Former DOGE Engineer Accused of Stealing Sensitive Social Security Data for Private Contractor, All Parties Deny Claims
Multiple sources familiar with the matter have confirmed to WIRED that John Solly, a software engineer and former member of the U.S. Department of Government Efficiency (DOGE), is the operative named in a whistleblower complaint. The complaint alleges Solly told colleagues he stored sensitive Social Security Administration (SSA) data on a personal thumb drive, and intended to share the information with his new private-sector employer.
Per a copy of Solly’s professional resume, he has served as chief technology officer for the health IT division of major government contractor Leidos since October 2024. The firm already holds millions of dollars in active SSA contracts, and is positioned to earn up to $1.5 billion in SSA work through a five-year agreement signed in 2023. As of this week, both Solly’s personal website and public LinkedIn profile have been removed from public view.
When reached for comment, Solly denied all wrongdoing through his legal counsel. A Leidos spokesperson also confirmed the company has found no evidence to support the whistleblower’s claims against Solly.
Solly was one of 12 DOGE staffers embedded at the SSA. According to the resume he previously posted to his personal website, his work there included supporting fellow DOGE engineers on high-stakes initiatives: Digital SSN modernization, Death Master File data cleanup, and development of the SSN verification API (application programming interface) known as EDEN 2.0.
The Death Master File is a sensitive SSA database holding millions of Social Security records for deceased Americans, maintained specifically to prevent bad actors from stealing identities for fraud. APIs allow separate software systems to communicate and pull data from one another; in this context, an SSA API could grant outside agencies and private institutions direct access to Social Security data.
The allegations were first disclosed in a complaint filed with SSA’s internal watchdog, a story broken earlier this week by The Washington Post, which did not name Solly or Leidos in its initial reporting. The complaint, submitted to SSA’s Office of the Inspector General earlier this year, claims the former DOGE employee told coworkers he had obtained copies of the SSA’s Numerical Identification System (known as NUMIDENT) alongside the Death Master File. NUMIDENT is the agency’s master database holding every piece of information collected from Social Security number applications, including full legal names, dates of birth, racial classification, and a vast trove of other sensitive personally identifiable information.
Per the Post’s reporting on the complaint, the whistleblower claims the former DOGE staffer asked a colleague for help transferring the data from his personal thumb drive to a personal device, so he could “sanitize” the dataset before uploading it for use at his new private-sector role. The complaint also alleges Solly told coworkers he expected to receive a presidential pardon if his actions were ultimately found to violate the law.
“John Solly did not share, access, or view any personally identifiable information maintained by the SSA, including the Death Master File and NUMIDENT,” said Seth Waxman, Solly’s defense attorney. “The claims made by an anonymous source are blatantly false and slanderous. Mr. Solly will take every appropriate step to clear his good name and stellar professional reputation. He is fully confident that any fair review of the facts surrounding these baseless allegations will result in his full exoneration.”
Leidos is one of the SSA’s largest long-term contractors. Between 2010 and 2018, the firm earned hundreds of millions in SSA IT contracts. In 2018, it was awarded a contract that could be worth up to $639 million for IT support services and disability claims processing work. In 2023, the company announced it had secured an estimated $1.5 billion IT contract with the agency. When DOGE launched its rapid government-wide restructuring early 2025, Leidos, like many other established government contractors, saw the value of some of its existing SSA contracts cut.
Leidos spokesperson Todd Blecher told WIRED: “We completed an internal investigation, including employee interviews, and found no substantiation of the assertions against Mr. Solly. Our investigation used advanced digital forensics that found no evidence that the SSA data described in the whistleblower complaint is, or ever has been, present on Leidos networks. We also confirmed that Mr. Solly has never plugged a thumb drive or any other external storage device into his company-issued laptop. There is no overlap between his current work statement at Leidos and the work he performed for the SSA. We are fully cooperating with the Social Security Administration on this matter.”
An SSA spokesperson also provided comment to WIRED, saying: “The allegations from a single anonymous source have been strongly refuted by all named parties: the SSA, the former employee, and the contracting company. Even The Washington Post admitted it could not verify the information — because it is not true. The SSA remains focused on continuing our digital-first transformation to deliver better, faster service for every American.”
| Got a Tip? |
|---|
| Are you a current or former government employee who wants to talk about what's happening? We'd like to hear from you. Using a nonwork phone or computer, contact the reporters securely on Signal at
Vittoria89.82andmakenakelly.32. |This is not the first major controversy over DOGE’s handling of sensitive SSA data. Last August, then-SSA Chief Data Officer Chuck Borges filed a separate complaint with the U.S. Office of Special Counsel, accusing DOGE of wrongfully uploading SSA data — including highly sensitive information tied to millions of Americans’ Social Security numbers — to an unsecured cloud server. In his complaint, Borges argued DOGE’s actions put the entire dataset at severe risk of being hacked or publicly leaked.
In his complaint, Borges specifically named Solly as the DOGE team member who requested the agency move live NUMIDENT data (which holds millions of active Social Security numbers) into a cloud environment that lacked mandatory independent security controls. Three other DOGE members — Edward Coristine, Aram Moghaddassi, and Michael Russo — were also accused of participating in internal discussions about moving the NUMIDENT dataset. Before joining DOGE at age 19, Coristine worked for a startup that employed reformed convicted hackers. None of the three men responded to WIRED’s requests for comment ahead of this article’s publication.
Just days after filing his complaint, Borges resigned from his role at SSA, citing retaliatory actions from the agency that “make my duties impossible to perform legally and ethically.” There have been other high-profile controversies tied to DOGE’s work at SSA: on one occasion, the DOGE team erroneously moved the Social Security numbers of thousands of living immigrants into the Death Master File, a change that effectively stripped those individuals of their ability to legally live, work, and access services in the U.S.
According to two SSA sources familiar with Solly’s work, when he joined the agency last year, his initial assignment was consolidating the agency’s IT ticketing system. By June of last year, per Borges’ complaint, Solly had shifted to a new project centered on NUMIDENT data. The resume Solly posted publicly also confirms he worked on an SSA initiative called EDEN 2.0.
Leland Dudek, former acting SSA commissioner, explained that the original EDEN (Enterprise Data Exchange Network) was first developed to help financial institutions verify their customers’ identities. The system pulls data directly from NUMIDENT, meaning Solly would almost certainly need access to that sensitive database to work on EDEN 2.0. “Sharing data traditionally goes through a mainframe, which is really not a great way to share data,” Dudek told WIRED.
While the exact intended purpose of the EDEN 2.0 project remains unconfirmed, a source familiar with the work says it was designed as an API platform to deliver real-time Social Security number verification services to other federal government agencies.
Dudek added that the original version of EDEN was developed around the same time as another core SSA tool: the electronic Consent Based Social Security Number Verification (eCBSV). The eCBSV is a fraud detection tool that allows financial institutions to cross-check customer records against SSA data to confirm identity, for example when a new customer opens a bank account. To share that data safely with outside institutions, the SSA needed a system that didn’t require external parties to access its internal mainframe. While EDEN was not technically a component of the eCBSV system, it was critical to the initiative’s functionality.
“The underlying infrastructure that made that whole system work — because you’re making agreements with dozens of commercial entities and exposing that data through an API — that’s exactly what EDEN was designed to do,” Dudek said.
Dudek noted that while the original EDEN was not built to share data with other government agencies, it could easily be repurposed for that use. “A logical extension of sharing data with financial institutions could be adapted to share data between different federal agencies,” he said. He also added that the DOGE team at SSA never told him they were working on EDEN, and he never authorized the work. “They were more focused on rooting out instances of fraud within the NUMIDENT file itself,” he said.
Records indicate EDEN is already being used for cross-agency data sharing. On February 25, William Kirk, Inspector General of the Small Business Administration (SBA), testified before the Senate Committee on Small Business and Entrepreneurship about combating fraud, particularly fraud related to pandemic-era business relief loans. In his written testimony, Kirk confirmed that “SBA also has stated that it has expanded data-sharing agreements across federal databases,” including “the Social Security Administration’s Enterprise Data Exchange Network.”
