
DOGE GAINED UNAUTHORIZED ACCESS TO THE NLRB, STOLE POTENTIALLY SENSITIVE DATA. THEN RUSSIA TRIED, TOO.


Daniel Berulis found an envelope taped to his workplace door that contained threats, sensitive information and a drone photo of him walking his dog.

It was clear that he had kicked the hornet’s nest, and now it was time to blow the whistle.

Berulis had been at the NLRB for only six months, and had immediately begun restructuring the internal system with higher levels of security and implementing a “zero trust” policy, which means that users can get access only to the parts of the system they need in order to do their jobs — no more, no less. That way, if an attacker gets hold of a single username and password, the attacker can't access the whole system.

When Elon Musk’s unofficial government agency, DOGE, showed up to access the NLRB’s internal system in March, it was with assurances that it was part of their agency’s ongoing mission “to review agency data for compliance with the new administration's policies and to cut costs and maximize efficiency.”

However, it became clear very quickly that what was occurring had nothing to do with making the government more efficient or cutting spending.

Berulis could see that DOGE had gained access to confidential data in the internal system, and that in doing so the DOGE team took steps deemed unethical in the IT world to cover their tracks: telling the system not to log their steps, turning off monitoring tools and manually deleting records of their access — evasive behavior that several cybersecurity experts interviewed by NPR compared to what criminal or state-sponsored hackers might do.

Most frightening, Berulis could see that massive amounts of data were LEAVING the system, something DOGE was also not authorized to be doing. Indeed, data was almost never extracted from the system, even by lawyers working on labor cases. The DOGE team had taken steps to hide what they were extracting, and Berulis and his colleagues could only see that lots of data was being taken.

15 minutes after the DOGE team began their “audit”, Berulis could see someone trying to log in to the system using DOGE’s newly-created usernames and passwords from an IP address in Russia. The only reason it was unsuccessful was because of a system default that denied access to foreign devices. It remains unclear how those usernames and passwords were accessed. 

This so disturbed the IT department that it launched a formal review of what it deemed a serious, ongoing security breach or potentially illegal removal of personally identifiable information.  

Berulis decided that it was such a serious threat that he wanted an independent review by the FBI or CISA.

So what exactly could DOGE have accessed? Stored within the NLRB’s files are sensitive details about union leadership, damaging testimony, legal strategies and internal data which could be weaponized by a corporation with a case before the NLRB.  Currently Elon Musk has multiple cases involving labor disputes in courts, and is facing potential union organizing at his factories.

After DOGE left and Berulis raised his concerns, the NLRB conducted an internal investigation but "determined that no breach of agency systems occurred." He was working on an official request to CISA when he found that envelope taped to his door. So he decided it was time to file a whistleblower complaint with Congress. Disclosing his concerns "was a moral imperative at this point," he said. "I've never encountered this in my 20 years of IT."

Data experts outside the NLRB agree with Berulis’s concerns. Russ Handorf, who served in FBI cybersecurity, reviewed Berulis' extensive technical forensic records and analysis submitted with his congressional whistleblower filing.

"All of this is alarming," he said. "If this was a publicly traded company, I would have to report this [breach] to the Securities and Exchange Commission. The timeline of events demonstrates a lack of respect for the institution and for the sensitivity of the data that was exfiltrated. There is no reason to increase the security risk profile by disabling security controls and exposing them, less guarded, to the internet. They didn't exercise the more prudent standard practice of copying the data to encrypted and local media for escort."

"Until there's an investigation done, there's no way to definitively prove who did it," Handorf concluded.

"I believe with all my heart that this goes far beyond just case data," Berulis said. "I know there are [people] at other agencies who have seen similar behavior. I firmly believe that this is happening maybe even to a greater extent at other agencies. It was my goal by disclosing to Congress not to focus on me at all, but to give them information that they might not necessarily have, the things that you don't necessarily look for unless you know where to look."

Berulis had a simple request for the DOGE engineers: "Be transparent. If you have nothing to hide, don't delete logs, don't be covert. ... Be open, because that's what efficiency is really about. If this is all a huge misunderstanding, then just prove it. Put it out there. That's all I'm asking."

After NPR published the whistleblower interview, Trump installed two DOGE employees as operatives inside the NLRB, both of whom are connected to the efforts to dismantle small agencies.

 
 
 


© 2023 by Train of Thoughts. Proudly created with Wix.com
