Cybersecurity failures leave US Social Security data at risk

The U.S. Government Accountability Office (GAO) issued a public rebuke of the Social Security Administration (SSA) for failing to resolve 11 open recommendations tied to cybersecurity and information technology management.

In a July audit report addressed to SSA Chief Information Officers Aram Moghaddassi and Michael Russo, Congress’ investigative branch identified items critically linked to persistent federal high-risk areas and warned that continued inaction could jeopardize sensitive personal data and undermine public confidence in one of the federal government’s most essential service providers.

At the heart of GAO’s findings lies SSA’s failure to implement event logging requirements which were outlined by the Office of Management and Budget (OMB). These requirements, first codified in OMB Memorandum M-21-31 in the aftermath of the SolarWinds cyber breach, are part of a broader government-wide initiative to modernize incident response protocols. They mandate that federal agencies reach Event Logging Tier 3 maturity time log collection, cross-system integration, and the ability to search log data within 72 hours of a cyber incident.

SSA’s noncompliance with this mandate, which had been documented by GAO in 2023, leaves the agency blind to advanced threat indicators. Without complete, tamper-proof logs, the SSA cannot reliably trace the origins of a cyber intrusion, assess its scope, or take effective remedial action.

This gap is particularly alarming given SSA’s stewardship of high-value personal data such as Social Security Numbers, financial records, and healthcare eligibility information. A breach at SSA would not only compromise the privacy of tens of millions of Americans, but it could also have cascading effects across federal and state benefit systems.

These vulnerabilities have been further compounded by the Department of Government Efficiency’s (DOGE) penetration into SSA’s operational and IT infrastructure. Under the Trump administration, DOGE assumed expanded oversight powers across multiple agencies, including SSA, leading to the displacement of experienced technical personnel and the consolidation of system controls under appointees lacking cybersecurity expertise.

The resulting degradation in institutional knowledge and cybersecurity governance has left SSA even less equipped to manage complex system requirements and enforcement of protections for personally identifiable information, which is particularly vulnerable in such environments.

Improper access controls, inadequate encryption, and outdated system architecture, all worsened by DOGE’s bureaucratic interference, raises the risk that sensitive data could be exposed, stolen, or misused. This is especially dangerous given SSA’s role as a central hub in verifying and storing identity information across government programs.

SSA is not alone though. As of December 2023, 20 federal agencies had missed the government-wide deadline for implementing advanced event logging. Budgetary limitations, legacy systems, and staffing constraints were frequently cited as reasons. But GAO stressed that SSA’s delay is more than logistical; it reflects a failure to prioritize cybersecurity modernization despite repeated oversight and urgent warnings.

The implications of inadequate event logging are multifold. First, they violate compliance standards set forth in the Federal Information Security Modernization Act, opening SSA to federal audit risk. Second, they reduce the federal government’s overall cyber resilience at a time when nation-state actors and criminal networks increasingly exploit unmonitored systems. And third, they erode public trust, particularly as Americans grow more aware of digital privacy risks and the federal government’s responsibility to safeguard their data.

Compounding these vulnerabilities are the inherent risks in event logging itself when not properly managed. Logging systems, if poorly configured, can inadvertently capture sensitive personal data, including credentials and identifiers. These logs become lucrative targets for adversaries if they are not encrypted, access-controlled, and regularly sanitized.

Improper retention policies, failure to rotate logs, and overcollection of irrelevant data also can increase the risk surface, making it more difficult for analysts to distinguish real threats from noise.

GAO has advised agencies like SSA to follow best practices to mitigate these risks. This includes minimizing the logging of sensitive fields, applying strict role-based access controls, and ensuring logs are monitored in real time to detect anomalies.

Beyond logging, SSA’s challenges extend to broader IT governance. GAO reiterated long-standing concerns about the agency’s software license tracking, telecommunications asset inventory, and the use of cloud service level agreements. These IT management deficiencies compound SSA’s exposure to financial waste and operational disruption.

One priority recommendation calls on SSA to reconcile software in-use with software purchased. The agency has yet to develop and implement consistent tracking mechanisms, leading to missed cost-saving opportunities and limited visibility into its software environment.

Similarly, SSA’s incomplete inventory of telecommunications assets continues to hinder contract transitions and system modernization. Without a reliable inventory, SSA risks incurring unnecessary expenses and failing to meet performance requirements.

GAO also criticized SSA for not aligning cloud computing contracts with OMB guidance. Specifically, it has not enforced service-level agreements with vendors that include performance metrics, compliance obligations, and remediation plans.

Equally concerning is SSA’s sluggish rollout of fraud prevention initiatives. The Electronic Verification Service (EVS), designed to combat synthetic identity fraud by verifying user credentials, remains underutilized.

GAO noted that SSA has failed to recoup the significant investment made in developing this service, which remains off-track in serving financial institutions and other stakeholders. As synthetic identity fraud surges across sectors, SSA’s inability to operationalize EVS limits a critical line of defense against identity theft and fraud.

These technical and operational failures are not just administrative oversights; they represent strategic gaps that endanger the integrity of SSA’s mission. With aging infrastructure and increasing digital demands, the agency faces growing pressure to secure its systems while maintaining seamless benefit delivery.

In its 2025 priority recommendations report, GAO observed that only one of four key directives had been fully implemented by SSA since 2024. This slow pace of progress is particularly troubling given that the SSA is entrusted with nearly $1.4 trillion in annual benefit payments and is a linchpin in the federal social safety net.

Any operational disruption or data breach at SSA could have disproportionate consequences for millions of Americans relying on retirement, disability, and survivors’ benefits.

The GAO’s findings should serve as a warning. Agencies like SSA must not only adopt mandated cybersecurity protocols but also integrate them into a cohesive, accountable IT governance framework. Failure to do so risks systemic vulnerabilities that can no longer be dismissed as bureaucratic inertia.

Article Topics

cybersecurity  |  data privacy  |  data protection  |  DOGE  |  GAO (Government Accountability Office)  |  social security  |  Social Security Administration (SSA)  |  U.S. Government