Union groups sue Treasury over giving DOGE access to sensitive data

Union groups that represent 7.2 million people filed a lawsuit Monday against the Treasury Department for handing over information including Social Security numbers, tax return data and bank account details to Elon Musk’s Department of Government Efficiency (DOGE).

Plaintiffs in the lawsuit, which include the Alliance for Retired Americans, the American Federation of Government Employees and the Service Employees International Union, allege that Musk and his surrogates are violating a federal law known as the Privacy Act, which bans the government from sharing individuals’ records without consent or unless a statutory exception applies.

Exceptions include allowing disclosure to “those officers and employees of the agency which maintains the record who have a need for the record in the performance of their duties” or for “routine use” only when an agency formally describes that intended use in the federal register at least 30 days before acting.

DOGE, a White House department created by President Donald Trump, is spearheading an effort to reduce costs across the federal government. It is staffed by workers as young as 19, many of whom appear to have been employed at Musk companies but lack government experience, Wired reported Saturday.

“Trying to decimate federal expenditures by stopping payments that have been approved by other federal agencies would not be a routine, permissible use,” John Davisson, the director of litigation at the Electronic Privacy Information Center and who is not involved in the lawsuit, said in an interview.

DOGE workers are also violating a law which says tax returns and return information should be kept confidential, the lawsuit alleges. That law, known as the Internal Revenue Code, says that officers and employees of the Treasury Department may access return information only if their official duties require them to obtain it for tax administration purposes.

“The scale of the intrusion into individuals’ privacy is massive and unprecedented,” says the lawsuit, which was brought by the Public Citizen Litigation Group and State Democracy Defenders Fund. 

Treasury Secretary Scott Bessent’s decision to give DOGE team members “full, continuous, and ongoing access to [the] information for an unspecified period of time means that retirees, taxpayers, federal employees, companies, and other individuals from all walks of life have no assurance that their information will receive the protection that federal law affords,” it alleges.

The Treasury Department and the White House did not respond to a request for comment.

A vast trove of data

Other data points the lawsuit contends are stored in the Treasury system include date and location of birth; physical and electronic mailing addresses; personal cell phone numbers; bank routing numbers; and household income, assets and liabilities. Name and contact information of employers; driver’s license numbers; credit and debit card numbers; and user names and passwords are also stored, the lawsuit says.

The Treasury payments system includes a debt collection database, according to the lawsuit and Davisson.

That database, known as Integrated Document Management System, houses even more sensitive personal information, including about mental health and disabilities, for between 10 and 99.99 million people, according to a privacy impact assessment conducted in 2019.

There are no more recent privacy impact assessments available, though experts say it is unlikely what is stored has changed.

While the lawsuit doesn’t cite it, Davisson said DOGE workers’ penetration of Treasury’s payment systems likely also violates the Federal Information Security Modernization Act (FISMA), which he said lays out protocols for operating an information system inside the federal government. 

Those protocols were developed by the National Institute of Standards and Technology (NIST), he said, and under FISMA federal agencies are required to adopt many of the standards, including access controls, training requirements for people with direct access to personal data and limits on physical media that can be connected to systems.

“If you roll up to a Treasury server and plug in whatever, something you bought at Best Buy, it probably does not meet the media restrictions and protocols that are set out in those NIST standards,” Davisson said.

The extent of the DOGE team’s penetration into government networks has become clear in recent days. 

DOGE’s alleged installation of an outside server at the Office of Personnel Management (OPM) in order to collect personal data belonging to federal workers triggered a class-action lawsuit filed on January 27. The government workers behind that lawsuit on Tuesday sought a temporary restraining order, alleging that the ongoing use of the server is endangering their personal data, Wired reported.

Over the weekend, DOGE workers reportedly penetrated the U.S. Agency for International Development’s systems. DOGE also has accessed a Department of Education database containing personal information belonging to millions of people receiving federal financial aid, The Washington Post reported Monday. 

The DOGE team has asked for access to Centers for Medicare and Medicaid Services systems, the New York Times reported Monday.

Democrats have begun fighting back. On Tuesday, two House Democrats sent a letter to OPM Acting Director Charles Ezell saying that the administration’s actions at the agency “demonstrate gross negligence, severe incompetence, and a chaotic disregard for the security of our government data and the countless services it enables our agencies to provide to the public.”

Senator Chuck Schumer (D-NY) along with other Democratic Congressional leaders said Tuesday that they plan to introduce legislation to prevent what Schumer called “unlawful meddling in the Treasury Department’s payment systems.” 

Immigration data

There is nothing to stop DOGE from using agency data to find undocumented immigrants, advocates say. An executive order Trump issued in his first administration directed federal agencies to share data with the Commerce Department so that it could determine individuals’ immigration status.

The executive order creating DOGE states that agency heads must give it “full and prompt access to all unclassified agency records, software systems, and IT systems.”

That language is reminiscent of the executive order Trump signed in 2019, said Elizabeth Laird, director of equity and civic technology at the Center for Democracy and Technology. 

The earlier order compelled federal agencies — including Immigration and Customs Enforcement, the Social Security Administration and the Centers for Medicare and Medicaid Services — to share data with Commerce so that it could identify immigrants who were in the country illegally.

“I have determined that it is imperative that all executive departments and agencies provide the Department the maximum assistance permissible, consistent with law, in determining the number of citizens and non-citizens in the country, including by providing any access that the Department may request to administrative records that may be useful in accomplishing that objective,” Trump said in that order.

Allowing DOGE to access data from across the government could be used to further any number of administration goals beyond just finding efficiencies, Laird said.

“We don't know exactly what they want to do, and there's no limitations on what they say they will or will not use this access for,” she said.