The curious story of Uncle Sam's HR dept, a hastily set up email server, and fears of another cyber disaster

Lawsuit challenges effort to create federal-wide centralized inbox expected to be used for mass firings

Two anonymous US government employees have sued Uncle Sam's HR department – the Office of Personnel Management – claiming the Trump administration's rapid rollout of a new federal email system broke the law.

The pair's complaint [PDF], filed Monday in a Washington DC district court, claims an effort to establish a single email address through which the OPM can communicate directly with all civilian federal employees – some presume to facilitate firing them – violated the E-Government Act of 2002.

Usually, but not always, the OPM works with agencies and departments to set overall employment policies and guidance, and leaves those bodies to manage their staff, rather than messaging federal workers individually and directly. And, yes, this is the same OPM that had 20-odd million records on government employees and others stolen from it in 2014, likely by China, in a cyberattack.

At the heart of this latest matter, it's alleged a lone on-premises server was hastily set up on the OPM's network to handle that central email inbox, and that a privacy impact assessment as required by law wasn't completed and published beforehand to ensure any staff data on that machine is protected – and that such an oversight was "intentional and willful." Given that staggering intrusion about a decade ago, such an assessment might not be a bad idea.

Starting on January 23, 2025, according to the complaint, various federal agencies began notifying their employees via email that "the Office of Personnel Management (OPM) is testing a new capability allowing it to send important communications to ALL Federal employees from a single email address, HR@opm.gov."

"If you ever receive communications from this address, it can be considered trusted," the messages added.

Then, according to the lawsuit, came the emails from HR@opm.gov. The first, it's alleged, read: "This is a test of a new distribution and response list. Please reply ‘YES’ to this message." We're told staff were instructed to reply, which would give that HR@ inbox a handy list of all federal workers complying with the directive.

A second email from HR@ followed on January 26, the lawsuit states, reading:

This is the second test of a new email distribution and response list. The goal of these tests is to confirm that an email can be sent and replied to by all government employees.

Please reply “Yes” to this email, regardless of whether you replied to the first test email. If you responded “Yes” to the first email: thank you.

It added, we're told: "As a reminder, always check the From address to confirm that an email is from a legitimate government account and be careful about clicking on links, even when the email originates from the government."

The OPM said in a statement last week that it's testing this capability and aims to have it up and running as soon as this week.

The complaint goes on to cite an unattributed Reddit post from a purported OPM employee that claims Melvin Brown, CIO of the agency, was axed one week into the job because he refused to set up an email system capable of reaching all government employees at once, since as mentioned above managing workers is traditionally left to individual departments. With him out of the way, we're told, a single mail server was installed to run the centralized sitting duck HR@opm.gov address.

"An on-prem (on-site) email server was set up," the cited post says. "Someone literally walked into our building and plugged in an email server to our network to make it appear that emails were coming from OPM. It’s been the one sending those various 'test' messages you've all seen.

"We think they're building a massive list of all federal employees to generate massive RIF [reduction in force aka layoffs] notices down the road."

The White House on January 20, 2025, issued an executive order to overhaul the federal hiring process.

The Reddit post further contends that Trump loyalists have sent out messages under the name of OPM acting director Charles Ezell to gather information on government employees deemed a threat to their agenda. The dissent-finding missives are said to come with instructions to send replies to Amanda Scales, a former employee of billionaire Elon Musk's xAI who has been appointed chief of staff at the OPM. It's said that folks from the Tesla tycoon's businesses – xAI, the Boring Company, and Neuralink – plus Trump-backing Peter Thiel's Palantir are now among those at the top of the OPM pulling the strings.

Musk oversees the recently formed US Department of Government Efficiency Service (formerly USDS), which has been directed to make staff-cutting recommendations within 90 days. The White House has also reportedly offered buyouts to nearly every federal worker.

A lawyer acting for the plaintiffs, Kel McClanahan, told CNN, "Plugging in a new email server for the sole purpose of sending messages directly to every federal employee is an invitation to be hacked, and every employee out there needs to know how much of their data is at risk."

Or as the complaint put it: "Plaintiffs are being materially harmed by this inaction because they are being denied information about how these systems – which will be rich in PII [personally identifiable information] about every employee of the US Executive Branch – are being designed and used."

The anonymous employees, who fear their data may be stolen from the email system, want Uncle Sam to perform and publish the required privacy assessments.

"Plaintiffs stand to continue to be harmed by this ongoing inaction in the future beyond the informational injury, since they will face a reasonably foreseeable risk that their PII will be unlawfully obtained from these unknown systems," their complaint reads.

A spokesperson for the OPM declined to comment on the record. ®