The Thumb Drive That Could Hold 300 Million Secrets

A whistleblower claims a former DOGE engineer copied Social Security data onto a USB drive to share with his private-sector employer. All parties deny it. But the structural questions remain.

"If It's Illegal, I'll Just Get a Presidential Pardon"

That sentence—allegedly spoken aloud to coworkers—is at the center of one of the most unsettling government data stories in recent memory. According to a whistleblower complaint filed with the Social Security Administration's Office of the Inspector General, a former DOGE engineer named John Solly told colleagues he had copied two of the SSA's most sensitive databases onto a thumb drive and intended to share the data with his new private-sector employer.

The databases in question aren't peripheral files. NUMIDENT is the SSA's master database containing every piece of information submitted in a Social Security number application—full names, dates of birth, race, and more, covering hundreds of millions of Americans. The Death Master File tracks deceased individuals' Social Security records specifically to prevent identity fraud. The whistleblower further alleged that Solly sought help transferring data from the thumb drive to a personal computer to "sanitize" it before uploading it for use at a private company.

That private company is Leidos, a major defense and IT contractor—and one of SSA's largest vendors, holding a $1.5 billion five-year IT contract signed in 2023. Solly has served as CTO of Leidos's health IT division since at least October. His personal website and LinkedIn profile were taken offline this week.

Everyone Denies It. Here's Why That's Not Enough.

Solly's attorney Seth Waxman issued a categorical denial: "He did not share, access, or view any personally identifiable information maintained by SSA, including SSA's Death Master File and Numident. The allegations made by a supposedly anonymous source are patently false and slanderous."

Leidos went further. The company says it conducted an internal investigation using "advanced digital forensics" and found no SSA data on its networks, and no evidence that Solly ever plugged a thumb drive into his company-issued laptop. An SSA spokesperson echoed the denials, calling the allegations unverifiable.

On the surface, that looks like a clean sweep of rebuttals. But context matters.

This is not the first time Solly's name has appeared in a formal complaint about SSA data. Last August, SSA's then-Chief Data Officer Chuck Borges filed a separate complaint with the US Office of Special Counsel alleging that DOGE had uploaded sensitive Social Security data—including live NUMIDENT records—to an unsecured cloud server without independent security controls. Borges named Solly as the DOGE member who requested the NUMIDENT transfer. Days after filing, Borges resigned, saying agency actions had made his duties "impossible to perform legally and ethically."

Two complaints. Two different watchdog bodies. The same name.


The Conflict of Interest Nobody Approved

The structural problem here goes beyond any single allegation. Consider the geometry: Solly worked as a DOGE engineer inside SSA, with access to NUMIDENT data and responsibility for a project called EDEN 2.0. EDEN—the Enterprise Data Exchange Network—is an API system originally designed to let financial institutions verify customer identities against Social Security records. According to former acting SSA Commissioner Leland Dudek, EDEN could be "logically extended" to share data between government agencies. He also told WIRED that DOGE never informed him they were working on EDEN, and he never instructed them to.

Simultaneously, Solly held the CTO role at Leidos—a company with $1.5 billion in pending SSA contracts and a direct financial interest in how SSA's IT infrastructure evolves.

Leidos says there is "no overlap" between Solly's current work at the company and his SSA work. But that claim is made by Leidos itself, about its own employee, in the context of its own ongoing government contracts. The independence of that assessment is, at minimum, worth scrutinizing.

And EDEN appears to already be in use. On February 25, William Kirk, Inspector General of the Small Business Administration, testified before a Senate committee that SBA has expanded data-sharing agreements across federal databases—explicitly including SSA's Enterprise Data Exchange Network. The infrastructure DOGE was reportedly building is operational.

Three Ways to Read This Story

If you're a privacy advocate, the alarming detail isn't the thumb drive—it's the API. Whether or not Solly physically copied data, EDEN 2.0 represents a systematic expansion of who can access Social Security records and under what conditions. Once data flows through an API rather than a mainframe, the attack surface multiplies. The question isn't just "did someone take data?" but "who designed the pipes, and who benefits from them?"

If you're a government efficiency proponent, the counterargument is straightforward: SSA's legacy systems are decades old, fraud is rampant, and modernization requires people with private-sector expertise. Those people will have prior employers and future employers. Conflict-of-interest rules exist precisely to manage this—the question is whether they were followed, not whether the modernization itself was wrong.

If you're a cybersecurity professional, the most disturbing element may be the alleged suggestion of a presidential pardon as a fallback. That framing—if accurate—suggests the person involved understood the actions might be unlawful but proceeded anyway, betting on political protection rather than legal compliance. That's a different category of risk than accidental mishandling.

What the Whistleblower System Reveals About Itself

Borges filed his complaint in August. He resigned days later. The new complaint was filed earlier this year. Solly's online presence disappeared this week. The SSA's OIG is investigating.

In the meantime, Leidos retains its contracts. EDEN is being used by other agencies. And the whistleblowers—plural—are the ones who left their jobs.

The US whistleblower protection system is supposed to shield people who report wrongdoing from retaliation. But "protection" and "vindication" are different things. A protected whistleblower can still lose their job, their reputation, and their ability to be heard if the institutions they report to are also the institutions under scrutiny.

This content is AI-generated based on source articles. While we strive for accuracy, errors may occur. We recommend verifying with the original source.
