OPM likely broke privacy law with DOGE access • The Register


The US federal government’s HR department violated the law and bypassed its own cybersecurity safeguards by giving DOGE affiliates access to personnel records, a federal judge ruled Monday, issuing a preliminary injunction to halt further disclosures.

President Donald Trump established the so-called Department of Government Efficiency through an executive order at the start of his administration to trim what he believed was widespread waste of taxpayer dollars. Initially led by Elon Musk, the group said it planned to trim trillions in spending, but found nowhere near that. Along the way, the group ran rampant through various government agencies, culling staff and accessing government records, and has since faced numerous lawsuits accusing it of various improprieties.

The Office of Personnel Management (OPM), which oversees HR policies and personnel systems for civilian federal employees, granted DOGE affiliates access to sensitive databases, according to a lawsuit filed in February by government employee unions. The plaintiffs alleged that OPM leadership violated the Privacy Act by disclosing employee records, including Social Security numbers, health information, banking data, and family details, to individuals with no legal right to access them, and failed to implement proper data safeguards as required by federal law.

Judge Denise Cote of the Southern District of New York agreed, and said in her decision [PDF] that the plaintiffs were likely to succeed in showing that the OPM violated the Privacy Act and Administrative Procedure Act by giving DOGE-affiliated individuals access to agency data. Access was granted “even though no credible need for access had been demonstrated,” the judge noted. 

“OPM records can be used to reveal intelligence connections regarding federal employees in sensitive undercover roles or to find federal employees who may be subject to threats of retaliation,” she wrote. “The plaintiffs have no ability to opt out of having their information in OPM systems, and some OPM systems permanently retain information.”

Cote said the plaintiffs had a reasonable expectation that such info would be properly secured, but it was instead given to people who don’t appear to have been properly vetted or trained, and didn’t require such extensive access for their roles. 

In addition to likely violations of the Administrative Procedure and Privacy Acts, the judge concluded that OPM disregarded its own cybersecurity policies by giving DOGE agents access to the data in question, despite well-established training protocols and need-to-know access restrictions outlined in agency rules.

“OPM’s careless approach toward cybersecurity is reminiscent of the failures that contributed to the 2015 data breach,” Cote opined. 

For those unfamiliar with the OPM breach that occurred a decade ago, attackers used stolen employee credentials to break into systems and make off with personal data on some 21.5 million people, including present, former, and prospective employees and contractors. There was also a smaller breach a month before in which four million records were stolen. 

In her ruling, Judge Cote warned that OPM’s current handling of DOGE access echoed the cybersecurity lapses that led to its 2015 data breach. She said failures, such as granting access to sensitive records without verifying a legitimate need and failing to ensure individuals completed required vetting and training, could pave the way for another serious security incident.

“The access control policies that OPM purports to follow fell by the wayside” by granting DOGE access, she said. That departure from standard practice “is reminiscent of the ‘failure of culture and leadership’ that the 2016 House Report identified as having led to the 2015 OPM data breach.” 

According to Cote’s order, the plaintiffs requested that OPM be barred from allowing DOGE access to personnel records, permit future access only in compliance with the Privacy Act and APA, require DOGE to destroy any disclosed personal data, mandate new data safeguards, and file a report detailing who from DOGE still has access to OPM systems.

It’s not clear if all those requests will be granted in the actual injunction. Cote indicated in her decision that the injunction’s scope would be addressed in a separate order that has yet to be issued, and the judge didn’t indicate when that order may be cut. 

Cote’s ruling is similar to the order issued in March by a Maryland judge that enjoined DOGE from accessing personal data at the OPM, Department of Education, and US Treasury on grounds that said access also violated the Administrative Procedure and Privacy Acts. That order has since been overturned by an appeals court. Similarly, the US Supreme Court on Friday granted DOGE access to taxpayer data at the Social Security Administration after a lower court had blocked that access. 

This ruling may very well be undone on appeal as well – the Trump administration has been vociferous in its defense of DOGE, and also got a federal judge to walk back a ban on the team’s access to Treasury Department data. 

The OPM didn’t respond to questions for this story. ®
