The agency's statement says that PII is secure but that the complaint included internal emails and documents with info about the agency's systems and employees. That's not contradictory.

I suspect the whistleblower is correct, but I don't think it's proven to the point where we can confidently state that "it happened." SSA isn't trying to dispute the method, they're trying to dispute the fundamental claim.