In a recent development at the National Labor Relations Board (NLRB), a whistleblower has come forward with allegations that employees from Elon Musk’s Department of Government Efficiency (DOGE) were involved in downloading sensitive data from the agency’s case files. The whistleblower, identified as Daniel J. Berulis, a security architect at NLRB, filed a complaint stating that DOGE officials met with NLRB leaders in early March and demanded the creation of “tenant admin” accounts with unprecedented access privileges.
These new DOGE accounts were granted permissions to read, copy, alter, and manipulate information from NLRB databases, with the ability to restrict log visibility, delay retention, route logs elsewhere, or even delete them entirely. One of the DOGE accounts was found to have downloaded three external code libraries from GitHub that were not authorized or used by NLRB or its contractors. One of these code bundles was designed to rotate connections through a pool of cloud Internet addresses for web scraping and brute-force attacks.
Further investigation revealed that a program with similar functionality was published by Marko Elez, a 25-year-old DOGE employee who has worked across several of Musk’s companies. Elez was previously linked to controversial social media posts advocating racism and eugenics, which led to his resignation; he was subsequently rehired after receiving support from President Donald Trump and Vice President JD Vance.
The code repository from Elez, named “async-ip-rotator,” was a fork of a project by GitHub user Ge0rg3 for bypassing IP-based rate limits. Elez’s involvement in gaining unauthorized access to NLRB data and downloading sensitive information has raised concerns about unfair advantages in ongoing labor disputes and potential misuse of the acquired data.
The whistleblower also disclosed that the other two GitHub archives downloaded by DOGE employees included software frameworks designed for reverse engineering application programming interfaces (APIs) and automating web-based tasks through headless browsers. A critique of Elez’s code on GitHub raised concerns about its security, scalability, and engineering flaws, particularly in handling sensitive data.
The unauthorized data transfer by DOGE employees poses a significant risk of compromising the integrity of NLRB’s case files and potentially influencing the outcomes of various labor disputes before the agency. The situation has highlighted the need for stricter controls and oversight to prevent unauthorized access to sensitive data and protect the confidentiality of information stored in government agencies.
Efforts to address the issue and hold the responsible parties accountable are underway, with ongoing investigations into the extent of the data breach and potential repercussions for those involved. Stakeholders are urged to remain vigilant and proactive in safeguarding sensitive information to maintain trust and integrity in organizational operations.
In conclusion, the breach of sensitive data at NLRB by DOGE employees underscores the importance of maintaining robust cybersecurity measures and enforcing strict access controls to prevent unauthorized data transfers and ensure data privacy and security. The repercussions of such breaches can have far-reaching consequences on organizational reputation, data integrity, and legal compliance, necessitating swift and decisive action to address and rectify the situation.