Two anonymous US government employees have sued Uncle Sam’s HR department – the Office of Personnel Management – claiming the Trump administration’s rapid rollout of a new federal email system broke the law.

The pair’s complaint [PDF], filed Monday in a Washington DC district court, claims an effort to establish a single email address through which the OPM can communicate directly with all civilian federal employees – some presume to facilitate firing them – violated the E-Government Act of 2002.

Usually, but not always, the OPM works with agencies and departments to set overall employment policies and guidance, and leaves those bodies to manage their staff, rather than messaging federal workers individually and directly. And, yes, this is the same OPM that had 20-odd million records on government employees and others stolen from it in 2014, likely by China, in a cyberattack.

At the heart of this latest matter, it’s alleged a lone on-premises server was hastily set up on the OPM’s network to handle that central email inbox, and that a privacy impact assessment as required by law wasn’t completed and published beforehand to ensure any staff data on that machine is protected – and that such an oversight was “intentional and willful.” Given that staggering intrusion about a decade ago, such an assessment might not be a bad idea.

Starting on January 23, 2025, according to the complaint, various federal agencies began notifying their employees via email that “the Office of Personnel Management (OPM) is testing a new capability allowing it to send important communications to ALL Federal employees from a single email address, HR@opm.gov.”

“If you ever receive communications from this address, it can be considered trusted,” the messages added.

Then, according to the lawsuit, came the emails from HR@opm.gov. The first, it’s alleged, read: “This is a test of a new distribution and response list. Please reply ‘YES’ to this message.” We’re told staff were instructed to reply, which would give that HR@ inbox a handy list of all federal workers complying with the directive.

A second email from HR@ followed on January 26, the lawsuit states, reading:

It added, we’re told: “As a reminder, always check the From address to confirm that an email is from a legitimate government account and be careful about clicking on links, even when the email originates from the government.”

The OPM said in a statement last week that it’s testing this capability and aims to have it up and running as soon as this week.

The complaint goes on to cite an unattributed Reddit post from a purported OPM employee that claims Melvin Brown, CIO of the agency, was axed one week into the job because he refused to set up an email system capable of reaching all government employees at once, since, as mentioned above, managing workers is traditionally left to individual departments. With him out of the way, we’re told, a single mail server was installed to run the centralized sitting duck HR@opm.gov address.

“An on-prem (on-site) email server was set up,” the cited post says. “Someone literally walked into our building and plugged in an email server to our network to make it appear that emails were coming from OPM. It’s been the one sending those various ‘test’ messages you’ve all seen.

“We think they’re building a massive list of all federal employees to generate massive RIF [reduction in force aka layoffs] notices down the road.”

The White House on January 20, 2025, issued an executive order to overhaul the federal hiring process.

Plugging in a new email server for the sole purpose of sendi
