Posted by chirau 1 day ago
> it all simply keeps getting less secure, more complex and brittle until the heat death of modernity
Is it modernity? Seems more likely to be archaic economic systems captured by elites and incentivizing the wrong behaviors on all levels.
Need to bring water bills, credit cards, etc... Although not sure how this would work for a 18 year old with 0 of these ahead of time.
I mean is it like a unique database row id which happens to be a non-changeable-lifetime password which is stored in multiple places in plain-text and you can use it to... "unlock some doors"? Make legally binding agreements remotely... ? Or what?
Or it is PII - privately identifying information which is more of a privacy issue here?
With it, people can take out loans in your name, get into your accounts, file fake tax returns and get tax refunds in your name, and generally act as if they're you. Things are getting a little better nowadays (with additional information required) but we still don't have a secure method of identification online / over the phone.
As a German that feels about correct.
They're also as I understand it, used to handle things like sending everyone voter IDs for elections in advance; this is how the government knows who to send the voting cards to.
Bafflingly, the US does NOT have a national identification method that works like this. There's no country-wide identity document that provides the same assurances. As a result, most US entities (government branches & corporations) have settled on a "closest possible"... which is the social security number. A number that's used to identify every person with attachment to the US in some form since social security is something every US citizen has to interact with. (It also includes a ton of non-citizens since as I understand it, social security is something foreign workers also have to interact with, but that's besides the point.) It's a 9 character long numeric string that identifies you as a person... and has almost no revocation mechanism, even if it ends up in a data breach.
Yet in spite of this, it's still used as a country-wide ID mechanism for a lot of different things and replacing it with a proper ID mechanism has as I understand it (not American) very poor support as it's a culture war issue.
So yeah, someone who knows (name, SSN) or especially (name, address, phone, SSN) can do a lot of harm.
I forgot to include the background to this court case. In 2025, the Chief Data Officer of the SSA, Mr Borges, whistleblew that DOGE had unlawfully uploaded a whole copy of NUMIDENT (the SSA datastore) to an insecure server. Here is the filing from Mr Borges.
https://whistleblower.org/wp-content/uploads/2025/08/08-26-2...
SSA told the court that all DOGE access to personally identifiable information (PII) was revoked by March 24, 2025.
That turned out to be false: a DOGE member ran PII searches the morning of March 24, stopping only around 9:30 a.m.; access was not fully cut until about noon.
2) Sent SSA data to a DOGE official outside SSA.
On March 3, 2025, an SSA DOGE member emailed an encrypted file believed to contain names and addresses of ~1,000 people to Steve Davis, a senior advisor to the U.S. DOGE organization (and a DOL employee).
The file likely contained data derived from SSA systems of record.
It is unknown whether Davis received the password or accessed it.
3) Was given PII access during the TRO even though this was barred.
One DOGE member was granted access to 10 PII databases from March 26 to April 2 (never used, but still improper).
Another received a call-center profile that could access PII from April 9 to June 11; whether PII was viewed is unknown.
4) Had broader systems access than the court was told. SSA discovered additional access that had not been disclosed earlier, including:
Systems containing SSA employee records.
Systems controlling building/IT badge access.
Shared workspaces that could pool sensitive data.
A data-visualization tool that could reach PII.
Additional data-warehouse schemas.
5) Engaged in partisan election-related work inside SSA.
In March 2025, a political advocacy group asked two DOGE members to analyze state voter rolls to try to overturn election results.
One DOGE member signed a “Voter Data Agreement” as an SSA employee with that group on March 24, without agency approval.
SSA later referred this conduct to the U.S. Office of Special Counsel for possible Hatch Act violations.
6) Used an unapproved third-party server to share SSA data.
From March 7–17, 2025, DOGE members used Cloudflare links to transfer data.
Cloudflare is not authorized for SSA data storage; SSA still does not know what data were sent or whether it remains on that server.
Far more representative than the exaggeration posted.
It's really not that difficult to post in good faith and let other people make their mind up. This isn't Reddit or X.
btw op has since acknowledged the mistake and submitted another pdf:
https://news.ycombinator.com/item?id=46899288
A more appropriate title for that upload (not the original we were discussing) might be, eg.:
Whistleblower: DOGE created cloud copy of Social Security database without proper security controls
Note that even that is appropriately more cautious than the original title here.
But please see HN guidelines wrt editorializing if you're unsure.
Now that the US Gov. got to join that club we know there will be no consequences. Until execs from companies like Experian and now the US Gov. faces real Jail time, this will happen over and over.
I have not heard of a large breach from a Company for a while, are these so common that news orgs. no longer bother to report them ?
"in March 2025, a political advocacy group contacted two members of SSA’s DOGE Team with a request to analyze state voter rolls that the advocacy group had acquired. The advocacy group’s stated aim was to find evidence of voter fraud and to overturn election results in certain States. "