Court filing: DOGE aide broke Treasury policy by emailing unencrypted database

Original link: https://www.theregister.com/2025/03/17/doge_treasury/

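A former aide to "DOGE", the Trump-era cost-cutting unit led by Elon Musk, violated Treasury policy by sending Trump administration officials an email with an unencrypted database containing personal information. The disclosure is part of a lawsuit brought by 19 state attorneys general challenging the legality of DOGE's access to the Treasury's Bureau of Fiscal Services (BFS), which handles trillions of dollars in government payments. The aide, Marko Elez, had access to BFS systems in order to identify potential fraud, but resigned after evidence emerged that he had engaged in racist and hateful activity online. Although an internal analysis found that Elez did not directly alter payment systems or make use of his brief read-write access, he did send a spreadsheet containing names, transaction types and amounts, in violation of Treasury's encryption and approval protocols. Although the data was considered "low-risk" because it lacked Social Security numbers, state attorneys general and lawmakers have raised concerns about Elez's security clearance. The incident highlights concerns about data security and the potential for abuse in DOGE's operations.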

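A Hacker News thread discusses a report that Treasury aide Marko Elez violated policy by emailing an unencrypted spreadsheet containing personally identifiable information (PII) to two General Services Administration officials. The spreadsheet contained names, transaction types and amounts. Although the data was considered "low-risk" because it lacked specific identifiers such as Social Security numbers, the incident violated Bureau of Fiscal Services (BFS) policy, which requires such data transfers to be encrypted and approved in advance via a "Form 7005". Commenters debated the seriousness of the incident, noting that "database" is a misnomer, since the data was most likely a spreadsheet generated from a database query. Some saw it as merely a sign of bureaucratic inefficiency, while others saw it as a security and compliance violation. The thread also mentioned earlier reporting on Elez's resignation over racist social media posts. There is concern that foreign governments could exploit the collected data.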

Original text

A now-former DOGE aide violated US Treasury policy by emailing an unencrypted database containing people's private information to two Trump administration officials, according to a court document filed Friday.

That filing pertains to a February lawsuit brought by New York Attorney General Letitia James and 18 other state AGs challenging DOGE's access to the Treasury Department's Bureau of Fiscal Services (BFS), which disburses trillions of dollars annually to US households, federal employees, and contractors including Social Security and Medicare benefits, tax credits, and grants and payments.

DOGE being the Trump-blessed unit, operated by the President's éminence grease Elon Musk, that has been going around the federal government looking for costs to trim, projects and programs to cancel, and thousands of civil servants to lay off. DOGE had been poking around inside the Treasury's systems ostensibly to find evidence of fraud and to flag up transactions the Tesla tycoon disapproved of, which New York et al in their lawsuit argue was digitally insecure and legally unsound.

The latest filing [PDF] contains sworn testimony of David Ambrose, the chief security and privacy officer at the BFS, who told the court that then-DOGE operative Marko Elez violated Treasury rules by sending the unencrypted database including personally identifiable information and by not obtaining prior approval for the transmission.

Elez, who had been granted access to BFS systems and equipment in January and early February, resigned soon after when evidence emerged linking him to a Twitter account that had pushed for hate against Indian people, advocated for a "eugenic immigration policy," and boasted: "I was racist before it was cool."

After his departure, Treasury security personnel performed a forensic analysis of Elez's presumably administration-assigned email account and government-issued laptop, according to the testimony.

This analysis "revealed that Elez did not make any alterations or changes to bureau payment systems," it notes.

As an aside, that's important because it was earlier speculated or rumored Elez had been given full super-user read-write access to production Treasury systems to alter payment processes and information, and had used that capability, but it turns out – according to the department's senior IT staff at least – that wasn't quite right, and that Elez had much more locked-down access, confined to a govt-issued laptop, a secure sand-box environment with a copy of the dept's source code, and a read-only view of data. There was no ability to push changes to production, we're told.

Earlier testimony submitted in the case stated Elez made at least one change, albeit indirectly via Treasury staff, to identify certain payments, seemingly so that the Secretary of State could more easily review them.

And Elez was also accidentally given read-write-level access at one point, but this was quickly changed to read-only, and no evidence was found that he had used that privilege or was even aware of it.

The latest testimony adds, however, that the email with a spreadsheet containing personal info is a different story from the inspection of payment system code. The data included a name (either a person or entity — the court document doesn't specify), a transaction type, and an amount of money.

While the analysis concluded the info is "low-risk," because it didn't also include social security numbers or more specific identifiers, "Elez's distribution of this spreadsheet was contrary to BFS policies," the testimony claims.

Specifically: "It was not sent encrypted, and he did not obtain prior approval of the transmission via a Form 7005, describing what will be sent and what safeguards the sender will implement to protect the information," it continues.

The testimony also addresses Elez's security clearance, which has been a point of contention among the state AGs and Democratic lawmakers. Elez was granted an interim secret clearance on January 22, and as such was "eligible to access the Bureau's Systems and Equipment." ®
