Article Details

Scrape Timestamp (UTC): 2025-01-29 02:43:49.211

Source: https://www.theregister.com/2025/01/29/opm_email_lawsuit/

Original Article Text


The curious story of Uncle Sam's HR dept, a hastily set up email server, and fears of another cyber disaster

Lawsuit challenges effort to create federal-wide centralized inbox expected to be used for mass firings

Two anonymous US government employees have sued Uncle Sam's HR department – the Office of Personnel Management – claiming the Trump administration's rapid rollout of a new federal email system broke the law.

The pair's complaint [PDF], filed Monday in a Washington DC district court, claims an effort to establish a single email address through which the OPM can communicate directly with all civilian federal employees – presumably to facilitate firing them – violated the E-Government Act of 2002.

Usually, but not always, the OPM works with agencies and departments to set overall employment policies and guidance, and leaves those bodies to manage their staff, rather than messaging federal workers individually and directly.

And, yes, this is the same OPM that had 22.1 million records on government employees and others stolen from it in 2014, likely by China, in a cyberattack.

At the heart of this latest matter, it's alleged a lone on-premises server was hastily set up on the OPM's network to handle that central email inbox, and that the privacy impact assessment required by law (Section 208 of the E-Government Act) wasn't completed and published beforehand to ensure any staff data on that machine is protected – and that such an oversight was "intentional and willful." Given that staggering intrusion about a decade ago, such an assessment would not be a bad idea.

Starting on January 23, 2025, according to the complaint, various federal agencies began notifying their employees via email that "the Office of Personnel Management (OPM) is testing a new capability allowing it to send important communications to ALL Federal employees from a single email address, HR@opm.gov."

"If you ever receive communications from this address, it can be considered trusted," the messages added.

Then, according to the lawsuit, came the emails from HR@opm.gov. The first, it's alleged, read: "This is a test of a new distribution and response list. Please reply 'YES' to this message."

We're told staff were instructed to reply, which would give that HR@ inbox a massive list of all federal workers complying with the directive. A second email from HR@ followed on January 26, the lawsuit states, reading:

This is the second test of a new email distribution and response list. The goal of these tests is to confirm that an email can be sent and replied to by all government employees. Please reply "Yes" to this email, regardless of whether you replied to the first test email. If you responded "Yes" to the first email: thank you.

Then, with no irony, it added, we're told: "As a reminder, always check the From address to confirm that an email is from a legitimate government account and be careful about clicking on links, even when the email originates from the government."

Well, a malicious email would say that, wouldn't it. The From address is also the easiest part of a message to forge; what actually ties an email to opm.gov is the receiving mail system's SPF, DKIM and DMARC checks, which the advice doesn't mention.

The OPM said in a statement last week that it's testing this capability and aims to have it up and running as soon as this week.

The complaint goes on to cite an unattributed Reddit post from a purported OPM employee that claims Melvin Brown, CIO of the agency, was axed one week into the job because he refused to set up an email system capable of reaching all government employees at once, since, as mentioned above, managing workers is traditionally left to individual departments. With him out of the way, we're told, a single mail server was installed to run the centralized sitting-duck HR@opm.gov address.

"An on-prem (on-site) email server was set up," the cited post says. "Someone literally walked into our building and plugged in an email server to our network to make it appear that emails were coming from OPM. It's been the one sending those various 'test' messages you've all seen.

"We think they're building a massive list of all federal employees to generate massive RIF [reduction in force aka layoffs] notices down the road."

The White House on January 20, 2025, issued an executive order to overhaul the federal hiring process.

The Reddit post further contends that Trump loyalists have sent out messages under the name of OPM acting director Charles Ezell to gather information on government employees deemed a threat to their agenda. The dissent-finding missives are said to come with instructions to send replies to Amanda Scales, a former employee of billionaire Elon Musk's xAI who has been appointed chief of staff at OPM. Musk oversees the recently formed United States DOGE Service (the renamed US Digital Service, USDS), which has been directed to make staff-cutting recommendations within 90 days.

The lawyer acting for the plaintiffs, Kel McClanahan, told CNN, "Plugging in a new email server for the sole purpose of sending messages directly to every federal employee is an invitation to be hacked, and every employee out there needs to know how much of their data is at risk."

Or as the complaint put it: "Plaintiffs are being materially harmed by this inaction because they are being denied information about how these systems – which will be rich in PII [personally identifiable information] about every employee of the US Executive Branch – are being designed and used.

"Plaintiffs stand to continue to be harmed by this ongoing inaction in the future beyond the informational injury, since they will face a reasonably foreseeable risk that their PII will be unlawfully obtained from these unknown systems."

The anonymous employees, who fear their data will be stolen in another attack on the email system, want Uncle Sam to perform and publish the required privacy assessments.
A spokesperson for the OPM declined to comment on the record.
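The test emails told recipients to "check the From address" and, once HR@opm.gov was announced, to consider mail from it trusted. The From: header is free text that any sender can set; what a receiving mail system can actually verify is SPF and DKIM, and only when the authenticated domain is aligned with the From: domain (the DMARC rule). The Python below is an added example, not code from the article, OPM or the plaintiffs: it reads the Authentication-Results header a gateway stamps on delivery and decides whether the visible From: is backed by an aligned pass, over three constructed messages (a genuine one, a spoofed From: with the reply diverted elsewhere, and a validly signed but unaligned one). The gateway name mx.example.gov, the attacker.example domain, the message bodies and the helper names are assumptions.

```python
"""Decide whether a message's visible From: address is actually authenticated.

Added example, not code from the article, OPM or the plaintiffs. Messages,
domains and the receiving gateway name are constructed for illustration.
"""
import email
from email.utils import parseaddr

# Three constructed messages, each carrying the Authentication-Results header
# a receiving gateway (hypothetical "mx.example.gov") would add on delivery.
GENUINE = """\
Authentication-Results: mx.example.gov;
 dkim=pass header.d=opm.gov; spf=pass smtp.mailfrom=opm.gov
From: OPM HR <HR@opm.gov>
Subject: This is a test of a new distribution and response list

Please reply YES to this message.
"""

SPOOFED_FROM = """\
Authentication-Results: mx.example.gov;
 dkim=none; spf=fail smtp.mailfrom=bulk.attacker.example
From: OPM HR <HR@opm.gov>
Reply-To: hr-replies@attacker.example
Subject: This is the second test of a new email distribution and response list

Please reply Yes to this email.
"""

# Valid DKIM signature and SPF pass, but for the attacker's own domain:
# a "pass" that is not aligned with the From: domain, which DMARC rejects.
UNALIGNED = """\
Authentication-Results: mx.example.gov;
 dkim=pass header.d=attacker.example; spf=pass smtp.mailfrom=attacker.example
From: OPM HR <HR@opm.gov>
Subject: Reminder: reply YES

Please reply YES.
"""


def org_domain(domain: str) -> str:
    """Simplified organizational domain: the last two labels.
    Real DMARC (RFC 7489) consults the Public Suffix List; this is enough
    for the constructed examples here."""
    labels = domain.lower().rstrip(".").split(".")
    return ".".join(labels[-2:]) if len(labels) >= 2 else domain.lower()


def parse_auth_results(header: str) -> dict:
    """Parse an RFC 8601 Authentication-Results value into
    {method: (result, {property: value})}. The leading authserv-id is
    skipped; parenthesised comments are not handled."""
    results = {}
    for clause in header.split(";")[1:]:
        tokens = clause.split()          # also swallows header folding
        if not tokens:
            continue
        method, _, result = tokens[0].partition("=")
        props = {}
        for tok in tokens[1:]:
            key, _, value = tok.partition("=")
            props[key] = value
        results[method] = (result.lower(), props)
    return results


def from_is_authenticated(raw: str) -> bool:
    """True only if DKIM or SPF passed for a domain aligned with the From:
    domain. Trusts the Authentication-Results header as written, so in
    production strip any copy not added by your own gateway (RFC 8601 s.5)
    before calling this, or an attacker simply supplies their own."""
    msg = email.message_from_string(raw)
    _, addr = parseaddr(msg.get("From", ""))
    from_domain = addr.rpartition("@")[2]
    ar = msg.get("Authentication-Results")
    if not from_domain or not ar:
        return False
    results = parse_auth_results(ar)
    dkim_result, dkim_props = results.get("dkim", ("none", {}))
    spf_result, spf_props = results.get("spf", ("none", {}))
    target = org_domain(from_domain)
    dkim_ok = dkim_result == "pass" and org_domain(dkim_props.get("header.d", "")) == target
    spf_ok = spf_result == "pass" and org_domain(spf_props.get("smtp.mailfrom", "")) == target
    return dkim_ok or spf_ok


def reply_leaves_from_domain(raw: str) -> bool:
    """True when a Reply-To: would send the requested 'YES' to a different
    organization than the one shown in From:."""
    msg = email.message_from_string(raw)
    _, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", "") or msg.get("From", ""))
    return org_domain(from_addr.rpartition("@")[2]) != org_domain(reply_addr.rpartition("@")[2])


if __name__ == "__main__":
    for name, raw in (("genuine", GENUINE), ("spoofed", SPOOFED_FROM), ("unaligned", UNALIGNED)):
        print(f"{name:9s} authenticated={from_is_authenticated(raw)} "
              f"reply_diverted={reply_leaves_from_domain(raw)}")
```

All three messages show the same From: line, and only the first passes. The unaligned case is the one that catches people: the signature really does verify, just not for opm.gov. The second check matters for the "reply YES" pattern specifically, since a forged message can keep HR@opm.gov in From: while routing every reply, and thus the resulting list of responders, to the attacker via Reply-To:.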

Daily Brief Summary

DATA BREACH // Lawsuit Claims New Email System Risks Massive Federal Data Breach

Two U.S. government employees have filed a lawsuit against the Office of Personnel Management (OPM), alleging that the introduction of a new centralized email system violates the E-Government Act of 2002.

The lawsuit expresses concern over the lack of a privacy impact assessment for the new system, which is required by law to ensure the protection of employee data.

The new email system, set up on an on-premises server, is intended to allow OPM to directly communicate with all civilian federal employees, potentially to issue mass firing notices.

The article recalls OPM's 2014 breach, in which 22.1 million records on government employees and others were stolen, which sharpens the concern about the safety of the new system.

The implementation involves sending test emails to federal employees to confirm the system's capability to reach all employees, raising concerns about compiling a comprehensive list of government employee contacts.

The complaint also mentions internal resistance, including the alleged firing of a CIO who opposed the system’s setup, suggesting possible political motivations behind the email system’s rapid deployment.

Legal representatives for the plaintiffs emphasize the risk of hacking and data theft due to the centralized nature of the new email system, urging the need for transparency and compliance with required data protection measures.