Given a desired message size of max_bytes megabytes (in reality the messages will be smaller due to the use of gzip), a database dump command which dumps the database to stdout, a correctly configured mail environment and a destination address of dogehouse@doge.gov:
$ database_dump_command | RCPT="dogehouse@doge.gov" split -b "${max_bytes}M" --filter="gzip - | base64 | mail -s \$FILE \$RCPT"
Next time they might want to replace | base64 | with | gpg -r dogehouse@doge.gov -e -a |, which would turn the unencrypted export into an encrypted version:
$ database_dump_command | RCPT="dogehouse@doge.gov" split -b "${max_bytes}M" --filter="gzip - | gpg -r \$RCPT -e -a | mail -s \$FILE \$RCPT"
I thought they were emailing around social security numbers till I got to the end of the article.
Foreign governments are probably having a once-in-a-century field day with the data they are harvesting.
This damage won't be fixed within the lifetime of anyone alive today.
We won't even see WW3 coming, just tiny footsteps and then BOOM some morning.
what hyperbole. it’s just names and a dollar amount.
My credit report is just names and dollar amounts too. I don’t want the whole world having access to it.
heh. That's cute.
You may not "want" that. However, given the lack of consumer privacy laws in the US, anybody willing to pay can buy it from a data broker[1].
[1] https://www.experian.com/small-business/target-prospects
hyperbole would be the wrong word. I think misinformation would be the correct word since the allegations were false rather than exaggerated.
Why would there even need to be a war, when you can just buy the country?
[flagged]
"But her emails!"
These issues are as important as people want to make them out to be. But given the discussion of security clearance involved, maybe it is a legal matter? Maybe someone can work out which bits of the Treasury privacy policy https://home.treasury.gov/system/files/236/Department-of-the... are legally binding and which are just guidelines.
[dead]
[flagged]
If there is a procedure in place, you follow the procedure. You can argue how the procedure is ass backwards, but you don't just ignore the procedure because it's giving you bad vibes.
Especially with PII. Every junior I've mentored, every team member I've been responsible for, every one has gotten a (thankfully, mainly preemptive) stern talking-to regarding handling PII. Much better to be laughably paranoid a hundred times than to leak some of the truly radioactive data once.
> The people who make “Form 7005” are the ones we hate, remember?
Er, I mean, yes, when handling sensitive data, papertrails are good, actually.
[flagged]
You might disagree, but if you bother to post here you should aim to make an argument. I don’t think a gay slur advances anything.
How does one email a database? With rare exceptions most mail servers have attachment limits of 16MB to 32MB. Just the schema alone could use up a chunk of the attachment limits. Is the title just oddly worded perhaps? Maybe they meant specific query results?
[Edit] Based on replies: specific query results of two people's names and dollar amounts into a spreadsheet. Poorly worded title on El Reg's part. Still a security, privacy and compliance incident.
From case witness testimony https://storage.courtlistener.com/recap/gov.uscourts.nysd.63...
Everyone in this thread should read this filing; it's only a couple of pages.
Previous background on Ryan Wunderly and Marko Elez: https://www.politico.com/news/2025/02/20/treasury-irs-data-w...
"Treasury said Ryan Wunderly will replace Marko Elez on the agency’s DOGE team. Elez examined the federal payments system housed at the Bureau of the Fiscal Service before he resigned from Treasury earlier this month after The Wall Street Journal surfaced racist social media posts."
Isn't the cat already out of the box? If the White House and its dictator are agreeing to it, it could mean they don't need full access anymore.
OK that makes a lot more sense. Thank you.
The actual filing (which is linked from the article) is more specific in its claims:
> The forensic analysis also revealed that Elez sent an email with a spreadsheet containing PII to two United States General Services Administration officials.
https://storage.courtlistener.com/recap/gov.uscourts.nysd.63...
The word "database" never appears in the filing, that's The Register's word choice.
"database" in legal/business speak (AFAIK) is the more general "organized collection of data" - not the more software engineer focused relational/object/graph- implementations of such.
Export into CSV, attach, done. 10MB can contain a million people's PII.
He’s already resigned because he was linked to racist and abhorrent social commentary; the export was considered low-risk; and based on what happened between coequal branches of government this week, the Administration feels they’re accountable to no one.
So; not a paddlin’.
He was reinstated quickly at the order of the vice president. It's been strange getting older and seeing aspects of politics I thought were fairly fundamental quickly change. I remember not too long ago when accusations of racism were considered slanderous attacks by liberals on conservatives, and now they are apparently reveling in racism because it bothers liberals. It's no way to run a government if you ask me, but no one seems interested in my (seemingly) outdated opinions.
> accusations of racism were considered slanderous attacks by liberals on conservatives, and now they are apparently reveling in racism because it bothers liberals
They're quite capable of doing both of these at the same time.
Unless he's resigned again in recent weeks and I've missed it, Elez was brought back within days of his resignation after a short campaign to manufacture consent by JD Vance and Musk.
I bet it was an Excel file and he failed to password-zip it )
It might surprise the good readers of Hacker News, but by reading TFA, and the linked PDF therein, answers may be revealed!
> 12. The forensic analysis also revealed that Elez sent an email with a spreadsheet containing PII to two United States General Services Administration officials. The PII detailed a name (a person or an entity), a transaction type, and an amount of money. The names in the spreadsheet are considered low risk PII because the names are not accompanied by more specific identifiers, such as social security numbers or birth dates. Elez’s distribution of this spreadsheet was contrary to BFS policies, in that it was not sent encrypted, and he did not obtain prior approval of the transmission via a “Form 7005,” describing what will be sent and what safeguards the sender will implement to protect the information.
This is exactly what the court filing says - he emailed Excel spreadsheets with unencrypted data. Presumably from database queries hence why they mention emailing a database. Obviously written by people who are entirely unfamiliar with what a database even is so it makes it sound worse than it is (even though it is still bad, but not quite "send the entire database" bad.)
Clearly a computer genius, he is using Excel....
Yep
The manual way of copying a DB or part of it is export to CSV in my experience.
You can store A LOT in that format in 16MB.