On January 24, 2025, Treasury Department chief of staff Dan Katz sent an email to a small group of senior officials. The message did not mention fraud detection. It said DOGE operatives needed access to the Bureau of Fiscal Service so they could freeze payments to USAID. That email became one of the most consequential documents in a federal access dispute that has run through three courts, produced a confirmed data breach, and as of April 2026, remains unresolved at the Second Circuit.
David Lebryk had been the Fiscal Assistant Secretary at the Treasury Department for years, the most senior career official directly responsible for Bureau of Fiscal Service operations. Days after Treasury Secretary Scott Bessent was confirmed by the Senate on January 27, 2025, Lebryk was placed on administrative leave. He retired shortly after, ending a 35-year government career.
He had refused to give DOGE operatives access to BFS systems. Bessent overruled him, and the access was granted.
Table of Contents
What Is the Bureau of Fiscal Service?
The Bureau of Fiscal Service is not a name that gets much attention outside government circles. What it manages is a different matter.
BFS handles:
- $200 billion in payments every single day
- 88 percent of all federal government disbursements
- 1.2 billion transactions per year, across more than 250 agencies
Every Social Security check, Medicare reimbursement, federal paycheck, tax refund, and foreign aid transfer moves through the same infrastructure. The data stored inside BFS systems covers virtually every American who has ever sent money to or received money from the federal government, including Social Security numbers, bank account details, home addresses, birth dates, and tax return information.
Why DOGE Actually Wanted Access to Treasury Systems
Elon Musk’s public justification for pushing into Treasury systems was fraud. He posted on X that Treasury payment officers were “instructed always to approve payments, even to known fraudulent or terrorist groups. They literally never denied a payment in their entire career.”
The Katz email, reviewed by The New York Times, told a different story. The push for BFS access, at least in its earliest form, was about stopping a specific set of congressionally-authorized payments to a specific agency: USAID. Katz wrote that Tom Krause and his team needed access so they could “pause U.S.A.I.D.” payments.
That was the original ask that Lebryk refused. After his departure, the access came through.
Who DOGE Sent Inside the Payment System
Two individuals were installed at Treasury as Special Government Employees:
Tom Krause is the CEO of Cloud Software Group, the company that owns Citrix and NetScaler. He retained his private-sector CEO role while leading DOGE operations inside Treasury. His company is backed by Vista Private Equity, whose CEO Robert F. Smith agreed to pay $139 million in 2020 to resolve federal allegations of international tax fraud.
Marko Elez, 25, had previously worked at SpaceX and X, both Musk companies. Court records confirmed that Elez was given full read-write administrative access to BFS systems. Treasury had told Congress his access was read-only.
Reports from Wired and Talking Points Memo at the time said Elez had started rewriting BFS code. A sworn affidavit from career Treasury IT official Joseph Gioeli disputed that, stating no alterations were made to payment data. What the access level would have allowed him to do is not disputed.
The Data Breach That Was Confirmed in Court
Elez’s access was revoked on February 5. He resigned the following day after the Wall Street Journal surfaced old racist social media posts. Musk, Vice President Vance, and President Trump all called for his reinstatement publicly.
A forensic audit of his Treasury laptop and email account, ordered as part of ongoing litigation, found what the broader access dispute had not settled.
BFS Chief Privacy Officer David Ambrose, a 19-year career civil servant, confirmed in a sworn court filing that Elez sent an unencrypted spreadsheet containing personally identifiable information to two General Services Administration officials, without prior authorization and without using the required Form 7005. The spreadsheet included names, transaction types, and payment amounts.
Ambrose described the data as “low-risk PII” because Social Security numbers and birth dates were absent, but confirmed the transmission violated BFS data policy and likely the Privacy Act of 1974. Elez had received a formal cybersecurity and PII briefing days before sending it.
He was subsequently rehired at the Social Security Administration, then given read-only access to four Labor Department databases, and later partial access to HHS systems.
Three Courts, Three Cases, Three Different Outcomes
The legal response came simultaneously from three separate plaintiff groups in three federal jurisdictions:
| Court | Plaintiffs | Ruling | Status |
|---|---|---|---|
| D.C. District | Labor unions and retirees | March 5, 2026: Internal BFS sharing not a “final agency action” under the APA. Summary judgment for Treasury. | Closed, Treasury prevailed |
| SDNY (New York) | 19 state AGs led by NY AG Letitia James | Feb. 21, 2025: Preliminary injunction, process “chaotic and haphazard.” Lifted May 27, 2025. | On appeal at Second Circuit |
| Maryland | AFT, labor unions, veterans | Preliminary injunction (March 2025) vacated by the 4th Circuit (Aug. 12, 2025) | DOGE access cleared |
The arguments differed by case. The 19-state coalition in New York focused on the rushed, undocumented nature of the onboarding process and the unauthorized disclosure of Americans’ private financial data. The union plaintiffs in D.C. argued that Treasury’s data-sharing decision constituted reviewable final agency action under the Administrative Procedure Act. The Maryland plaintiffs challenged access across Treasury, OPM, and the Education Department simultaneously.
“Chaotic and Haphazard”: The February 21 Ruling
Of all the orders in this dispute, Judge Jeannette Vargas’s February 21, 2025 preliminary injunction in the Southern District of New York set the most specific record.
In a 64-page opinion, Vargas found the process of granting DOGE access was “rushed and undertaken under political pressure.” The court noted the official record was “silent as to what vetting or security clearance process they went through prior to their appointment.” She found a “real possibility” that sensitive information had already been shared outside Treasury in potential violation of federal law, citing the Elez-to-GSA spreadsheet.
Vargas ordered Treasury to submit a certification by March 24, 2025, documenting proper vetting, security clearances, and mitigation procedures for every DOGE staffer with BFS access. On May 27, 2025, after Treasury filed that certification, she lifted the block and ruled new DOGE staffers would no longer need individual court approval for access, provided they completed the required training.
How Courts Then Shifted Toward the Government
The second half of 2025 moved differently.
On August 12, a 4th Circuit panel vacated the Maryland preliminary injunction in a 2-1 ruling, finding the district court had “abused its discretion.” The majority applied the Privacy Act’s intra-agency sharing provision, which permits records to be shared with employees who have a demonstrated need for them in performing their duties. That ruling built on a Supreme Court stay issued the previous month in a parallel Social Security Administration case, where the court found the government, not the plaintiffs, would be harmed if DOGE data access was blocked during litigation.
On March 5, 2026, Judge Colleen Kollar-Kotelly ruled in Alliance for Retired Americans v. Bessent that Treasury’s internal data sharing with DOGE staff was not a “final agency action” subject to APA review, and that the plaintiffs could not meet the demanding standard required for ultra vires relief because other legal remedies remained available under the Privacy Act and the Internal Revenue Code.
The Second Circuit has not ruled. Government brief: December 22, 2025. State response brief: March 23, 2026. No oral argument date has been set.
After Musk Left, the Presence Remained
On April 22, 2025, with Tesla’s quarterly profits down 71 percent year-over-year, Musk told investors his time at DOGE would “drop significantly” starting in May. He said the work was “mostly done.” Federal law limits Special Government Employees to 130 days per calendar year. He formally offboarded on May 28, 2025.
By November 2025, OPM Director Scott Kupor told Reuters that DOGE “doesn’t exist” as a centralized entity. DOGE’s own spokesperson told Federal News Network the organization still operates within the U.S. Digital Service, with Amy Gleason as acting administrator, and listed a full slate of active 2026 projects. The formal charter runs to July 4, 2026.
Inside Treasury, the presence had not faded. Sam Corcos, the Treasury Department’s DOGE-linked chief information officer, was administering coding screening tests to IRS employees through HackerRank in late 2025, per reporting by Wired and Fortune. Federal court filings from October 2025 documented approximately 1,446 Treasury Department employee terminations since January 20.
What the Record Shows Fourteen Months Later
The Treasury OIG audit launched in February 2025 has produced no public findings. The GAO’s separate review of DOGE’s digital footprint across Treasury, SSA, and OPM is similarly unreported. Both remain open as of April 2026.
The spending figures are public. Federal monthly outlays averaged $443.1 billion before January 2025. By October 2025, they stood at $442.9 billion, a 0.05 percent change, according to USAFacts. Musk’s projected savings figure moved from $2 trillion before the inauguration to $1 trillion after the election to $150 billion by April 2025.
On the revenue side, Treasury and IRS officials projected a drop of more than 10 percent in federal tax receipts by the April 15, 2025 filing deadline, attributing part of the shortfall to DOGE-driven workforce reductions. That figure represents more than $500 billion in projected lost federal revenue. The Partnership for Public Service estimated DOGE’s actions cost taxpayers more than $135 billion in 2025 alone through productivity losses and paid administrative leave.
The Second Circuit will eventually address whether the way access was granted to one of the most sensitive financial systems in the country was lawful. When it does, the record it will examine includes an internal email about freezing foreign aid, a sworn data breach disclosure, conflicting affidavits about what a 25-year-old engineer actually did inside the system, and a certification that unlocked everything. No argument date has been announced.
Court filings, sworn affidavits, and official records cited in this article were reported by The New York Times, the Associated Press, NPR, FedScoop, Fortune, Bloomberg, and the ABA Banking Journal.
