11
Software Engineer Accused of Storing Sensitive SSA Data on Thumb Drive, Denies All Wrongdoing
John Solly, a software engineer and former operative within the controversial Department of Government Efficiency (DOGE), stands accused in a whistleblower complaint of storing highly sensitive Social Security Administration (SSA) data on a thumb drive. Multiple sources have confirmed to WIRED that Solly allegedly expressed intentions to share this information with his current employer, Leidos, a major government contractor with extensive ties to the SSA.
The allegations surface amid a backdrop of prior controversies surrounding DOGE’s activities at the SSA and raise serious concerns about the security of vast repositories of personal information held by federal agencies. Solly, who transitioned from DOGE to become the chief technology officer for the health IT division of Leidos in October, has vehemently denied any wrongdoing through his legal counsel. Leidos, for its part, also stated that an internal investigation found no evidence to support the whistleblower’s claims.
The sensitive data at the heart of the complaint includes records from the SSA’s Numerical Identification System (NUMIDENT) and the Death Master File (DMF). NUMIDENT is a master database containing comprehensive personally identifiable information (PII) such as full names, birth dates, racial identifiers, and other critical details for every individual with a Social Security number. The Death Master File, conversely, holds millions of records of deceased individuals, crucial for preventing identity fraud and misuse of Social Security numbers. The potential compromise of such databases could have far-reaching implications for national security and individual privacy.
According to a copy of his résumé, Solly, while at SSA, was one of 12 DOGE team members involved in initiatives such as "Digital SSN," "Death Master File cleanup," and the "SSN verification API (EDEN 2.0)." His work on these projects would have granted him access to the very databases he is now accused of illicitly retaining. Leidos, his current employer, has a significant financial relationship with the SSA, having secured millions in past contracts and standing to gain up to $1.5 billion from a five-year deal signed in 2023. Solly’s personal website and LinkedIn profiles were taken offline shortly after these allegations gained traction this week, a move often observed when individuals face intense public scrutiny.
The initial revelation of this serious allegation came from a complaint filed with the SSA’s internal watchdog, the Office of the Inspector General (OIG), which was first reported earlier this week by The Washington Post. While The Post did not name Solly or Leidos in its initial reporting, it detailed the whistleblower’s claims that a former DOGE employee had openly discussed taking copies of both the NUMIDENT and the Death Master File. The complaint further alleged that the former employee sought assistance in transferring a set of data from a thumb drive to a personal computer, ostensibly to "sanitize" it before uploading it for use at a private-sector company. Disturbingly, the whistleblower also claimed that the individual expressed an expectation of receiving a presidential pardon should his actions be deemed unlawful.
In a robust defense, Solly’s legal counsel, Seth Waxman, issued a statement denying all accusations. "Mr. Solly did not share, access, or view any personally identifiable information (PII) maintained by SSA, including SSA’s Death Master File (DMF) and Numerical Identification System (Numident)," Waxman stated. He categorized the allegations from the anonymous source as "patently false and slanderous," vowing that Solly would "take all appropriate steps to clear his good name and stellar reputation," and expressed certainty that "any fair review of the facts and circumstances surrounding these spurious allegations will fully exonerate him."
Leidos spokesperson Todd Blecher echoed this denial, providing details of the company’s own investigation. "We completed an internal investigation, including employee interviews, and found no substantiation of the assertions against Mr. Solly," Blecher told WIRED. He further added that the investigation involved "advanced digital forensics that found no evidence that the Social Security Administration data described in a whistleblower complaint is, or ever has been, on Leidos networks." Blecher also confirmed that Leidos determined Solly "never plugged a thumb drive or any other storage device into his company-issued laptop," and emphasized that "there is no overlap in his current work statement at Leidos with the work he performed at SSA." Leidos stated it is fully cooperating with the Social Security Administration on this matter.
An SSA spokesperson, commenting on the situation, expressed similar skepticism about the allegations. "The allegations by a singular anonymous source have been strongly refuted by all named parties—SSA, the former employee, and the company," the spokesperson told WIRED, asserting that "Even The Washington Post admitted they could not verify the information—because it is not true. SSA is focused on continuing our digital-first transformation to deliver better, faster service for every American."
This recent whistleblower complaint is not the first instance of controversy surrounding DOGE’s presence at the SSA. Last August, Chuck Borges, then SSA’s chief data officer, filed a separate, significant complaint with the US Office of Special Counsel. Borges accused DOGE of wrongfully uploading sensitive SSA data, including highly sensitive information on millions of Social Security numbers, to an unsecured cloud server. In his complaint, Borges specifically named John Solly as a DOGE member who requested the agency move live NUMIDENT data into a cloud environment that lacked "independent security controls," thereby risking potential hacking or leakage.
Borges’s complaint also implicated other DOGE members, including Edward Coristine, Aram Moghaddassi, and Michael Russo, in discussions regarding the movement of NUMIDENT data. Coristine, notably, had a background working for a startup that hired "reformed convicted hackers" before joining DOGE at the age of 19. These individuals did not immediately respond to requests for comment. Days after filing his complaint, Borges resigned from his SSA role, citing agency actions that made his duties "impossible to perform legally and ethically."
DOGE’s tenure at SSA was marked by other contentious incidents. In one notable case in April 2025, the DOGE team was accused of moving the Social Security numbers of thousands of immigrants into the Death Master File. This action was reportedly intended to effectively shut off their ability to live and work in the United States, raising serious human rights and administrative concerns. The "DOGE blitz" into the US government in early 2025 also led to many government contractors, including Leidos, experiencing significant contract cuts. Leidos, for instance, saw some of its contracts terminated, though it later secured larger deals with the SSA.
When Solly initially joined the SSA last year, he was reportedly tasked with consolidating the agency’s IT ticketing system, according to two SSA sources familiar with his work. However, by June of the same year, he appeared to have shifted to a new project involving NUMIDENT data, as detailed in the Borges complaint. His résumé also outlined work on "EDEN 2.0," an SSN verification API.
Leland Dudek, former acting SSA commissioner, explained that EDEN, or the Enterprise Data Exchange Network, was originally designed to help financial institutions verify customer identities by pulling data from NUMIDENT. Solly would have required access to NUMIDENT to work on EDEN. Dudek noted that while traditional data sharing typically occurred over a mainframe, which he deemed "not a great way to share data," EDEN offered a more modern approach.
The precise objectives of the EDEN 2.0 project remain somewhat unclear, but a source familiar with the work suggests it was intended as an API system to provide real-time Social Security number verification to other government agencies. Dudek further clarified that the first version of EDEN was developed concurrently with another SSA fraud detection tool, the electronic Consent Based Social Security Number Verification (eCBSV). This system enables financial institutions to cross-reference their records with SSA data to confirm identities, for example, during bank account openings. EDEN, while not a direct component of eCBSV, was "instrumental" in facilitating the safe sharing of this data with external institutions via an API, bypassing the need for mainframe access.
Dudek described EDEN as the "underlying piece that made that work, because you’re making agreements with different commercial entities, and you’re exposing it through an API." While he maintained that EDEN was not explicitly designed for inter-agency data sharing, he conceded that "it could be" used for that purpose, describing it as a "logical extension." Interestingly, Dudek stated that the DOGE team never directly informed him they were working on EDEN, indicating their primary focus seemed to be on "trying to find the fraud in the NUMIDENT file."
Crucially, it appears EDEN is already being utilized for inter-agency data sharing. On February 25, William Kirk, Inspector General of the Small Business Administration (SBA), testified before the Senate Committee on Small Business and Entrepreneurship regarding efforts to combat fraud, particularly in Covid-19 pandemic relief loans. In his written statement, Kirk confirmed that the "SBA also has stated that it has expanded data-sharing agreements across federal databases," explicitly including "the Social Security Administration’s Enterprise Data Exchange Network." This confirmation from a high-ranking government official underscores the critical nature of the EDEN system and the potential impact of any unauthorized access or transfer of the underlying SSA data.
The ongoing investigation into John Solly and the broader context of DOGE’s contentious activities at the SSA highlight the persistent challenges in safeguarding vast amounts of sensitive government data and ensuring ethical conduct among federal employees and contractors. Despite strong denials from Solly, Leidos, and the SSA, the gravity of the allegations, particularly concerning the potential exfiltration of PII and the prior controversies involving DOGE, demands thorough scrutiny and transparency.
