”
Below is a breakdown of the top cybersecurity failures alleged in the DOGE whistleblower complaint:
Unlogged Creation of High-Level Accounts
Berulis claimed DOGE staffers were granted “tenant owner” level access – higher than even the agency’s CIO – without logs or records of those accounts being created. If accurate, the move would clearly bypass identity and access management best practices. The accounts allegedly had unrestricted control over NLRB’s entire Azure environment, including access to data, infrastructure and log files.
Without proper logging, oversight and forensic investigation would be virtually impossible, and the lack of logging would itself violate controls around auditing events and least privilege.
Denying Oversight, Auditing Roles Within the Agency
NLRB staff were explicitly told not to use existing, limited auditing roles and to instead grant DOGE full, unmonitored access, according to the complaint. Least privilege principles would have seemingly been ignored in such an instance, disregarding security practices that exist to limit access during evaluations of sensitive data.
Granting full access to the DOGE staffers without any proper justification or oversight contradicts guidance from the Cybersecurity and Infrastructure Security Agency, as well as the Federal Information Security Modernization Act.
Use of Obscured and Generic Admin Accounts
Berulis said the DOGE staffers “may have had new accounts created, then deleted after,” though his team later used a CISA tool to discover two “extra high level permission accounts” with unclear origins. One of those accounts was named “NLRB Admin” and the other featured a “generic admin name,” according to the complaint – a known red flag for insider threat or unauthorized access.
NIST and other basic zero trust principles that demand granular user accountability require more specific account names for logging and tracking purposes.
Creation of Hidden Containers, Expired Access Tokens
The complaint details the discovery of “anomalies” within NLRB’s systems, including DOGE-related accounts that seemingly created opaque Azure containers and Shared Access Signature tokens with brief expiration times, designed to be invisible and temporary. Those sorts of moves are classic evasion techniques employed by cybercriminals and foreign adversaries during cloud-based cyberattacks and data exfiltration campaigns.
They’re also clear violations of logging and visibility guidance, which requires agencies to produce, retain and routinely assess audit logs to detect and respond to suspicious activity.
Disabled Logging and Network Monitoring
Berulis said he noticed that Azure’s network watcher and conditional access policies had been disabled or altered, internal alerting systems were off and multi-factor authentication had been unexpectedly disabled for mobile access. These changes would effectively cripple an agency’s ability to detect or respond to attacks in real time.
Experts have long warned against disabling logging and MFA on critical systems, saying those basic cyber hygiene practices prevent credential theft, lateral movement and persistent access.
Exposure to Public Internet, Installation of Suspicious External Tools
The complaint said at least one interface had been exposed to the public internet, potentially exposing entry points to core systems and dramatically expanding NLRB’s attack surface. Threat logs also showed that DOGE accounts downloaded GitHub libraries not used by NLRB, according to Berulis, including tools often used for evasion, or in scraping and brute-force attacks.
Installing external tools without proper review violates a host of software supply chain risk guidelines and federal cybersecurity best practices.
No US-CERT Notification After Major Breach Indicators
Despite there being enough red flags to warrant an internal request to notify US-CERT at CISA – which is required after significant cybersecurity events – the effort was eventually shut down by senior leadership. If true, the move likely violates Federal Information Security Modernization Act reporting requirements.
Agencies are legally required to report incidents involving potential compromise of sensitive systems or personally identifiable information.
Login Attempts From Russian IPs Using DOGE-Created Accounts
Shortly after DOGE staffers created their accounts within NLRB’s systems, the complaint states that login attempts from IPs in Primorskiy Krai, Russia were detected using valid usernames and passwords. The login attempts mean these DOGE-created accounts were known and available to actors in potentially adversary states, raising counterintelligence and national security alarms.
The complaint further states that cascading cybersecurity failures led to at least 10 gigabytes of unexplained outbound data that Berulis saw exiting the agency’s NxGen case management system, as well as spikes in outbound traffic and billing usage aligned with the timeline of DOGE’s access. No corresponding records existed to justify the transfers.
The White House did not respond to a request for comment. NLRB has denied there was any breach of its systems.