National Labor Relations Board

Positions

Position Person Notes
GSA? NLRB
4/16
Nate Cavanaugh likely detailed [Spotted by media] Bloomberg
GSA? NLRB
4/16
Justin Fox likely detailed Bloomberg

Events

Date Event
1/27
President Trump illegally fires NLRB Chair Gwynne Wilcox and NLRB General Counsel Jennifer Abruzzo. This leaves the agency without quorum to act.
February 2025
2/20
Employees at the NLRB are alarmed to see that DOGE is claiming it has cancelled the lease for their office in Buffalo, NY
c.2/24
Staffers at the NLRB are told that DOGE will be arriving at the agency the following week and that they have questions about the agency's network architecture [The testimony only mentions that this communication happened sometime during that week]
2/28
After a journalist posts info that Jordan Wick's GitHub profile is public, a staffer at the NLRB notices a project named NxGenBdoorExtract, which seemed to indicate a tool for exfiltrating data via a hidden back door from an NLRB system named NxGen.
March 2025
3/03
A black SUV and police escort bring DOGE staff to the NLRB. They weren't introduced and didn't interact with IT staff directly.
3/03
The NLRB Assistant CIO conveys instructions that there are to be no logs or records made of account creation for DOGE staff and they are to be given "tenant"-level accounts with read/write/admin for all systems. These exceed existing permissions that would normally be used by auditors.
3/04
NLRB network staff notice an anomalous container on their network, along with storage tokens that had been expired to deter analysis of what resources were accessed
3/05
NLRB network staff discover that a network watcher within their cloud environment was in the off state and not logging the creation of new network nodes
3/05
NLRB network staff see a large spike in outgoing network traffic from their network with no corresponding incoming traffic (as might be the case for web traffic). They also see a surge in DNS requests, which might be used to hide tunnels for stealing data.
3/06
NLRB network staff discover a recently created and deleted account with a DOGE-specific name DogeSA_2d5c3e0446f9@nlrb.microsoft.com that has seemingly been configured to support automated scripts accessing NLRB's cloud
3/06
After various users reported login problems to the service desk, networking staff at NLRB discover that certain conditional access policies had been updated. This was confirmed to not be any scheduled work.
3/07
Networking staff at NLRB discover that 3 GitHub libraries were downloaded in the prior 30 days that could be used for scraping high volumes of data and obscuring the source requests.
3/07
Networking staff at NLRB determine that 10GB of data was exfiltrated from the NxGen case management system and then from NLRB. It's possible this is the compressed size and represents many more records.
3/11
There is a further increase in utilization of the NxGen system and multiple attempts to connect to the system from an IP address in Russia using an account that was created only 15 minutes earlier by DOGE engineers at the agency.
3/13
NLRB networking staff detect another transfer of data to an external endpoint
3/19
NLRB networking staff observe a spike in billing records related to nonexistent systems, likely indicating resources that were short-lived or deleted to cover up tracks
c.3/24
NLRB networking staff make a formal report of the suspicious activity to US-CERT at CISA [Source mentions it was on or about this date]
April 2025
4/04
CISA informs NLRB networking staff that they should drop any investigation and not move forward on any reporting
4/14
On the day that NPR published its story with the NLRB whistleblower claims, the Deputy CIO of the agency, Eric Mark, suspends administrative access for all employees, locking the IT staff out of their ability to do their jobs
4/16
Justin Fox and Nate Cavanaugh are reportedly detailed from the GSA to work at the NLRB for the next few months.
May 2025
5/15
The NLRB confirms that its Inspector General is looking into the allegations of improper network access and data theft by DOGE