Treasury was ‘fully aware of the risks’ posed by DOGE access to payment systems, court filing says

A Department of Government Efficiency (DOGE) employee was accidentally given the ability to edit a sensitive Treasury payment database, but he never did so and the mistake was quickly corrected.

In a court filing Tuesday, Treasury official Joseph Gioeli III said DOGE staffer Marko Elez was inadvertently given read/write permissions to one payment system database on February 5, but the access was revoked the following day. There is no evidence that Elez knew he briefly had that elevated access, Gioeli said, and Elez never used the “write” privileges to change anything.

The filing adds that the Treasury Department used strict controls to mitigate the cybersecurity risks posed by providing DOGE with access to the systems, “which included potential operational disruptions to Fiscal Service’s payment systems, access to sensitive data elements, insider threat risk and other risks that are inherent to any user access to sensitive IT systems,” said Gioeli, who serves as deputy commissioner for transformation and modernization in the Bureau of the Fiscal Service (BFS).

“Overall, BFS and Treasury leadership were fully aware of the risks presented by [DOGE’s] work,” said Gioeli, a career official. The breadth of access provided to Elez is unprecedented, he said.

Elez was eventually granted read-only access to the database he was mistakenly given write privileges for and only had read-only access to other payment systems’ databases. This level of access reduced risk, but did not “fully eliminate” threats such as “overburdening the system with a complex read-only query,” Gioeli said. Elez’s payment system reviews were only allowed during “low-utilization time periods, to minimize the possibility of operational disruptions.” 

While a forensic analysis of Elez’s laptop is ongoing, Gioeli said so far Treasury officials have found no unauthorized use of the laptop nor evidence that Elez shared any BFS data outside of the U.S. government.

It is unclear how many DOGE team members Elez may have shared payment systems data with.

Risk mitigation

Cybersecurity experts have warned that DOGE’s access to sensitive databases could create an easy opening for a data breach or cyberattack, and the Tuesday filing suggests the Treasury Department deployed several measures with those risks in mind. 

Mitigation strategies included only allowing Elez to connect to Treasury payments systems with a BFS laptop, using “enhanced monitoring” to track his work and continuously logging his activity. 

The enhanced monitoring allowed Treasury officials to block website access and the use of “external peripherals” such as USB drives as well as see any scripts or commands used on the laptop, Gioeli said.

Cloud-based storage services were blocked and the laptop contained data exfiltration detection, which would notify BFS if Elez tried to transmit sensitive data. The laptop also was encrypted, Gioeli said.

Elez and his boss, DOGE official Tom Krause, also committed to only giving Elez access. Krause received “over the shoulder” privileges allowing him to review payment systems and source code, but not access them himself, Gioeli said.

BFS provided “safeguarding and handling instructions for Treasury data for the duration of the project,” Gioeli said, and Elez and Krause were told that no Treasury information or data could leave the BFS laptop.

Elez and Krause also agreed to provide BFS with an “attestation statement” at the end of the project to verify that any copies of Treasury information would be “properly destroyed” and to pledge that no “suspicious or unauthorized access” to BFS information and data occurred.

DOGE’s access to the systems were restricted by a federal judge following a lawsuit filed by 19 Democratic state attorneys general, though those restrictions were loosened by another judge in a subsequent order on Tuesday.