When a team of advisers from President Trump's Department of Government Efficiency initiative arrived at the headquarters of the National Labor Relations Board, IT employees at the small, independent agency quickly became worried, according to a whistleblower declaration filed with Congress and shared with NPR.
The NLRB investigates and adjudicates complaints about unfair labor practices. Its databases store reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.
The DOGE employees, who are effectively led by White House adviser and billionaire tech CEO Elon Musk, appeared to set their sights on accessing the NLRB's internal systems, removing sensitive data and covering their tracks.
"I can't attest to what their end goal was or what they're doing with the data," said the whistleblower, Daniel Berulis, in an interview with NPR. "But I can tell you that the bits of the puzzle that I can quantify are scary. ... This is a very bad picture we're looking at."
Tim Bearese, the NLRB's acting press secretary, denied that the agency granted DOGE access to its systems and said DOGE had not requested access to the agency's systems. Bearese said the agency conducted an investigation after Berulis raised his concerns but "determined that no breach of agency systems occurred."
Notwithstanding the NLRB's denial, the whistleblower's disclosure to Congress and other federal overseers provides evidence of DOGE's access and activities. NPR's reporting across the federal government also makes it clear that DOGE's access to data is a widespread concern.
A representative of DOGE did not respond to NPR's requests for comment.
Here are five takeaways from NPR's reporting:
DOGE appeared to ignore standard security practices
Berulis says he was told by colleagues that DOGE employees demanded the highest level of access, what are called "tenant owner level" accounts inside the independent agency's computer systems. Those offer essentially unrestricted permission to read, copy and alter data, according to Berulis' disclosure to Congress.
When an IT staffer suggested a streamlined process to activate those accounts in a way that would let their activities be tracked, in accordance with NLRB security policies, the IT staffers were told to stay out of DOGE's way, the disclosure continues.
For cybersecurity professionals, a failure to log activity is a cardinal sin and contradicts best practices.
"That was a huge red flag," said Berulis. "That's something that you just don't do. It violates every core concept of security and best practice."
According to the disclosure, someone had disabled controls that would prevent insecure or unauthorized mobile devices from logging on to the system without the proper security settings. There was an interface exposed to the public internet, potentially allowing malicious actors access to their systems. Internal alerting and monitoring systems were found to be manually turned off. Multifactor authentication was disabled.
Berulis tracked sensitive data leaving the agency's NxGen case management system "nucleus," inside the NLRB system. Then, he saw a large spike in outbound traffic leaving the network itself. That kind of spike is extremely unusual, he explained in the disclosure, because data almost never directly leaves from the NLRB's databases.
"If he didn't know the backstory, any [chief information security officer] worth his salt would look at network activity like this and assume it's a nation-state attack from China or Russia," said Jake Braun, a former White House cyber official.
In fact, in the minutes after DOGE accessed the NLRB's systems, someone with an IP address in Russia started trying to log in, according to Berulis' disclosure. Those attempts were blocked, but they were especially alarming. Whoever was attempting to log in was using one of the newly created DOGE accounts — and the person had the correct username and password, according to Berulis.
The NLRB's data is extremely sensitive and has little to do with DOGE's cost-cutting mission
DOGE's intentions with regard to the NLRB data remain unclear. Many of the systems DOGE embedded itself in across the rest of the government have payment or employment data — information that DOGE could use to evaluate which grants and programs to halt and whom to fire.
But the NxGen case management system is very different.
It houses information about ongoing, contested labor cases, lists of union activists, internal case notes, personal information from Social Security numbers to home addresses, proprietary corporate data and more information that never gets published openly. Access to that data is protected by numerous federal laws, including the Privacy Act.
"There is nothing that I can see about what DOGE is doing that follows any of the standard procedures for how you do an audit that has integrity and that's meaningful and will actually produce results that serve the normal auditing function, which is to look for fraud, waste and abuse," said Sharon Block, the executive director of Harvard Law School's Center for Labor and a Just Economy and a former NLRB board member.
Elon Musk's businesses are the subject of NLRB investigations
There are multiple ongoing cases involving the NLRB and companies controlled by Musk. After a group of former SpaceX employees lodged a complaint with the NLRB, lawyers representing SpaceX, some of whom were recently hired into government jobs, filed suit against the NLRB. They argued that the agency's structure is unconstitutional.
Trump and Musk, during an interview with Fox News's Sean Hannity, said Musk would recuse himself from anything involving his companies. "I haven't asked the president for anything ever," Musk said. "I'm getting a sort of a daily proctology exam here. You know, it's not like I'll be getting away [with] something in the dead of night." However, DOGE has been granted high-level access to a lot of data that could benefit Musk, and there has been no evidence of a firewall preventing misuse of that data.
"It's not that he's a random person who's getting information that a random person shouldn't have access to," said Harvard Law's Block. "But if they really did get everything, then he has information about the cases the government is building against him," she said.
"DOGE is, whether they admit it or not, headed by somebody who is the subject of active investigation and prosecution of cases. It is incredibly troubling," she said.
DOGE has a pattern of seeking sensitive data and not protecting it
In over a dozen lawsuits in federal courts around the United States, judges have demanded that DOGE explain why it needs such expansive access to sensitive data on Americans, from Social Security records to private medical records and tax information. But the Trump administration has been unable to give consistent and clear answers, largely dismissing cybersecurity and privacy concerns.
The Trump administration could be trying to codify DOGE's practices into how the government shares information, said Kel McClanahan, the executive director of nonprofit public interest law firm National Security Counselors, who is representing federal employees in a lawsuit concerning the Office of Personnel Management's use of a private email server.
Weeks after DOGE staffers descended on federal buildings across Washington, Trump issued an executive order urging increased data sharing "by eliminating information silos" in what's seen by experts like McClanahan as an attempt to give DOGE engineers further top cover in accessing and amalgamating sensitive federal data, despite laws concerning privacy and cybersecurity.
"The entire reason we have a Privacy Act is that Congress realized 50 years ago that the federal government was just overflowing with information about normal everyday people and needed some guardrails in place," McClanahan told NPR. "The information silos are there for a reason," he continued.
Labor experts fear the release of this data could hurt organized labor
Access to the NxGen data would make it easier for companies to fire employees for union organizing or keep blacklists of organizers — illegal activities under federal labor laws enforced by the NLRB. But "people get fired in this country all the time for the lawful act of trying to organize a union," said Block.
Having a list of key organizers and potential members of a union would make that easier, as would having a copy of the opposing counsel's notes as companies prepare for legal challenges, she continued.
It's not just employees who might suffer if this data got out. Companies also sometimes provide detailed statements on internal business planning and corporate structure in the midst of unfair-labor-practice complaint proceedings. If a company was attempting to fire someone who it alleged had disclosed trade secrets and was fighting an unfair-labor-practice complaint based around that decision, those trade secrets might come up in the NLRB's investigation. That information would be valuable to competitors, regulators and others.
Overall, the potential exposure of the NLRB's data could have serious implications.
"I think it is very concerning," said University of California, Berkeley, labor scholar Harley Shaiken. "It could result in damage to individual workers, to union-organizing campaigns and to unions themselves," he said.
NPR's Stephen Fowler contributed reporting. NPR's Brett Neely edited this story.
Have information or evidence to share about DOGE's access to data inside the federal government? Reach out to the author, Jenna McLaughlin, through encrypted communications on Signal at jennamclaughlin.54. Stephen Fowler is available on Signal at stphnfwlr.25. Please use a nonwork device.
300x250 Ad
300x250 Ad