A federal whistleblower “Daniel Berulis”, A senior DevSecOps architect has allegedly sent a affidavit document of a U.S DOGE significant data breach at the National Labor Relations Board (NLRB), claiming that personnel from the Department of Government Efficiency (DOGE) accessed sensitive data, potentially compromising critical systems.
The whistleblower’s claims were first highlighted in a detailed thread posted on X by cybersecurity expert Matt Johansen today described the disclosure as “one of the most disturbing cybersecurity disclosures I’ve ever read,” alleging that DOGE personnel accessed NLRB systems, extracted large volumes of data, and that login attempts from Russian IP addresses using valid DOGE credentials followed shortly after.
“Whistleblower’s saying DOGE came in, data went out, and Russians started attempting logins with new valid DOGE passwords,”.
.png
)
Unauthorised Access to Sensitive Systems
According to the whistleblower’s affidavit, submitted via email to key congressional figures including Senators Bill Cassidy and Bernie Sanders of the Senate Committee on Health, Education, Labor and Pensions, and Representatives James Comer and Gerald E. Connolly of the House Committee on Oversight and Government Reform DOGE that staff were granted unprecedented “tenant owner” level access to NLRB’s Azure cloud systems.
“They were to be given what are referred to as “tenant owner” level accounts, with essentially unrestricted permission to read, copy, and alter data.” whistleblower stated in the Document.
Whistleblower also says that they received a call during which an ACIO stated instructions were given that standard operating procedures (SOP) were not to be followed regarding the doge account creation and the creation of records.
The ACIO specifically stated that there were to be no logs or records made of the accounts created for DOGE employees. DOGE officials were to be granted the highest level of access and unrestricted access to internal systems.
This level of access, which surpasses even that of the agency’s Chief Information Officer, allowed unrestricted permissions to read, copy, and alter data.
Security Protocols Allegedly Disabled
The whistleblower, identified as Daniel Berulis, a senior DevSecOps architect at the NLRB, alleged that DOGE personnel disabled critical security protocols, including logging mechanisms and network monitoring tools like Azure’s network watcher.
Berulis reported a significant spike of over 10 gigabytes of outbound traffic from the NLRB’s NxGen case management system, which houses sensitive information such as union organizing activities, employee whistleblower identities, and proprietary business data.
The affidavit noted that this data transfer occurred without corresponding inbound traffic, raising suspicions of exfiltration.
Instant Russian Login Attempts
Most concerning, Berulis claimed that within 15 minutes of DOGE accounts being created, attackers from Russia attempted to log into NLRB systems using the correct usernames and passwords of these newly created accounts.
“There were more than 20 such login attempts. Particularly concerning, the whistleblower notes, is that many of these occurred within 15 minutes of the accounts being created by DOGE engineers.”
Whistleblower also noticed increased logins being blocked by access policy due to those logins originating from outside the country.
For example: In the days after DOGE accessed NLRB’s systems, a user with an IP address in Primorskiy Krai, Russia, began attempting to log in. These attempts were blocked, but they were especially alarming.
Although the login attempts were blocked due to location-based access policies, the incident suggests either a compromised DOGE device or deliberate sharing of credentials. Additionally, multi-factor authentication (MFA) was reportedly disabled for mobile devices, further weakening system security.
On or about March 13, 2025, a connection record in Network Watcher showed data being sent to an unknown external endpoint. The whistleblower says the network team attempted to pull connection logs, but they were unable to do so.
On March 7, 2025, the whistleblower confirmed with the lead developer of the Missions Systems and Admin Systems teams that they did not use “containers” at all, even in development work.
The whistleblower asked various privileged users whether they had made untracked changes to resources in an effort to account for billing anomalies.
Meanwhile, Azure Billing rates grew 8% month over month, but there were no new resources included in the report.
This was unusual, as an increase in spend generally corresponds to an increase in resources. A spike in cost without new resources typically suggests that either a high-cost resource was created, used, and quickly removed, or existing resources were changed to higher-cost usage without approval.
Intimidation Tactics Against Whistleblower
While preparing this disclosure, Berulis found a drone surveillance photo of himself taped to his front door with a threatening note.
The whistleblower’s disclosure also detailed attempts to intimidate Berulis as he prepared to share his findings. On April 7, 2025, he reportedly found a threatening note accompanied by drone surveillance photos of himself taped to his front door.
This incident has heightened concerns about the safety of whistleblowers raising issues related to DOGE’s activities.
The allegations have prompted swift reactions from congressional leaders. The whistleblower report was addressed to prominent members of Congress, signaling the issue’s sensitivity and potential implications for national security.
While the NLRB has denied that a breach occurred, citing an internal investigation, the whistleblower’s claims remain uncorroborated but are fueling demands for federal probes into DOGE’s actions across multiple agencies.
Public reaction on X has been intense, with users expressing alarm over the possibility of foreign adversaries leveraging DOGE’s access to sensitive federal systems.
Posts linked to the trending topic “Cybersecurity at the NLRB” have speculated about DOGE’s intentions, with some suggesting deliberate malfeasance or conflicts of interest, given DOGE leader Elon Musk’s involvement with companies like SpaceX and Tesla, which face ongoing NLRB investigations.
ing the week of March 24, 2025, the ACIO of Security, Chris L., determined that suspicious activity warranted escalation and recommended reporting it to US-CERT, a CISA team responsible for rapid response to cyber incidents.
The whistleblower states that the breach indicators met the threshold to trigger standard procedures concerning data theft, prompting a formal review. All evidence was submitted regarding what was believed to be a serious and potentially illegal removal of personally identifiable information from the Nxgen system and through external transfers.
The whistleblower explains that even if each digital event appeared unrelated, the statistical improbability of coincidence justified involving US-CERT.
The team could help determine the root causes and verify whether the breach involved broader security compromises. The ACIO’s decision to engage US-CERT or potentially the FBI was based on the weight of evidence and the need for resources beyond what the internal team could provide.
However, between April 3–4, 2025, the whistleblower and the ACIO were instructed to halt the US-CERT report and investigation. They were explicitly directed not to move forward or create any official report, effectively shutting down the formal inquiry into the suspicious activity.
Find this News Interesting! Follow us on Google News, LinkedIn, & X to Get Instant Updates!