More than a year after the Department of Government Efficiency began deploying across government, new reports are detailing how agencies dealt with DOGE efforts to access sensitive information.
GAO Report Exposes Shocking Treasury Security Failures in 2025
The Government Accountability Office's latest report on how the Treasury Department handled DOGE's quest for payments data may just be the "tip of the iceberg," according to privacy watchdog groups.
GAO's report, released Tuesday, found Treasury gave a DOGE employee access to sensitive payment data last year without following IT security rules. The unnamed DOGE employee had access to "view, copy and print" data from three Bureau of Fiscal Service payment systems between January and February 2025. The bureau processes payments, such as tax refunds and benefits payments, for most federal entities.
GAO also found the DOGE staffer was "inadvertently" granted temporary access that would allow them to "create, modify, and delete data" for one of the three BFS systems. GAO didn't find evidence of changes to the system data before BFS revoked that access.
The activities in GAO's report also touch on DOGE's efforts to access Treasury systems to stop money from flowing to the U.S. Agency for International Development (USAID) in the early days of the Trump administration.
GAO found one of the DOGE staffers at Treasury sent an unencrypted copy of a file containing information about USAID payments, including first and last names, to members of the DOGE team at the General Services Administration.
GAO found Treasury's data loss prevention tool didn't identify or prevent the sharing of the USAID payment information, despite the potential security issues involved.
"Treasury Office of General Counsel officials stated that reviewing all emails sent to other agencies with unencrypted payment information would be infeasible," GAO states. "However, it appears that such transmissions violate BFS's IT security rules and could be categorized as security incidents."
GAO found the DOGE staffer didn't ultimately obtain approval to share the information, either. BFS also didn't hold the DOGE employee accountable for not following IT security rules.
In comments on GAO's draft report, Treasury ultimately agreed with the report's recommendations to define minimum screening requirements for access payments data, strengthening training before granting access to sensitive systems, and update BFS's process for reviewing emails with unencrypted payment information, among other suggestions.
Quinn Anex-Ries, a senior policy analyst at the Center for Democracy & Technology, called GAO's findings "unnerving."
"These findings only highlight the gravity of the issues at stake," Anex-Ries told our platform in an email. "Treasury failed to implement basic safeguards, resulting in DOGE employees inadvertently gaining modification and deletion authority in several systems. This left everyday people exposed to potential data errors or incorrect payment determinations."
John Davisson, deputy director and director of enforcement at the Electronic Privacy Information Center (EPIC), said the report shows Treasury "flouted basic security safeguards" in the rush to give DOGE access to sensitive payment systems.
"Despite Treasury's conclusion that one DOGE employee would be in a position to cause 'inestimable damage' to security interests, the agency couldn't be bothered to get a signed access agreement from the employee or comply with other baseline safeguards," Davisson wrote in an email. "And the result was predictable: that employee promptly broke the law and disclosed sensitive, unencrypted personal data to speed along the destruction of USAID."
Both Anex-Ries and Davisson called GAO's findings "the tip of the iceberg" in terms of what's known about DOGE's data access. GAO said today's report "represents the preliminary results of our ongoing work reviewing DOGE access to Treasury systems."
In a statement, House Ways and Means Committee Ranking Member Richard Neal (D-Mass.) said the GAO report "confirmed our worse fears" about DOGE accessing data.
"While we thank GAO for their thorough work, this report only examined a limited period last year, raising even more questions about security procedures in the time since," Neal said. "Treasury, and the federal government-at large, must act immediately to implement every single one of GAO's recommendations before the consequences get even worse."
GAO also released a separate report today on how DOGE didn't access National Labor Relations Board IT systems from April through mid-April through July 2025. However, GAO's report doesn't cover the period when a whistleblower alleged a DOGE representative compromised sensitive NLRB data. GAO said it didn't want to overlap with an ongoing investigation by the NLRB inspector general.
And several ongoing court cases have challenged DOGE's access to data at the Social Security Administration and other agencies.
"DOGE sought access to systems across the federal government, and we still don't know what happened to the personal data they got their hands on," Anex-Ries said. "Without additional oversight, we may never know the full extent of DOGE's violations of our privacy rights, and many Americans' data may still remain vulnerable.
Read also:
- American teenagers taking up farming roles previously filled by immigrants, a concept revisited from 1965's labor market shift.
- Weekly affairs in the German Federal Parliament (Bundestag)
- Landslide claims seven lives, injures six individuals while they work to restore a water channel in the northern region of Pakistan
- Escalating conflict in Sudan has prompted the United Nations to announce a critical gender crisis, highlighting the disproportionate impact of the ongoing violence on women and girls.
