Capitol Hill and Trump Administration sources told the Washington Reporter that the federal government’s identity verification system is a “ticking time bomb” that puts hundreds of millions of Americans’ private data at risk.

Login.gov is the federal program that serves as the identity verification system for accessing most federal benefits. The program is operated by the General Services Administration (GSA) and is relied on by Americans for student loans, veterans’ benefits, and Social Security.

The program is widely used throughout the government but it has been harshly criticized for security failures, particularly in light of the vast amounts of personal data it handles.

Both administration officials and oversight agencies like the Government Accountability Office (GAO) have documented a myriad of security shortcomings with Login.gov. In 2024, President Donald Trump’s former IRS Commissioner Charles Rettig criticized the program for “fail[ing] to meet those federal standards for digital identity and security.” Health and Human Services (HHS) removed Login.gov after hackers stole millions from HHS grantees.

Additionally, the Government Accountability Office’s 2024 report showed that Login.gov fails to take basic precautions to ensure users’ data is not compromised.

Congressional officials are especially concerned about Login.gov’s vulnerabilities in light of the Chinese Communist Party ramping up its hacking attacks on U.S. data systems.

Sen. Josh Hawley (R., Mo.) said that the extent of China’s hacking is “breathtaking,” and targets personal data like “text messages, their voicemail, their phone calls.”

“It’s very bad, it’s very, very bad, and it is ongoing,” Hawley said.

Secretary of State and former Senate Intelligence Committee Ranking Member Marco Rubio said that a 2024 hack from China — the Salt Typhoon campaign — was “the most disturbing and widespread incursion into our telecommunications systems in the history of the world, not just the country, because of how massive our telecommunications systems [are].”

In March 2025, the Department of Justice charged 12 Chinese Contract Hackers for a “global computer intrusion campaign.”

“The Chinese Communist Party is absolutely trying to steal private data, and it's unconscionable to fail to take safeguards,” a Trump administration official told the Reporter. “Especially for something as fundamental as Social Security numbers.”

A senior Senate aide told the Reporter that it is “incredible that, at the same time China has gone into overdrive in cyber warfare against the U.S., the government is using an antiquated, inadequate verification program for literally every senior on Social Security.”

“This is a ticking time bomb,” the senior aide said. “If Login.gov fails, that hack will make every previous data breach look like a Sunday School picnic.”

A second Capitol Hill source told the Reporter that the “Biden administration didn’t take cybersecurity seriously because they were weak on China” as well as “everything else.”

“Expect oversight hearings on Login.gov so members of Congress can try to fix this before all our constituents have their data stolen by the CCP,” the source said.

With an increased focus on preventing hacking from Chinese-based entities, Congress is expected to take action to decrease the chance of another incident like the 2015 Office of Personnel Management (OPM) data breach.