Consider This from NPR - Did DOGE take sensitive labor data?
Episode Date: April 15, 2025President Trump's Department of Government Efficiency team, or DOGE, appears to be grabbing sensitive data from all over the government. A whistleblower has come forward by filing an official disclosu...re to Congress about concerning activity on the systems at one independent federal agency, the National Labor Relations Board. Elon Musk says DOGE is searching for savings throughout the government. But is the data being accessed valuable? For sponsor-free episodes of Consider This, sign up for Consider This+ via Apple Podcasts or at plus.npr.org.Email us at considerthis@npr.org.Learn more about sponsor message choices: podcastchoices.com/adchoicesNPR Privacy Policy
Transcript
Discussion (0)
It was a Friday afternoon in February when Daniel Barulis got a call from his boss.
Doge would be arriving soon.
I was working on a spreadsheet for some budgeting stuff and I got a call from my boss saying,
hey, it's possible Doge will show up.
Doge is the new federal cost-cutting unit effectively led by billionaire Trump adviser
Elon Musk.
The following week, according to his official disclosure to Congress,
Barulis and his colleagues watched a black SUV with a police escort pull into the parking
garage of the National Labor Relations Board in southeast Washington, D.C. The small, independent
federal agency investigates and adjudicates complaints about unfair labor practices. It stores reams
of potentially sensitive data, such as private legal notes in ongoing labor investigations
or confidential lists of union organizers. Most of that data lives on the cloud, a virtual
computer system that can be accessed remotely. It is Barulis' job to watch over the cloud, to make sure no single user has
access to data or systems they don't need. But for Doge, those policies and guidelines didn't
seem to apply, Barulis says. They had a very specific request.
Barulis' voice-over- Do not log the accounts, don't log the access, and stay out of our way. That was just the start for Baroulos and his colleagues.
That was a huge red flag.
That's something that you just don't do.
It violates every core concept of security and best practice.
After his suspicions were raised, Baroulos was able to hunt down a few details about
what took place while Doge had access.
Baroulos put them all in a whistleblower disclosure to Congress.
Now, there's a ton of complicated technical detail, but here's what it says.
There is clear evidence Doge got the highest level access to the system, that a big chunk of
data left the agency's internal case management system, followed by another chunk of data leaving
the agency itself, and that whoever had done
those things had turned off security tools and network monitoring logs.
They deleted records and appeared to try to disguise the chunks of data leaving the agency
as routine web traffic.
And after the Doge accounts were created, someone with an IP address in Russia started trying to log in to the
NLRB's system using a username and password that Doge had created. Even though the attempts were
blocked, Barulis says that made him worried the system was more vulnerable now.
Consider this. Elon Musk's government entity, known as DOGE, says it's searching for savings
throughout the government, but is the data being accessed valuable in other ways?
From NPR, I story that you just heard from Daniel Baroulis, he shared
it with my NPR colleague Jenna McLaughlin. She picks up from here with what happened
next.
The NLRB tells NPR the agency did not authorize DOGE to access their systems and that there's
no record of DOGE requesting it.
They also said there was a recent internal investigation that ruled out a breach.
However, the disclosure includes forensic evidence and records of communications that
seem to tell a different story.
Why was that done?
And that's a purposeful effort.
That doesn't just happen.
Logs don't just disappear.
Tools don't just turn themselves off randomly. Everything in a computer has a cause and effect. That means it has to have
a trigger. NPR has talked to 10 outside cybersecurity
experts, embedded in companies, government agencies, and the private sector, who reviewed
Perulis' claims. They say the activity is suspicious and that there's no reason a legitimate
user would act this way or remove data that is protected by multiple federal laws, including the Privacy Act.
They say it is hard to definitively prove what happened without further access to the NLRB
systems, or without an investigation by agencies with more resources, like the FBI.
But from what they can see, none of this behavior is normal. They told NPR,
the shadowy tactics described in the disclosure are the kinds
of things criminals and hackers from China and Russia like to do. Meanwhile, several
labor law experts who spoke to NPR say they believe there is no possible reason why Doge
should have had access to or removed NLRB-sensitive labor data.
There is nothing that I can see about what Doge is doing that follows any of the standard procedures for how you do
an audit that has integrity and that's meaningful and that will actually produce results.
Sharon Block is the director of Harvard Law School's Center for Labor and a Just Economy.
She has held key labor policy jobs in multiple administrations, including as a member of the National Labor Relations Board. She said she thinks Doja's statements about
cutting waste and its behavior don't match up.
That mismatch between what they're doing and what we know, the established professional
way to do what they say they're doing, that just kind of gives away the store that they
are not about actually finding more
efficient ways for the government to operate.
The concerns aren't limited to just cybersecurity or exposure of union data.
For Block and others, one of the most troubling things is that the NLRB has multiple ongoing
investigations into Elon Musk's companies, including SpaceX and Tesla.
In a recent interview with Fox News' Sean Hannity, President Trump and Musk said business interests wouldn't pose a conflict.
I mean I haven't asked the president for anything ever.
Also I'm getting a sort of a daily proctology exam here. You know, it's not like
I'll be getting away from something in the dead of night.
Neither the White House nor Doge responded to NPR's request for comment.
But so far, neither Trump nor Musk has provided evidence of any firewall
between Musk and
the data Doge has access to.
Musk or anyone else who gets this data could use lists of union leaders to blacklist people,
or fire them.
They could spy on competitors.
It could give them big advantages in court or in business.
It's not just that he's a random person who's getting access to information that a random person shouldn't have access to.
But if they really did get everything, if that possibility is accurate, then he has information
about the case that the government is building against him. After Barulis dug through the agency
records, he alerted his colleagues. According to his disclosure, many of them shared his concerns, and they decided they'd
launch a breach investigation and call in experts from other agencies to help.
The NLRB says those concerns were investigated and it was determined there was no breach.
But Barulis' disclosure makes clear that it's the possibility of an insider threat
that warrants a closer look.
It's the removal of evidence of potentially suspicious activity that concerns him. That's part of the reason he decided to speak up.
At the end of the day, even if it's logically not the right choice, if it morally compels
me, I feel I wouldn't be able to live with myself otherwise. To know that this data was
out there, it's going to impact these cases. It's going to cost people their real livelihoods.
There are now over a dozen court cases revealing how Doge has mishandled sensitive data, from
social security databases to treasury payment systems.
A source working on Capitol Hill who requested anonymity to discuss ongoing sensitive investigations
says their staff has multiple other whistleblower reports about Doge exfiltrating sensitive data
for unknown reasons.
I believe with all my heart that this goes far beyond just case data.
In other words, it could be social security numbers, private addresses, health care data,
immigration status, you name it.
Barulis hopes to inspire others to speak up.
That was NPR's Jenna McLaughlin.
This episode was produced by Audrey Nguyen and Alejandra Marquez-Hansen.
It was edited by Brett Neely.
Our executive producer is Sammy Yinnigan.
It's Consider This from NPR. I'm Mary Louise Kelly.