A whistleblower complaint filed by Daniel Berulis, a cybersecurity specialist at the National Labor Relations Board (NLRB), alleges that staff from the Department of Government Efficiency (DOGE), led by Elon Musk, gained sweeping 'tenant owner' access to the NLRB's internal systems in early March. The NLRB is an independent federal agency responsible for protecting workers' rights and adjudicating labor disputes.
According to the disclosure, DOGE engineers disabled monitoring tools, deleted logs, and requested that their activities not be logged, contrary to standard cybersecurity protocols. Technical staff observed a spike in outbound data traffic, with approximately 10 gigabytes of data—including information on union organizing, ongoing legal cases, and proprietary business information—removed from the agency's databases. Tools and techniques cited in the disclosure include a project named 'NxGenBdoorExtract,' DNS tunneling, the creation of a shared access signature (SAS token), five PowerShell downloads, and the use of requests-ip-rotator and browserless for automating and masking data exfiltration. Multifactor authentication was disabled and an interface was exposed to the public internet.
The complaint further details that, within minutes after DOGE accessed the NLRB's systems, there were multiple attempted logins from a Russian IP address using newly created DOGE accounts with correct credentials. These attempts were blocked by location-based security controls, but their timing and accuracy raised concerns about potential exposure to foreign adversaries. Data exfiltration was associated with a spike in DNS requests, and a user roster was exported. The whistleblower's attorney also alleged that Starlink was used for data exfiltration.
Berulis and colleagues attempted to launch a formal breach investigation and alert the Cybersecurity and Infrastructure Security Agency (CISA), but their efforts were disrupted by higher authorities. After his internal disclosures, Berulis received a threatening note at his home containing personal information and drone photographs, which is now under law enforcement investigation.
Following the public report, DOGE staff visited the NLRB headquarters to meet with agency leadership. NLRB acting general counsel William Cowen and other leaders have denied that DOGE was granted access to its systems or that any breach occurred, citing internal investigations. However, Berulis' claims are supported by internal documentation and have been reviewed by technical experts. The whistleblower's attorney, Andrew Bakaj of Whistleblower Aid, has submitted the disclosure to Congress and the U.S. Office of Special Counsel, citing concerns over violations of federal data security and privacy laws.
Labor law experts and cybersecurity professionals have raised concerns about the removal of sensitive data, including the potential for retaliation against workers and union organizers, conflicts of interest given Musk's ongoing legal disputes with the NLRB, and broader risks related to DOGE's access to sensitive data across federal agencies.
According to the whistleblower, cyber security specialist Daniel Berulis at the NLRB, a person using a Russian IP address had the correct login credentials just minutes after they were created by DOGE to access the government system in March.
https://t.co/5SZfl5g2zh
An employee with the NLRB sent a whistleblower disclosure to members of Congress on Monday alleging that Elon Musk's Department of Government Efficiency harvested Americans' sensitive information and likely exposed the data to foreign adversaries. https://t.co/1HFVn2mJPT https://t.co/Em2w7r94iX
