Treasury Agreed to Fix Half the Breach
An auditor named six fixes for the payment-system breach. Treasury signed off on three of them.
Introduction
The government's own auditor published a report in April saying a DOGE associate accessed federal payment systems, the ones that process your Social Security check, your tax refund, your veterans benefit, your federal salary, without completing required security training, without signing a single security agreement, and with data protection tools that failed to catch him sending unencrypted payment records to another agency. Treasury reviewed the findings, then agreed to fix only three of the six problems. As of today, the payment systems still run the same way.
That report is GAO-26-108131, released April 28, 2026, by the Government Accountability Office, the nonpartisan investigators who answer to Congress. It is not a whistleblower allegation or a leaked memo. It is a finished audit with named controls, a count of how many failed, and six specific recommendations Treasury was asked to commit to.
What GAO actually counted
The Bureau of the Fiscal Service, the part of Treasury that cuts almost every federal payment, gave a DOGE associate access to three of its payment systems between January and February 2025. GAO picked 14 cybersecurity controls across four areas and checked which ones the bureau had in place while that access was live. The finding, verbatim from the report: "BFS implemented five of the 14 selected controls within those four areas."
It helps to know what those three systems do, because the abstraction hides the stakes. According to court filings reviewed by Kim Zetter, they are PAM, SPS, and ASAP. PAM is the landing zone where federal agencies drop the payment files that turn into actual money leaving the Treasury. SPS is where agencies create, certify, and submit those payment orders. ASAP lets recipients draw down funds from accounts already approved. This is the machinery behind the disbursements. In fiscal year 2025, the bureau's Federal Disbursement Services pushed out more than 1.32 billion payments totaling more than $6.01 trillion, 97 percent of them electronic, for more than 250 federal agencies. Social Security, Supplemental Security Income, veterans pay, federal salaries, your income tax refund, all of it runs through here.
The detail that stops you is this one, again straight from GAO: "the employee was inadvertently granted temporary access to create, modify, and delete data for one of the three systems, but GAO found no evidence of any changes to system data." Read access to the system that moves trillions would be alarming enough. This was write access, the ability to create and delete payment records, handed over by accident. Nothing got changed, the report says so. But the only thing standing between that access and an altered payment record was luck, not a control the bureau had set up, and that's the gap the whole report keeps circling back to.
Worth being precise about who this report does and doesn't name. GAO does not name the DOGE associate. Court filings and reporting from Nextgov/FCW, Politico, and others match the anonymized details, like the February 6, 2025 resignation date, to Marko Elez. That identification comes from the court record and the press, not from the audit. GAO's report also references a second, unnamed DOGE staffer whose email helped route data, so this was not one person acting alone.
The tools that were supposed to catch it
Getting him in was one failure. What the monitoring tools didn't catch once he was in is a separate one, and the worse of the two.
GAO found, in its own words, that "an employee did not encrypt payment information sent to another agency DOGE team or obtain approval to share this information prior to sending it." Per FedScoop, the file held the personal information of about 350 individuals listed for USAID payments, sent as an Excel spreadsheet, routed through a Treasury email to another DOGE staffer and on to two DOGE members at the General Services Administration. The 350 figure comes from reporting on the findings rather than the audit's published highlights, so treat the headcount as secondary, but the unencrypted transfer without approval is in the GAO report directly.
What makes this more than a careless email is when Treasury noticed. Per Nextgov, the bureau didn't catch the transfer in real time. It found out during a forensic review of the laptop after the employee had already left, because its data loss prevention tools weren't configured to watch for information being sent to other government agencies. The system built to flag exactly this kind of leak was looking the wrong direction, so the file was already gone before anyone went back and found it.
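The configuration gap described in that paragraph, as an added illustration (example code written for this page, not Treasury's, GAO's or any vendor's): a toy outbound-mail DLP check whose destination rule is scoped the way the finding describes, skipping every .gov recipient as "inside government", beside a version that treats any domain other than the sending bureau's own as external. The domain names, sample message and attachment name are constructed placeholders.

```python
"""Constructed DLP policy comparison: weak destination scoping vs. fixed."""
from dataclasses import dataclass

# Placeholder for the sending bureau's mail domain (constructed, not real)
BUREAU_DOMAIN = "fiscal.example.gov"

# Attachment names that should be treated as payment records (constructed list)
PAYMENT_MARKERS = ("payment", "payee", "disbursement")


@dataclass
class OutboundMail:
    sender: str
    recipients: list
    attachment_names: list
    encrypted: bool          # was the payment data encrypted before sending?
    sharing_approved: bool   # was sharing approved before sending?


def looks_like_payment_data(names):
    return any(m in n.lower() for n in names for m in PAYMENT_MARKERS)


def external_recipients_weak(mail):
    # Weak rule: any .gov address counts as internal, so another agency is never watched
    return [r for r in mail.recipients if not r.rsplit("@", 1)[1].endswith(".gov")]


def external_recipients_fixed(mail):
    # Fixed rule: only the bureau's own domain is internal; other agencies are external
    return [r for r in mail.recipients if r.rsplit("@", 1)[1] != BUREAU_DOMAIN]


def evaluate(mail, external_fn):
    """Return a list of findings; an empty list means the mail passes unflagged."""
    findings = []
    if not looks_like_payment_data(mail.attachment_names):
        return findings
    ext = external_fn(mail)
    if not ext:
        return findings
    if not mail.encrypted:
        findings.append("unencrypted payment data to: " + ", ".join(ext))
    if not mail.sharing_approved:
        findings.append("no documented approval to share payment data")
    return findings


# Constructed sample: a payment spreadsheet mailed to another agency, no encryption, no approval
SAMPLE = OutboundMail(
    sender="analyst@" + BUREAU_DOMAIN,
    recipients=["staffer@other-agency.example.gov"],
    attachment_names=["agency_payments.xlsx"],
    encrypted=False,
    sharing_approved=False,
)
```

With the weak rule the sample passes silently, which is the behaviour the forensic review later uncovered; with the fixed rule it produces two findings before the message leaves.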
Treasury did put real restrictions on the access, and the report says so. Court filings describe a bureau-specific encrypted laptop, blocked USB ports, blocked cloud storage, blocked web access. GAO's own ratings reflect that: System Integrity came back "Fully Implemented," and both Information Confidentiality and Monitor System Usage came back "Substantially Implemented." The failure was concentrated in one area, System Access, which GAO rated "Partially Implemented." The bureau locked most of the doors and left the most important one cracked.
What Treasury agreed to, and what it didn't
The breach is the easy part to understand. What Treasury did after reading the report is the part worth slowing down on.
GAO made six recommendations. The report states it plainly: "BFS agreed with three of the recommendations and did not state whether it agreed or disagreed with the other three. As discussed in the report, GAO maintains the recommendations are appropriate and warranted." Treasury didn't reject the other three. It declined to take a position on them. An agency that disagrees gets to argue its case, but an agency that stays silent has read the recommendation, understood it, and chosen not to commit anyway.
The three Treasury agreed to, per Federal News Network, were defining minimum screening requirements for access, strengthening training before access is granted, and updating the process for reviewing emails that contain unencrypted payment information. Useful, all of them. The three it left hanging are the sharper ones: verifying that a user's access actually matches what was approved, conducting exit interviews and getting post-employment paperwork from people who leave with access to payment systems, and fixing the data loss prevention configuration that missed the unencrypted transfer in the first place. One of the recommendations Treasury wouldn't commit to is the one aimed directly at the gap that let the USAID file walk out the door undetected.
John Davisson of the Electronic Privacy Information Center put the sequence bluntly to FNN: "Despite Treasury's conclusion that one DOGE employee would be in a position to cause 'inestimable damage' to security interests, the agency couldn't be bothered to get a signed access agreement from the employee or comply with other baseline safeguards." The phrase "inestimable damage" is Treasury's own, from its internal assessment as relayed by GAO, and the safeguards it put in place after writing those words came to five of fourteen.
Who benefits from skipping the controls
The reason to skip a security control is almost always the same: it costs time. Following that logic tells you who came out ahead here.
DOGE's documented operating goal in this window was speed. The team described pushing for high-level system access across agencies as "operating procedure" in court testimony. According to the court affidavit reviewed by Zetter, Elez copied two USAID files from the PAM database to his laptop on February 3, 2025, consistent with DOGE's stated aim of halting foreign aid disbursements. Every control the bureau skipped, from the signed rules-of-behavior agreement to the properly configured monitoring, is a control that would have added days. Access that should have taken weeks through normal channels was compressed into a window short enough that resistance never formed.
It didn't form because the person who would have raised it was gone. David Lebryk, the most senior career official at Treasury, with more than 30 years of service under six presidents, was placed on administrative leave on January 31, 2025, after refusing to grant DOGE the access it wanted. He resigned the same day. The next morning, the DOGE associate got into PAM and SPS. So Treasury's political leadership got clean compliance with what the White House wanted, the one career official who would have said no was already out of the building, and the price of moving that fast was the set of controls that never got implemented.
There's a corporate name circling this story, and it's worth saying exactly how far the evidence goes before anyone reaches for an accusation. Tom Krause, the CEO of Cloud Software Group, a Broadcom division, was the DOGE lead at Treasury in an unpaid government role. He had observation access only, so he could watch the systems being accessed but not touch them himself. No contract between Cloud Software Group and the bureau during this period turns up in the record, and without one there's no documented financial conflict to point to. So it's useful to know he was in the room, but on this evidence there's no payday attached to him.
What's still broken, and the report nobody can finish
The newest twist has nothing to do with 2025. It's whether anyone gets to find out what else happened.
On May 18, 2026, the Washington Post reported that as GAO conducts a broader investigation into how DOGE members handled sensitive data across the government, multiple agencies are refusing to hand over records. The completed Treasury audit was, in GAO's own framing, "preliminary results" of ongoing work, with more reports promised. Whether those reports can say anything complete now depends on documents agencies are declining to produce.
Even this finished report has a narrow frame. GAO scoped its Treasury review to the window of January 20 through April 11, 2025. In a parallel review at the National Labor Relations Board, the lawyer for a whistleblower said GAO scoped out the exact timeframe the whistleblower flagged as containing the most serious conduct. Rep. Richard Neal, whose committee requested the Treasury audit, made the same point about this report, that it "only examined a limited period last year." A finished audit carries real weight, but it still only covers the slice it was scoped to, and the people who could widen that slice are being told no.
The same week GAO published its findings, the House advanced a bill to combine more federal databases, not to fix the breach but to expand the system. H.R. 8463, the Pre-Payment Fraud Prevention and Treasury Data Access Act, would direct Treasury to pool more agency payment and payee data to fight fraud, which GAO estimates costs between $233 billion and $521 billion a year. The markup had been calendared on April 24, four days before the GAO report, and the bill cleared committee 35-1, so this was scheduled before the audit landed, not a reaction to it. Neal drew the connection himself, arguing that pooling more data into one system while the documented failures sit unfixed is the wrong order of operations. That framing is his, and the timing is just the calendar. But the question it raises is fair: the bureau that left write access open by accident is the one being asked to hold more of your data in one place.
Six recommendations, three signatures, zero closed
GAO did the part everyone says they want. It named the systems, counted the controls, found the unencrypted transfer, and wrote down six things to fix. Treasury read all six and committed to three. More than a month later, the recommendation tracker on GAO's own page still shows every one of the six open, with no confirmed corrective action plan, and the data loss prevention gap that missed the USAID file is among the three Treasury never signed onto.
So the receipt is in writing and the fix stopped halfway by choice. The open question is what it takes to move the other half, when the harm reaches almost every adult who gets a federal payment and the agencies that could show what else happened are the ones refusing to open the files.