(comments)

Original link: https://news.ycombinator.com/item?id=43398579

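A Hacker News thread discusses a report that Treasury aide Marko Elez violated policy by emailing an unencrypted spreadsheet containing personally identifiable information (PII) to two General Services Administration officials. The spreadsheet contained names, transaction types, and amounts. Although the data was considered “low risk” because it lacked specific identifiers such as Social Security numbers, the incident violated Bureau of the Fiscal Service (BFS) policy, which requires such data transfers to be encrypted and approved in advance via a “Form 7005.” Commenters debated the severity of the incident, noting that the word “database” was a misnomer, since the data most likely came from a spreadsheet generated by database queries. Some saw it as merely a display of bureaucratic inefficiency, while others saw it as a security and compliance violation. The thread also mentions earlier reporting on Elez's resignation over racist social media posts. There are concerns that foreign governments could exploit the collected data.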


Original text
Court filing: DOGE aide broke Treasury policy by emailing unencrypted database (theregister.com)
40 points by rntn 37 minutes ago | 20 comments










> The names in the spreadsheet are considered low risk PII because the names are not accompanied by more specific identifiers, such as social security numbers or birth dates. Elez’s distribution of this spreadsheet was contrary to BFS policies, in that it was not sent encrypted, and he did not obtain prior approval of the transmission via a “Form 7005,” describing what will be sent and what safeguards the sender will implement to protect the information.

Literally a parody of government inefficiency and we’re reading news articles about “how it’s good, actually.” The people who make “Form 7005” are the ones we hate, remember?



How does one email a database? With rare exceptions most mail servers have attachment limits of 16MB to 32MB. Just the schema alone could use up a chunk of the attachment limits. Is the title just oddly worded perhaps? Maybe they meant specific query results?

[Edit] Based on replies, specific query results of two people into a spreadsheet. Poorly worded title on El Reg's part. Still a security, privacy and compliance incident.



From case witness testimony https://storage.courtlistener.com/recap/gov.uscourts.nysd.63...

    12. The forensic analysis also revealed that Elez sent an email with a
    spreadsheet containing PII to two United States General Services Administration
    officials. The PII detailed a name, a transaction type, and an amount of money.


Everyone in this thread should read this filing; it's only a couple of pages.

Previous background on Ryan Wunderly and Marko Elez: https://www.politico.com/news/2025/02/20/treasury-irs-data-w...

"Treasury said Ryan Wunderly will replace Marko Elez on the agency’s DOGE team. Elez examined the federal payments system housed at the Bureau of the Fiscal Service before he resigned from Treasury earlier this month after The Wall Street Journal surfaced racist social media posts."



Isn't the cat already out of the box? If the White House and its dictator are agreeing to it, it could mean they don't need full access anymore.


OK that makes a lot more sense. Thank you.


"database" in legal/business speak (AFAIK) is the more general "organized collection of data" - not the more software engineer focused relational/object/graph- implementations of such.


The actual filing (which is linked from the article) is more specific in its claims:

> The forensic analysis also revealed that Elez sent an email with a spreadsheet containing PII to two United States General Services Administration officials.

https://storage.courtlistener.com/recap/gov.uscourts.nysd.63...

The word "database" never appears in the filing, that's The Register's word choice.



He’s already resigned because he was linked to racist and abhorrent social commentary; the export was considered low-risk; and based on what happened between coequal branches of government this week, the Administration feels they’re accountable to no one.

So; not a paddlin’.



Export into CSV, attach, done. 10MB can contain a million people's PII.


I bet it was an Excel file and he failed to password-zip it )


It might surprise the good readers of Hacker News, but by reading TFA, and the linked PDF therein, answers may be revealed!

> 12. The forensic analysis also revealed that Elez sent an email with a spreadsheet containing PII to two United States General Services Administration officials. The PII detailed a name (a person or an entity), a transaction type, and an amount of money. The names in the spreadsheet are considered low risk PII because the names are not accompanied by more specific identifiers, such as social security numbers or birth dates. Elez’s distribution of this spreadsheet was contrary to BFS policies, in that it was not sent encrypted, and he did not obtain prior approval of the transmission via a “Form 7005,” describing what will be sent and what safeguards the sender will implement to protect the information.



This is exactly what the court filing says - he emailed Excel spreadsheets with unencrypted data. Presumably from database queries, hence why they mention emailing a database. Obviously written by people who are entirely unfamiliar with what a database even is, so it makes it sound worse than it is (even though it is still bad, but not quite "send the entire database" bad.)


Clearly a computer genius, he is using Excel....


Yep


The manual way of copying a DB or part of it is export to CSV in my experience.

You can store A LOT in that format in 16MB.



E-mailing anything unencrypted is obviously not ideal, but people do it every day. And how problematic is breaking Treasury policy, really? Is this even a legal issue?


"But her emails!"

These issues are as important as people want to make them out to be. But given the discussion of security clearance involved, maybe it is a legal matter? Maybe someone can work out which bits of the Treasury privacy policy https://home.treasury.gov/system/files/236/Department-of-the... are legally binding and which are just guidelines.



Foreign governments are probably having a once-in-a-century field day with the data they are harvesting.

This damage won't be fixed within the lifetime of anyone alive today.

We won't even see WW3 coming, just tiny footsteps and then BOOM some morning.



what hyperbole. it’s just names and a dollar amount.





