I am no stranger to government data breaches. Years ago, I was provided with free credit monitoring services after my data was included in the OPM breach. The breach timeline mostly overlapped with my time as a cadet at the United States Military Academy, where I had to undergo several background checks as part of preparing to become an officer in the newly created cyber branch of the Army.

During my time in the military (which ended a few years ago), and more specifically in a cybersecurity role, I became increasingly aware of how easily data breaches can occur in complex and chaotic environments, particularly when the wrong people are involved.

Over the last few weeks, the news has been plastered with articles about the Department of Government Efficiency (DOGE) and the potential level of access related individuals have to the personal information of taxpayers as part of ongoing efforts to curb government spending. And to be blunt, there is a problem with government spending that needs to be addressed.

The Government Accountability Office has previously stated that losses to fraud could be as significant as $521 billion a year. Combined with estimates of improper payments in FY 2023 of approximately $236 billion, that is a massive total of possibly $757 billion of taxpayer money that was not used as intended for that fiscal year.

However, approaches to rectify these problems need to be well planned, methodical and involve vetted individuals who are trusted to safeguard sensitive information they work with. DOGE is not adhering to any of these principles and is instead substantially increasing risk to the sensitive information of taxpayers.

One concern regarding data security relates to what appears to be poor vetting of DOGE employees. For example, Brian Krebs recently investigated one DOGE employee and found that the employee was associated with the cybercriminal group “The Com.” Krebs also found that the same employee was fired from a previous role for leaking internal documents. It is hard to believe that this individual truly passed a background check as part of a government vetting process. I can’t help but wonder about the vetting of other DOGE members.


Even if this specific employee isn’t granted direct access to sensitive data, it is likely that they are able to review or otherwise access the data via internal DOGE reports or even just daily internal communications. That is the danger of giving one person access to data on behalf of a larger organization. Information is easily funneled from that individual to all others with a simple tapping of the send button in a chat application even if that exchange doesn’t happen until after leaving a secure area.

And how is DOGE storing that secondhand data? Thus far, it appears that there is no oversight on the internal activities of DOGE and how it handles data once it has it, which further increases risk. Luckily, a federal judge has stepped in and prevented further access to this sensitive taxpayer data, but that order may only be temporary.

Many defenders of DOGE’s access to taxpayer data say that there is no risk because the access is “read-only.” However, my concern is that those individuals could see the data when they should be auditing agencies and not individual taxpayers. There is simply no “need to know” for individual taxpayer information.

This also begs the question of why it appears that it is only possible to give “read-only” access to all information instead of just expenditures by agencies. Is there really no internal data segmentation by purpose or category of data? That itself is deeply troubling and suggests that even in the nearly 10 years since the OPM breach, our government is still not securing our personal information appropriately. Adding more poorly vetted people to the access lists, especially during such a chaotic time, is not going to help Americans.

China was eventually blamed for the OPM breach years ago. Early last year, CISA published an advisory stating that China had also successfully compromised multiple critical infrastructure organizations across the country.

Our adversaries are always watching and looking for weak points to target. DOGE, with its nearly unfettered access to several agencies and sensitive data as well as weakly vetted employees, is an incredibly lucrative target.

Stopping fraud, waste and abuse in the government is important, but we should all demand that risks to our personal data are minimized during that process — particularly when existing laws should protect that data.
