How DOGE’s data may have violated federal law: an NPR report on Berulis’ discovery of sensitive data from the National Labor Relations Board
The top Democrat on the House Oversight Committee is calling for an investigation after exclusive NPR reporting that sensitive data was taken from the National Labor Relations Board.
The Ranking Member sent a letter to the IG at the Department of Labor and the inspector general at the NLRB expressing concern that DOGE may be involved in technological malfeasance and illegal activity.
The first week of March, engineers associated with DOGE arrived at the NLRB’s headquarters, according to Berulis’ disclosure. Beforehand, they had asked about what software, hardware, programming languages and applications the NLRB was using. DOGE used commercially available cloud infrastructure that businesses use and can be accessed remotely, because it connects to government cloud systems at other agencies.
“I can’t attest to what their end goal was or what they’re doing with the data,” the whistleblower, Daniel Berulis, said in an interview with NPR. The parts of the puzzle that I can quantify are frightening. The picture we are looking at is very bad.
Labor law experts were concerned about the conflicts of interest when it came to Musk and his companies and his network of former employees and allies who are now getting access to government jobs.
Berulis was able to track the sensitive data that was left inside the NxGen case management system. Then, he saw a large spike in outbound traffic leaving the network itself. He explained that the spike is very unusual because data almost never leaves the NLRB’s databases directly.
The letter asks the inspectors general to answer a number of questions regarding ways DOGE may have potentially violated federal law, including any NLRB networks DOGE staffers had access to and what records of DOGE’s work within NLRB systems exist.
One of the DOGE accounts was created and subsequently deleted for use in the NLRB’s cloud systems, hosted by Microsoft.
In the case of the Treasury Department payment systems, the judge said it was possible sensitive information had already been shared outside of the department.
A Technologist’s Tale of the DOGE Secretariat: On the First Days of Trump’s New Department of Government Efficiency
In the first days of March, a team of advisers from President Trump’s new Department of Government Efficiency initiative arrived at the Southeast Washington, D.C., headquarters of the National Labor Relations Board.
The small, independent federal agency investigates and adjudicates complaints about unfair labor practices. It stores reams of potentially sensitive data, from confidential information about employees who want to form unions to proprietary business information.
The DOGE team tried to cover their tracks behind them by asking not to be seen in the system and turning off monitoring tools, which they did manually, according to several cybersecurity experts interviewed.
It’s a familiar story for tech nerds the world over: He methodically took the machine apart “to figure out how it works,” just like he had dissected radios from the thrift store years earlier. He said that he cut himself off once.
A knee injury prevented him from joining the military. When he was a volunteer firefighter, he answered calls from victims of rape who needed someone to listen. But, he told NPR that he was interested in serving his country.
Berulis had been a technical consultant for many years, including in auditing and modernizing corporate systems, when a job opened up at the National Labor Relations Board.
While he didn’t know much about the agency, Berulis quickly found its mission to protect employees’ rights in line with his long-standing desire “to help people.”
He started about six months before Trump was inaugurated for a second term. Berulis said he hit the ground running, securing the NLRB’s cloud-based data servers and reinforcing what’s called “zero trust” principles, which means that users can get access only to the parts of the system they need in order to do their jobs — no more, no less. That way, if an attacker gets hold of a single username and password, the attacker can’t access the whole system.
It was a dream come true when he first started. There was a chance to do some good. But after the inauguration, he described a “culture of fear” descending over the agency.
Source: A whistleblower’s disclosure details how DOGE may have taken sensitive labor data
Forensic Digital Records: Identifying and Mitigating Attacks on a Neighborhood-Building Security Project in the U.S.
Berulis said he and several colleagues saw a black SUV and police escort enter the garage, after which building security let the DOGE staffers in. They interacted with a small number of staffers, never introducing themselves to most of the IT team.
According to Berulis’ disclosures, he was told that the highest level of access the employees of DOGE could get was “tenant owner level” accounts inside the independent agency’s computer system and unrestricted access to read, copy and alter data.
It’s a sin to fail to log activity, it’s a crime, and it’s against the best practices of the National Institute of Standards and Technology and the Department of Homeland Security’s Cybersecurity and Infrastructure Security Agency.
Those forensic digital records are important for record-keeping requirements and they allow for troubleshooting, but they also allow experts to investigate potential breaches, sometimes even tracing the attacker’s path back to the vulnerability that let them inside a network. The records can also help experts see what data might have been removed. Basic logs would likely not be enough to demonstrate the extent of a bad actor’s activities, but it would be a start. Cyber security experts say there is no reason for anyone to turn off logging or any other security tools.
“If he didn’t know the backstory, any [chief information security officer] worth his salt would look at network activity like this and assume it’s a nation-state attack from China or Russia,” said Jake Braun, a former White House cyber official.
Massachusetts Institute of Technology graduate and DOGE engineer Jordan Wick had been sharing information about coding projects he was working on to his public account with GitHub, a website that allows developers to create, store and collaborate on code.
After journalist Roger Sollenberger posted about his account on X, Berulis noticed a project called “NxGenBdoorExtract.”
Detecting Insider Threats at the NLRB: The NxGen Case Management System’s “Container” and the FBI’s Office of Investigation
“So when I saw this tool, I immediately panicked, just for lack of a better term,” he said. I kind of had a revelation and said whoa, whoa. He immediately alerted his whole team.
“It’s odd to call it that, even though it’s important to us that we don’t jeopardize our ability to work with the government again,” said one of the engineers who built NxGen. “Or brazen, if you’re not worried about consequences.”
According to many engineers who created NxGen, the internal system was designed to be used by the NLRB in-house and is not intended for use in other government agencies.
When it comes to detecting insider threats, the National Labor Relations Board isn’t advanced enough. He said that the agency has not evolved to account for those. “We were looking for actors who were bad,” he said.
But he counted on DOGE leaving at least a few traces of its activity behind, puzzle pieces he could assemble to try to put together a picture of what happened — details he included in his official disclosure.
Then, DOGE engineers installed what’s called a “container,” a kind of opaque virtual computer that can run programs on a machine without revealing its activities to the rest of the network. On its own, that wouldn’t be suspicious, though it did allow the engineers to work invisibly and left no trace of its activities once it was removed.
Then, Berulis started tracking sensitive data leaving the places it’s meant to live, according to his official disclosure. First, he saw a chunk of data exiting the NxGen case management system’s “nucleus,” inside the NLRB system, Berulis explained. Then, he saw a large spike in outbound traffic leaving the network itself.
Berulis explained that data from the NLRB’s databases is almost always not used in a spike like that. There was only a small spike in data going out after Berulis revealed a data entering and exiting system. He said that there had been no backups or data migrations at the NLRB that week.
Labor law experts who worked at the National Labor Relations Board and the Inspector General told NPR that it’s only possible to view files relevant to a case if you are granted guest accounts on the system.
What happened to Berulis’s DOGE computer while DOGE was logging on, and how to report it to the CISA Detector
In the days after Berulis, his colleagues and I prepared a request for CISA’s help looking into the issue, Berulis found a letter in an envelope taped to his door with threatening language, personal information, and overhead pictures of him walking his dog, according to the cover letter. The letter references his decision to report the breach, though it isn’t certain if it was sent by him or someone else. Law enforcement is investigating the letter.
If the underlying disclosure wasn’t concerning enough, the targeted physical intimidation and stalking of my client is. If it is happening to Mr. Berulis, this will likely happen to others and bring the nation more in line with dictatorships than with open and free democracies, wrote his lawyer in a statement to NPR. It is time for everyone, including Congress, to acknowledge the facts and stop our democracy, freedom and liberties from falling away, something that will take generations to repair.
Berulis found some troubling details about what happened while DOGE was logged on, which he enumerated in his official declaration.
Unknown users also gave themselves a high-level access key, what’s called a SAS token, meaning “shared access signature,” to access storage accounts, before deleting it. There was no way to know what they did with it.
Berulis said he noticed five PowerShell downloads on the system, a task automation program that would allow engineers to run automated commands. There were several code libraries that got his attention — tools that he said appeared to be designed to automate and mask data exfiltration. There was an automation tool called “browserless” that was used by web developers and there was a tool to generate a seemingly endless number of IP addresses called “requests-ip-rotator” which was starred or favorited by the DOGE engineer.
Berulis says someone appeared to be doing something called DNS tunneling to prevent the data exfiltration from being detected. He came to that conclusion after he saw a huge spike in traffic on the domain name server as his data was being exfiltrated, a spike 1000 times greater than normal requests.
When someone uses this kind of technique, they set up a domain name that pings the target system with questions or queries. But they configure the compromised server so that it answers those DNS queries by sending out packets of data, allowing the attacker to steal information that has been broken down into smaller chunks.
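A defender-side sketch of how a DNS spike like the one described above could be surfaced from resolver logs. It is an added example, not taken from the NPR report or from Berulis’ disclosure; the log format, the domain names, the baseline and every threshold except the 1000x ratio mentioned above are assumptions, and the sample records are constructed.

```python
import hashlib
import math
from collections import Counter, defaultdict


def shannon_entropy(label):
    """Bits per character of a DNS label; encoded data chunks score high."""
    counts = Counter(label)
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())


def parent_domain(qname):
    """Naive parent-domain guess (last two labels). Assumption for this
    example; a production tool would consult a public-suffix list."""
    parts = qname.rstrip(".").lower().split(".")
    return ".".join(parts[-2:])


def volume_spikes(records, baseline_per_minute, ratio=1000):
    """Return the minute buckets whose query count is at least
    ratio x the normal per-minute baseline."""
    per_minute = Counter(ts // 60 for ts, _ in records)
    return sorted(m for m, c in per_minute.items()
                  if c >= ratio * baseline_per_minute)


def tunnel_candidates(records, min_unique=20, min_label_len=30,
                      min_entropy=3.0):
    """Flag parent domains that receive many distinct long, high-entropy
    leftmost labels, the shape data takes when it is chunked into queries."""
    labels = defaultdict(set)
    for _, qname in records:
        first = qname.split(".")[0]
        if len(first) >= min_label_len and shannon_entropy(first) >= min_entropy:
            labels[parent_domain(qname)].add(first)
    return {d: len(s) for d, s in labels.items() if len(s) >= min_unique}


def build_sample():
    """Constructed log of (epoch_seconds, query_name) records: ten quiet
    minutes of ordinary lookups plus one burst of chunk-like queries."""
    start = 10000 * 60
    recs = []
    for minute in range(10):
        for host in ("mail.agency.example", "files.agency.example"):
            recs.append((start + minute * 60, host))
    burst = start + 5 * 60
    for i in range(2000):
        # Stand-in for an encoded data chunk (constructed, carries no data).
        chunk = hashlib.sha256(str(i).encode()).hexdigest()[:40]
        recs.append((burst + i % 60, f"{chunk}.x.collector.example"))
    return recs


if __name__ == "__main__":
    sample = build_sample()
    print("spike minutes:", volume_spikes(sample, baseline_per_minute=2))
    print("tunnel candidates:", tunnel_candidates(sample))
```

Volume alone only shows that something unusual happened; the second check ties the spike to a specific destination domain, which is the detail an investigator would need preserved in DNS logs.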
DOGE should not be audited for its own security, and if it’s a public company, what is the problem? An NPR interview with Berulis
“The difference is, they were given the keys to the front door,” the researcher continued. While the researcher clarified that it would be difficult to fully verify what happened without full access to the NLRB system, they said Berulis’ conclusions and accompanying evidence were a cause for concern. “None of this is standard,” they said.
Russ Handorf, who was employed as a cybersecurity professional with the FBI for a decade, spoke to NPR about his conclusions after he reviewed Berulis’ extensive technical forensic records.
“All of this is alarming,” he said. “If this was a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They didn’t exercise the more prudent standard practice of copying the data to encrypted and local media for escort.”
Experts interviewed by NPR acknowledge there are inefficiencies that need further review, but they don’t see a reason why DOGE staffers would need to remove data from the case management system to resolve those problems.
“There is no reason whatsoever for accessing the information. Is any agency more efficient? More effective? Positively. But what you need for that is people who understand what the agency does. That is not by mining data, putting algorithms in and creating a breach of security,” said Harley Shaiken, a professor emeritus at the University of California, Berkeley who specializes in labor and information technology.
The standard procedures that DOGE follows for doing an audit that has integrity and that’s meaningful are the ones that will actually produce results that serve the regular auditing function.
“The mismatch between what they’re doing and the established, professional way to do what they say they’re doing … that just kind of gives away the store, that they are not actually about finding more efficient ways for the government to operate,” Block said.
What the National Labor Relations Board (NLRB) might think about leaking trade secrets to unions and other investigative bodies: A study of Cornell Labor Relations Research Network
For labor law experts, the mere possibility that sensitive records were copied is a serious danger that could create a chilling effect for employees everywhere who turn to the National Labor Relations Board for protection.
“Just saying that they have access to the data is intimidating,” said Kate Bronfenbrenner, the director of labor education research at Cornell University and co-director of the Worker Empowerment Research Network. “People are going to go, ‘I’m not going to testify before the board because, you know, my employer might get access.'”
The child of immigrants who fled the Soviet Union and Nazi Germany, Bronfenbrenner spends a lot of time thinking about how systems can fall down under certain circumstances. “You know, there’s this belief that we have these checks and balances … but anyone who’s part of the labor movement should know that’s not true,” she told NPR.
With access to the data, it would make it easier for companies to fire employees for union organizing and keep them off blacklists of organizers, which is illegal under federal labor laws. He said people get fired for trying to organize a union all the time.
The data could hurt other people if it got out. Companies also sometimes provide detailed statements on internal business planning and corporate structure in the midst of unfair-labor-practice complaint proceedings. If a company was attempting to fire someone who it alleged had disclosed trade secrets and was fighting an unfair-labor-practice complaint based around that decision, those trade secrets might come up in the NLRB’s investigation. That information would be valuable to competitors, regulators and others.
The University of California, Berkeley’s labor scholar Harley Shaiken said it was very concerning. He said that it could result in damage to individual workers, union-organizing campaigns and unions themselves.
DOGE Sensitivities to the NLRB in the Wake of Trump’s confirmation hearing: Musk, Trump, and xAI
Musk and Trump said in an interview that Musk wouldn’t be involved with anything related to his companies. “I haven’t asked the president for anything ever,” Musk said. “I’m getting a daily proctology exam here. You know, it’s not like I’ll be getting away [with] something in the dead of night.” However, DOGE has been granted high-level access to a lot of data that could benefit Musk, and there has been no evidence of a firewall preventing misuse of that data.
Sen. Chris Murphy, D-Conn., raised his concerns about Musk accessing sensitive labor investigation data on cases against his companies or competitors during the confirmation hearing for Trump’s labor secretary, Lori Chavez-DeRemer, in mid-February. He pressed her to answer whether she believed the NLRB is constitutional and to commit to keeping sensitive data confidential. While she said she was committed to “privacy” and said she respects the NLRB’s “authority,” she insisted that Trump “has the executive power to exercise it as he sees fit.”
“As an agency protecting employee rights, the NLRB respects its employee’s right to bring whistleblower claims to Congress and the Office of Special Counsel, and the Agency looks forward to working with those entities to resolve the complaints,” said Bearese, the agency’s acting spokesperson, in a statement.
In addition to sending DOGE to the NLRB, the Trump administration tried to neutralize the board’s power to enforce labor law by removing its member Gwynne Wilcox. Courts have gone back and forth on whether Wilcox’s removal was illegal, as presidents are meant to demonstrate cause for dismissal of independent board members.
“It’s not like he’s a random person who’s getting information that a random person should have access to,” said Harvard Law’s Block. She said if they got everything, then he has information about cases the government is building against him.
“DOGE is, whether they admit it or not, headed by somebody who is the subject of active investigation and prosecution of cases. It is incredibly troubling,” she said.
Musk’s company xAI could also benefit from sucking up all the data DOGE has collected to train its algorithms. Bruce Schneier, a professor at Harvard Kennedy School, and other experts point to this concern in interviews and written pieces.
According to two federal government sources who were not authorized to speak publicly about their workplaces and who shared email documentation with NPR, managers have consistently been warning employees that their data could be subject to AI review, particularly their email responses to the Musk-led campaign to get federal employees to detail “what they did last week” in five bullet points every Monday.
It is not a flight of imagination for several DOGE staffers to release some of that data to Musk and people close to him.
Handorf explained that both criminals and foreign adversaries use information like this to enrich themselves through a variety of actions. “That includes targeting intellectual property theft for espionage or even harming a company to enrich another.”
The experts interviewed by NPR said that a few failed login attempts from a Russian address aren’t a smoking gun. But given the overall picture of activity, it’s a concerning sign that foreign adversaries may already be searching for ways into government systems that DOGE engineers may have left exposed.
“When you move fast and break stuff, the opportunity to ride the coattails of authorized access is ridiculously easy to achieve,” said Handorf. He said that it would be very hard for spies or criminals to break in and steal data if access points to the network were left open.
“This is exactly why we use the principle of least privilege in the architectures of our systems,” said Ann Lewis in an interview with NPR. “The principle of least privilege is a fundamental cybersecurity concept … that states that users should have only the minimum rights, roles and permissions required to perform their roles and responsibilities. This protects access to high-value data and critical assets and helps prevent unauthorized access, accidental damage from user errors and malicious actions.”
DOGE is not a Cyber Security Consultant, but a Federal Consultant and a Public Official who’s been Tortured by the NLRB
The Cybersecurity and Infrastructure Security Agency has been forced into relocation and put on administrative leave after a number of resignations and firings by the federal government. That has limited their power to respond to the ongoing disruptions or keep track of what DOGE is doing.
When she heard about how DOGE engineers operated at the NLRB, particularly the steps they took to obfuscate their activities, she recognized a pattern.
“I am trembling,” she said upon hearing about the potential exposure of data from the NLRB. Every report and piece of evidence can be obtained by them. This isn’t good.
The employee who requested anonymity said that the cyber teams at the Interior Department were angry because they have to sit on their hands while the alarm systems go off. Cybersecurity teams wanted to shut off new users’ access to the system, the employee continued, but were ordered to stand down.
Meanwhile, in a letter published on March 13 on Federal News Network, 46 former senior officials from the General Services Administration, one of the government agencies hardest hit by DOGE’s cost-cutting efforts and that oversees nearly all federal buildings and purchasing, wrote that they believed “highly-sensitive IT systems are being put at risk and sensitive information is being downloaded to unknown, unvetted external sources in clear violation of privacy and data-protection rules.”
“The entire reason we have a Privacy Act is that Congress realized 50 years ago that the federal government was just overflowing with information about normal everyday people and needed some guardrails in place,” McClanahan told NPR. “The information silos are there for a reason,” he continued. The people who were screaming about the government tracking them a few years ago are now cheering for the data they get into Musk’s Skynet.
For Berulis, it was important to speak out, because he believes people deserve to know how the government’s data and computer systems are at risk, and to prevent further damage. Berulis is a former IT consultant who would have been fired if he had operated like the DOGE.
He said that he believed this goes far beyond just case data. “I know there are [people] at other agencies who have seen similar behavior. I firmly believe that this is happening maybe even to a greater extent at other agencies.”
He said he wanted to let Congress know that they don’t necessarily have things they look for, and that they could look at things differently if they did not know where to look.
Do I really need to know what I’ve read? The DOGE engineers tell me about their investigation of the DOGE breach of security and that’s all I know
“Be transparent,” Berulis asked the DOGE engineers. “If you have nothing to hide, don’t delete logs, don’t be covert. … It’s important that you are open, because efficiency is all about that. If this is all a huge misunderstanding, then just prove it. Put it out there. That’s all I’m asking.”
“This could just be the start of the operation. … He said that they haven’t crossed that boundary where they’re plugged into every federal system. Maybe there is more time left.
According to the disclosure, the person had disabled controls that would prevent mobile devices without the proper security settings from logging on to the system. The public internet was exposing an interface which could have allowed attacks on their systems. Internal alerting and monitoring systems were found to be manually turned off. Multifactor authentication was disabled.
Having a list of key organizers and potential members of a union would make that easier, as would having a copy of the opposing counsel’s notes as companies prepare for legal challenges, she continued.