Former USAID employees are still stuck with their work devices

President Donald Trump and Elon Musk’s slash-and-burn approach to the US government has thrown federal agencies into disarray, as thousands of civil servants have been dismissed from their jobs without rhyme or reason. But in the chaos of the cuts carried out by Musk’s pseudo-agency, the Department of Government Efficiency, some federal workers say the Trump administration is failing to do even basic offboarding to safeguard sensitive information on their work devices.

The result is a situation that experts warn is leaving civil servants, the people they worked with, and US government security at risk. In direct contradiction of federal guidelines, former employees have been forced to assume responsibility for preventing data leaks that could put local partners or the employees themselves in harm’s way, left with devices that have been all but abandoned by their higher-ups.

One of the agencies is the US Agency for International Development (USAID), which has seen 83 percent of its programs cut by the Trump administration. USAID employees abruptly dismissed by the Trump administration while working outside of the US are still stuck with government-issued computers and phones with no way to safely return them yet, The Verge has learned, and those devices can give them access to work accounts including email.

USAID has led humanitarian missions around the world since it was created in 1961, providing HIV treatment and responding to natural disasters, for example. Around two-thirds of USAID’s 10,000 employees are posted overseas, and recently terminated workers were told they’d get shipping labels to return equipment. An offboarding checklist, seen by The Verge, tells employees to “send back all government controlled items,” including computers and phones, and asks them to provide a physical address to receive a mailing slip. But some have been waiting more than a week since their last day at work to receive the slip. Others have been waiting since January, when the cuts began.

That delay makes each individual responsible for keeping devices secure to protect sensitive information. On top of that, some employees still have their diplomatic passports, which grant certain privileges and are supposed to be collected and canceled or destroyed when an employee’s assignment ends.

“If I lose my phone, it’s an issue. If I lose my diplomatic passport, it’s an issue. I’m ready to give these things back,” says a former USAID worker whom The Verge granted anonymity because of the risk of reprisal.

That person still has their work laptop, phone, diplomatic passport, and a personal identification verification (PIV) card that allows employees to log into USAID computers. They say that many of their former colleagues are in the same situation. The concern is that the devices could give people access to personnel records and information about contacts they work with in the country in which they were deployed. They might also expose bank details used to facilitate payments to partner organizations.

Even though this information isn’t classified, it could still create problems if it falls into the wrong hands. Locals could be targeted by their own governments for having worked with USAID, for instance. They also have to worry about scammers taking advantage of the chaos roiling US federal agencies. In the confusion over which programs have ended or survived DOGE cuts, partner organizations are reportedly wary of phishing emails falsely claiming that a canceled program will resume and requesting bank account details to begin payments.

“Unfortunately, these folks have been put [in an] unprecedented situation where they may or may not have access to the security support of the government, but yet they’re still responsible for maintaining the security of these devices wherever they’re going. So it’s really like a catch-22,” says Megan Stifel, chief strategy officer at the Institute for Security and Technology and executive director of the Ransomware Task Force.

For USAID employees on administrative leave, access to government systems is inconsistent, making compliance with any incoming agency instructions difficult, says Randy Chester, vice president for USAID at the American Foreign Service Association (AFSA), a union that represents American diplomats. Some people still are able to access email and parts of the intranet while others are locked out.

“The agency doesn’t even know how to turn off access to the systems for everyone that is on administrative leave,” Chester tells The Verge. “[USAID deputy administrator-designate] Pete Marocco and the supposed tech gurus from DOGE — they have no idea the breadth of who has access to systems or how to shut off everyone from the systems.”

Chester says he checks his government email twice a day so he can relay information to AFSA members who are being left in the dark by USAID under DOGE. The DOGE staff and Trump administration sometimes fail to send notices to employees’ personal emails, meaning that they don’t get updates because they can’t access their work accounts. Some staff on administrative leave, who are locked out of internal systems, worry they won’t even be able to retrieve their digital personnel files, especially after a top official ordered remaining staff to shred and burn physical USAID documents, including personnel files.

Conversely, terminated employees having work email access creates a more acute problem for the Trump administration since it keeps the door open for leaks, says a former government official whom The Verge also granted anonymity. And for any government employer, failing to cut off email access could allow people to send misleading emails falsely representing the government, says Ciaran Martin, a professor at the Blavatnik School of Government at the University of Oxford.

PIV cards issued to federal agency employees not only allow a person to log into their own personal device, they’re also typically used to enter government buildings and log into wifi or wired networks and enterprise accounts.

On Tuesday, a federal Judge ordered DOGE to reinstate access to email, payment, and security notification systems for current USAID workers. The judge found that DOGE was likely in violation of the constitution in its attempts to shut down the agency. The ruling also bars DOGE from moving forward with any other unilateral actions against USAID, including layoffs.

Security experts The Verge interviewed said that the Trump administration should have the ability to revoke access remotely. It did so already in February when it temporarily locked USAID workers out of their email accounts and IT systems. The former government official The Verge talked to also believes they should have the ability to wipe devices clean remotely. Doing so mitigates the risks associated with any employee losing their device or having it stolen. It just appears that the Trump administration has yet to take these steps.

In the meantime, the experts advise former employees against using their work devices even for personal use. Work-issued devices in general could let your employer see when you’ve logged into work or personal accounts, what files you’ve accessed, and what emails you’ve checked.

“I would not be having sensitive conversations around any of that equipment … I would put it in a microwave, the oven, get a faraday bag,” Stifel says, just in case their former employer has the capability to listen in by remotely accessing microphones on those devices.

Martin, on the other hand, says this is theoretically possible but practically unlikely, since the agency would need to have planned sophisticated intrusion operations in advance.

The State Department, which absorbed the remnants of USAID and now administers its remaining contracts, didn’t immediately answer questions from The Verge about why there are delays now in collecting workers’ equipment and revoking network access. However, The Verge learned that some former workers lost access to accounts after The Verge reached out to the State Department for comment.

DOGE says its mandate is to uncover “waste, fraud, and abuse” in federal agencies, but USAID workers say the chaos is actually wasting resources. Returned equipment is typically reallocated to future staff and partner organizations or sent to a secure disposal facility, following requirements outlined in the Code of Federal Regulations. When an agency determines that it no longer needs certain equipment, it might work with the General Services Administration (GSA) to wipe computers and transfer them to other federal agencies. If no federal agencies take equipment, it can be donated to state and local entities. Equipment is also sometimes sent for public auction. E-waste has to be carefully managed because it often contains hazardous materials like lead or mercury that might leach out of landfills. It’s illegal in many states and in Washington D.C. to toss certain electronic devices in the trash.

Chester says all of the roughly 10,000 USAID workers have a Dell laptop, 60 to 70 percent have an iPad, and about 50 percent have an iPhone issued by the government, amounting to millions of dollars in tech that’s being “flush[ed] down the toilet” while it’s unrecovered — not including equipment at partner organizations.

“They’re not able to sell that to other organizations or private individuals, they have to return it to the US government under a disposition plan,” Chester says. “Without a disposition plan, what is Chemonics or Save the Children supposed to do with the 150 computers they have in Malawi?”

The Office of the Inspector General at USAID might be waking up to the problem. “Assets still in-country without active U.S. control are at risk of looting, terrorism, or being seized by other parties, making it crucial to address their status and management promptly,” says a memorandum it issued on March 11th. It said it would initiate audits at overseas offices to “determine the status of USAID-funded physical assets” including equipment, vehicles, and warehoused inventory.

Soon after, USAID sent an email, which was obtained by The Verge, that tells staff to instruct partner organizations to submit inventory and disposal plans for program assets within 10 calendar days. It lists “IT and communications equipment containing sensitive data” as a critical security risk alongside armored vehicles. It says contracting and agreement officers should collaborate with Regional Security Officers and Diplomatic Technology offices to expedite and approve disposal plans for higher-risk items. Yet even after the email, some former employees haven’t received their shipping labels.

People working for USAID in the US have been able to return their equipment in person — but one former staffer told The Verge that even that process raised concerns. A worker whose program was recently cut describes a haphazard process of returning their laptop and gathering their personal belongings in late February. When they returned to the office to deposit their laptop, phone, and related equipment, they were surprised to see a person they didn’t recognize at a folding table, collecting laptops and placing them in giant rolling garbage bins. Some were stacked and some were strewn about, they say. Another former USAID worker recounts turning in their equipment and being told by a worker in the Ronald Reagan building that everything was being “destroyed.”

“They normally are pretty good about keeping track of equipment,” one of the former workers says. But this time, things felt off. “It felt like things could easily slip through the cracks.”