--- alias: - NLRB data breach - Berulis disclosure category: Modern Incident created: 2026-06-18 location: National Labor Relations Board (federal systems) start: 2025 summary: The NLRB data exfiltration was a 2025 incident in which Department of Government Efficiency engineers accessed National Labor Relations Board systems and exfiltrated large volumes of sensitive data on union organizing and labor complaints, followed by multiple blocked login attempts from a Russian IP address, disclosed by NLRB cybersecurity whistleblower Daniel Berulis in April 2025. tags: - Event - NLRB - DOGE - DanielBerulis - Whistleblower - DataExfiltration - Russia - ElonMusk - UnionData updated: 2026-06-18 --- The NLRB data exfiltration was a 2025 incident in which engineers from the Department of Government Efficiency (DOGE) accessed National Labor Relations Board (NLRB) systems and exfiltrated large volumes of sensitive data including union-organizing and labor-complaint records. The exfiltration was followed by multiple blocked login attempts to NLRB systems from an IP address in [Russia](/places/russia/), raising the documented concern that the exfiltrated data had been exposed to foreign adversaries. Daniel Berulis, an NLRB cybersecurity staffer, disclosed the incident in a sworn affidavit in April 2025, represented by Andrew Bakaj of Whistleblower Aid.[^1][^2][^3] ### The DOGE Access and the Data Exfiltration Berulis documented in his sworn affidavit that DOGE engineers accessed NLRB systems using methods his affidavit characterized as secretive and suspicious. The access coincided with unusual large data outflows from NLRB systems. The exfiltrated data included records related to union-organizing campaigns and labor complaints, which is the NLRB's core case-management data and which contains identifying information on workers involved in organizing activity, the employers they filed against, and the status of the cases.[^1][^2][^4] The data outflow was documented in the NLRB's own system logs, which Berulis reviewed as part of his cybersecurity role. The volume and pattern of the outflows were inconsistent with normal NLRB operations, and the DOGE engineers' access methods (which Berulis described as bypassing normal access controls) were inconsistent with the standard federal-system-access protocols. The Krebs on Security reporting (April 2025) provided the technical detail on the outflow pattern and the access methods.[^2] ### The Russian IP Access Attempts Following the DOGE access, NLRB systems logged multiple blocked login attempts from an IP address in Russia. The timing of the Russian attempts (immediately following the DOGE exfiltration) and the targeting of the systems DOGE had accessed produced the documented concern that the exfiltrated data had been transmitted to or made accessible to a Russian endpoint. The Nextgov/FCW reporting (April 2025) documented the Russian IP attempts and their temporal relationship to the DOGE access.[^3][^5] The Russian IP access attempts are the documented datum that connects the [Elon Musk](/people/elon-musk/)-led DOGE to the broader [Buma](/people/jonathan-buma/)-documented pattern of Russian-intelligence interest in U.S. technology and government principals. The Buma disclosures (May 2025) on the GRU targeting of Musk, the documented Musk-Putin contact channel (WSJ October 2024), and the NLRB Russian-IP attempts together constitute the evidentiary set on the question of Russian access to federal data through the DOGE channel.[^6] ### The Berulis Disclosure and the Aftermath Berulis came forward in April 2025 with a sworn affidavit through Whistleblower Aid, represented by chief counsel Andrew Bakaj. NPR, PBS NewsHour, Krebs on Security, and Nextgov/FCW each published detailed reporting on the disclosure in April 2025. VitalLaw characterized the incident as an "alarming data breach" that "might have exposed agency data to foreign adversaries."[^1][^2][^3][^4][^5] After Musk publicly called Berulis a criminal on X, Berulis's brake lines were cut. Berulis is suing Musk for defamation. The physical intimidation of a federal cybersecurity whistleblower who disclosed the Russian-IP-connected exfiltration of union-organizing data is part of the documented aftermath of the disclosure.[^7] [^1]: "Whistleblower details how DOGE may have taken sensitive NLRB data." *NPR,* April 15, 2025. https://www.npr.org/2025/04/15/nx-s1-5355896/doge-nlrb-elon-musk-spacex-security [^2]: "Whistleblower: DOGE Siphoned NLRB Case Data." *Krebs on Security,* April 2025. https://krebsonsecurity.com/2025/04/whistleblower-doge-siphoned-nlrb-case-data/ [^3]: "User with Russian IP address tried to log into NLRB systems following DOGE access, whistleblower says." *Nextgov/FCW,* April 2025. https://www.nextgov.com/cybersecurity/2025/04/user-russian-ip-address-tried-log-nlrb-systems-following-doge-access-whistleblower-says/404574/ [^4]: "DOGE Caused 'Alarming' Data Breach at NLRB, Whistleblower Says." *VitalLaw,* April 2025. https://www.vitallaw.com/news/doge-caused-alarming-data-breach-at-nlrb-whistleblower-says/cspd0179fa3355f64546db87b404df22f7725f [^5]: "DOGE's Unlawful Plundering of Agency Systems." *Whistleblower Aid.* http://whistlebloweraid.org/case-study/doges-unlawful-plundering-of-agency-systems/ [^6]: "FBI whistleblower claims he tried to get to Musk to warn him he was being targeted by Russia." *The Guardian,* May 22, 2025. https://www.theguardian.com/us-news/ng-interactive/2025/may/22/fbi-whistleblower-musk-russia ; "Elon Musk's secret talks with Putin ramped up during his Twitter takeover: WSJ report." *CNBC,* October 25, 2024, on the *Wall Street Journal* report of Musk's regular contact with Putin since late 2022. https://www.cnbc.com/2024/10/25/elon-musk-and-putin-talks-ramped-up-during-twitter-takeover-wsj.html [^7]: "Musk, DOGE, and the Whistleblower's Lawsuit Over Cut Brakes." *FindLaw,* 2026, on Berulis's defamation suit against Musk and the tampered brake lines following Musk's April 2025 X posts. https://www.findlaw.com/legalblogs/courtside/musk-doge-and-the-whistleblowers-lawsuit-over-cut-brakes/