DOGE Duo Ducked Security Rules During Treasury Stint, GAO Finds
Why It Matters
The lapse exposes sensitive taxpayer and aid data to cyber risk, threatening public trust and prompting tighter regulatory scrutiny of inter‑agency data access.
Key Takeaways
- DoJ staff accessed Treasury payment systems without full security clearance.
- GAO found DoJ shared USAID payment list unencrypted, violating protocols.
- BFS failed to implement all required cybersecurity controls on its systems.
- No evidence of data alteration, but access allowed viewing and printing.
- Treasury accepted half of GAO recommendations, ignored three others.
Summary
The Government Accountability Office released a report exposing how two Department of Justice (DoJ) associates, dispatched to the Treasury Department early in the second Trump administration, accessed the Bureau of the Fiscal Service’s (BFS) payment platforms without adhering to established cybersecurity protocols. Their temporary access, spanning January 20 to April 11, 2025, covered three critical systems that process tax refunds, benefits, salaries, and foreign aid disbursements.
The GAO audit revealed that one DoJ employee, linked to an Elon Musk‑created tech collective, could view, copy, print, and even temporarily create, modify, or delete data within these systems—though no actual data changes were detected. Additionally, the DoJ shared a list of USAID payment recipients without encrypting personally identifiable information, directly contravening Treasury’s IT security rules. The BFS itself fell short, failing to fully implement several mandated cybersecurity controls.
The report highlighted concrete lapses: unencrypted PII transmission, inadequate access controls, and a lack of comprehensive security safeguards on high‑value payment infrastructure. While the DoJ’s actions raised concerns, the GAO also placed responsibility on Treasury officials for not enforcing all required safeguards.
The findings underscore heightened vulnerability in federal payment networks, prompting calls for stricter oversight, accelerated remediation of security gaps, and potential legal repercussions. Treasury’s partial acceptance of six GAO recommendations—agreeing to three and ignoring three—signals ongoing challenges in aligning policy with practice.