Social Security Chief: Whistleblower Wrong, No Data Exposure

SSA chief Frank Bisignano sent a letter to the Senate Committee on Finance Tuesday, denying the whistleblower's claims that data in the Numident, or Numerical Identification System, “has been accessed, leaked, hacked, or shared in any unauthorized fashion.”

Bisignano’s denial responded to the whistleblower, SSA Chief Data Officer (CDO) Chuck Borges, who submitted a protected letter Aug. 26.

Following Borges’ letter, Finance Committee Chairman Sen. Michael Crapo, R-Idaho, wrote to Bisignano on Sept. 10 with questions about the storage of personally identifiable information (PII), SSA risk mitigation and other questions relating to the possible data breach.

Bisignano responded that the location in the whistleblower's letter is "a secured server in the agency’s cloud infrastructure ... and is continuously monitored and overseen," which is SSA’s "standard practice.”

Bisignano added that “every information system goes through a privacy impact and risk assessment” and that there is “a security operations center which monitors 24/7 for any threats or vulnerabilities impacting its networks.”

Bisignano said that PII has been stored in a secure Amazon Web Service cloud environment since 2015/2016, and that all employees undergo a vetting process before they are given access to SSA information systems.

Though Borges “did not communicate with his peers in the security, data, and infrastructure groups who have oversight over these issues” prior to his whistleblower complaint, “SSA took [his] concerns seriously and conducted a review,” Bisignano said.