
Berulis: “We were directed not to… create an official report”
On March 10, Berulis found that controls in Microsoft Purview to prevent insecure or unauthorized access from mobile devices had been disabled, he wrote. “In addition, outside of expected baselines and with no corresponding approvals or records I could find I noted the following: an interface exposed to the public Internet, a few internal alerting and monitoring systems in the off state, and multi-factor authentication changed,” he wrote.
The team observed more odd activity in the ensuing weeks, Berulis wrote. Data was sent to “an unknown external endpoint,” but the network team was unable to obtain connection logs or determine what data was removed, he wrote. There were also “spikes in billing in Mission Systems related to storage input/output” associated with projects that could no longer be found in the NLRB system, indicating that “resources may have been deleted or short-lived,” he wrote.
During the week of March 24, an assistant CIO for security at the NLRB “concluded that following a review of data, we should report it” to US-CERT, the US Computer Emergency Readiness Team at the Cybersecurity and Infrastructure Security Agency (CISA), according to Berulis.
“Accordingly, we launched a formal review and I provided all evidence of what we deemed to be a serious, ongoing security breach or potentially illegal removal of personally identifiable information,” he wrote.
But on April 3 or 4, the assistant CIO “and I were informed that instructions had come down to drop the US-CERT reporting and investigation and we were directed not to move forward or create an official report,” Berulis wrote.
https://arstechnica.com/tech-policy/2025/04/government-it-whistleblower-calls-out-doge-says-he-was-threatened-at-home/


