Key Takeaways
- Two DOGE associates accessed Treasury’s Bureau of the Fiscal Service (BFS) payment systems from Jan. 20 to April 11, 2025, raising concerns about data security.
- One representative could view, copy, print, and—due to a misconfiguration—temporarily create, modify, or delete data on a BFS system, though no actual alterations were found.
- The DOGE team mishandled personally identifiable information (PII): an unencrypted Excel file containing data on 350 individuals for USAID payments was sent to another agency, then to a colleague’s BFS email and to two GSA staffers, violating Treasury encryption requirements.
- BFS officials deemed the disclosure “low risk” because the file lacked more sensitive identifiers, but they could not provide documentation showing Privacy Office concurrence.
- BFS failed to fully implement selected cybersecurity controls on its payment systems and did not ensure departing DOGE staff acknowledged post‑employment data‑protection obligations; as a result, one worker left while still holding an interim security clearance that granted access to sensitive payment data.
- The Government Accountability Office (GAO) issued six recommendations to BFS to strengthen cyber controls, address security gaps, and formalize exit procedures; BFS agreed with three recommendations and did not state its position on the remaining three.
- Until Treasury and BFS establish robust oversight for users with broad payment‑system access, federal payment information remains at heightened risk of improper access, modification, disclosure, or misuse.
Overview of the GAO Investigation
The Government Accountability Office (GAO) conducted an “ongoing work” review to examine the access that two DOGE associates had to the Bureau of the Fiscal Service (BFS) payment systems during the early months of the second Trump administration. The audit focused on determining what the DOGE personnel intended to do with BFS systems and whether they adhered to Treasury’s data‑security protocols. Because DOGE’s access to these systems has already sparked litigation, the GAO’s findings are particularly relevant for understanding potential vulnerabilities in federal financial infrastructure.
Scope of DOGE Access to BFS Systems
During the period from January 20 through April 11, 2025, one DOGE representative obtained access to three distinct BFS systems. These systems are responsible for disbursing federal income‑tax refunds, benefits, salaries, and a wide array of other government payments. Notably, foreign‑aid payments were a focal point of the DOGE team’s activities within BFS. The level of access granted allowed the employee to view, copy, and print data residing in these systems.
Inadvertent Privilege Escalation
Beyond read‑only privileges, the GAO discovered that the same DOGE staffer was inadvertently granted temporary authority to create, modify, and delete data on one of the BFS systems. This privilege arose from a configuration oversight rather than a deliberate grant of rights. The watchdog emphasized that, despite the elevated permissions, there was no evidence that any data was actually altered, deleted, or otherwise tampered with during the review window.
Mishandling of Personally Identifiable Information
The report details a series of actions that violated Treasury’s IT‑security rules governing the handling of personally identifiable information (PII). The DOGE representative transmitted an unencrypted Excel file containing PII for 350 individuals earmarked for USAID payments to another federal agency. Subsequently, the same file was forwarded using the staffer’s Treasury email address to the other DOGE associate’s BFS email and then to two DOGE members at the General Services Administration (GSA). Each transmission occurred without the required encryption safeguards.
BFS’s Risk Assessment and Documentation Gaps
BFS officials characterized the disclosure of the PII as “low risk,” arguing that the Excel file omitted more sensitive identifiers such as Social Security numbers, addresses, or dates of birth. However, the GAO noted that BFS could not produce documentation demonstrating that the Privacy Office had formally concurred with this risk assessment. The absence of such records undermines confidence in the agency’s internal review process and highlights a lapse in accountability.
Shortcomings in BFS Cybersecurity Controls
The GAO also criticized the Bureau of the Fiscal Service for not fully implementing a set of selected cybersecurity controls on its payment systems. These controls are designed to protect sensitive financial data from unauthorized access, alteration, or exfiltration. By leaving certain controls unaddressed, BFS left gaps that could be exploited by individuals with broad system access, such as the DOGE associates examined in the audit.
Deficiencies in Off‑boarding Procedures
A further security weakness identified by the GAO pertains to the off‑boarding process for departing personnel. One DOGE staffer left the agency without having been informed of, or having agreed to, post‑employment data‑protection requirements. Consequently, the individual retained an interim security clearance that continued to grant access to multiple BFS systems housing sensitive federal payment information. The GAO warned that without a formal exit‑interview process and signed post‑employment documentation, the agency cannot be assured that former employees will appropriately safeguard the data they once accessed.
GAO Recommendations and BFS Response
To address the identified vulnerabilities, the GAO issued six recommendations to the Bureau of the Fiscal Service. The recommendations urged BFS to finalize and enforce cybersecurity controls, improve oversight of users with broad payment‑system access, establish a standardized exit‑interview and post‑employment documentation process, and ensure proper handling and encryption of PII. BFS indicated agreement with three of the six recommendations but did not state whether it concurred with the remaining three, leaving some uncertainty about the agency’s planned corrective actions.
Conclusion and Ongoing Risk
The GAO concluded that until Treasury and BFS fully establish and implement robust controls for monitoring and managing users who possess extensive access to payment systems, federal payment information will remain at an elevated risk of improper access, modification, disclosure, or misuse. The watchdog stressed that both technical safeguards—such as encryption and access‑control configurations—and procedural safeguards—like thorough off‑boarding and clear data‑handling policies—are essential to protect the integrity and confidentiality of the nation’s financial data. Continued vigilance and adherence to the GAO’s recommendations will be critical to mitigating future security lapses.

