A federal whistleblower has come forward with allegations of a significant cybersecurity breach at the National Labor Relations Board (NLRB), implicating personnel from the Department of Government Efficiency (DOGE) in unauthorized access and potential data exfiltration.
The whistleblower, identified as Daniel Berulis, a senior DevSecOps architect at the NLRB, detailed these claims in an affidavit submitted to key congressional figures, including Senators Bill Cassidy and Bernie Sanders, as well as Representatives James Comer and Gerald E. Connolly. Berulis asserts that DOGE staff were granted tenant-owner-level access to the NLRB’s Azure cloud systems, providing them with unrestricted permissions to read, copy, and alter data. This level of access reportedly exceeded that of the agency’s Chief Information Officer, a situation Berulis describes as unprecedented and highly irregular.
According to the affidavit, standard operating procedures were deliberately bypassed during the account creation process for DOGE personnel. Berulis alleges that instructions were given to avoid creating logs or records of these accounts, effectively obscuring the activities of DOGE staff within the NLRB’s systems. This lack of transparency raises significant concerns about accountability and oversight.
Further compounding these concerns, Berulis reports that critical security protocols, including logging mechanisms and network monitoring tools like Azure’s Network Watcher, were disabled following DOGE’s access. This action effectively blinded the NLRB’s security infrastructure, preventing the detection of unauthorized activities.
Berulis also observed a significant spike of over 10 gigabytes of outbound traffic from the NLRB’s NxGen case management system, which contains sensitive information such as union organizing activities, employee whistleblower identities, and proprietary business data. This data transfer occurred without corresponding inbound traffic, suggesting potential data exfiltration.
Adding to the gravity of the situation, Berulis noted attempted logins from Russian IP addresses using valid DOGE credentials shortly after the initial access. While these attempts were blocked due to location-based security policies, they indicate a possible compromise of DOGE credentials and raise concerns about foreign entities exploiting the situation.
Efforts by Berulis and his colleagues to formally investigate and alert the Cybersecurity and Infrastructure Security Agency (CISA) were reportedly obstructed by higher-ups without explanation. This obstruction, coupled with the disabling of security protocols, suggests a systemic failure in addressing the breach.
The NLRB has denied that a breach occurred, and neither DOGE nor CISA has commented on the matter. The FBI declined to comment, and the specifics of DOGE’s duties at the NLRB remain unclear.
This incident underscores the critical importance of adhering to established cybersecurity protocols and maintaining transparency when granting access to sensitive systems. The allegations, if substantiated, highlight significant vulnerabilities within federal agencies and the potential for unauthorized access to compromise sensitive information.