
Lawsuit claims systems behind OPM governmentwide email blast are illegal, insecure

A pair of whistleblowers believe the office skirted the law by not conducting a privacy impact assessment for an alleged “on-prem” server used to send mass emails to federal employees and store information from responses.
A screenshot of the first OPM test email sent to employees across the federal government Jan. 24.

A lawsuit filed in federal court Monday alleges that the Office of Personnel Management set up an on-premises server to conduct last week’s mass email blast to federal employees and to store the information it received in response, without performing the privacy impact assessment (PIA) on the system that the law requires.

Filed by two anonymous federal employees in the U.S. District Court for the District of Columbia, the class-action lawsuit calls for OPM to stop the use of the system until the agency can show that it’s lawfully conducted a privacy assessment.

The two employees accuse OPM officials of deploying the new server — which is said to be “retaining information about every employee of the U.S. Executive Branch” or potentially doing so through systems linked to it — in a “rapid” manner without building proper security measures into it or assessing the privacy impacts as required by the E-Government Act of 2002. 

On Friday, OPM sent a mass email to employees across the federal government — though not every federal employee received it, including one of the plaintiffs in the lawsuit — to test “a new distribution and response list,” asking recipients to reply “yes.” Over the weekend, federal employees received another test “to confirm that an email can be sent and replied to by all government employees.” Some agency and department heads gave guidance to their employees that the emails from OPM could be trusted.


The complaint goes on to say that “OPM has not conducted a PIA for this unknown email server or any system which collects or maintains Personally Identifiable Information (“PII”) obtained from its use,” that no chief information officer or equivalent agency official has signed off on such an assessment, and that any such assessment would have to be made publicly available for review.

“OPM’s failure to take these steps constitutes agency action unlawfully withheld or unreasonably delayed in violation of 5 U.S.C. § 706(1),” the lawsuit states. “Plaintiffs are being materially harmed by this inaction because they are being denied information about how these systems — which will be rich in PII about every employee of the U.S. Executive Branch — are being designed and used.”

As relief, the plaintiffs ask for an injunction halting use of the systems involved until OPM conducts the required privacy assessment.

The unnamed plaintiffs also share concerns about the security of the server or any systems used in the mass email operation, calling into question the encryption of email communications involved. 

The plaintiffs cite the 2015 OPM hack, which affected more than 21 million people, as an example of what can go wrong when a single system without adequate security controls holds so much sensitive information.


“Standard email is not encrypted, and it is common practice among hackers — including hackers affiliated with hostile foreign services — to begin attempting to access a new U.S. Government device as soon as they learn of its deployment,” the lawsuit reads.   

It continued: “Plaintiffs stand to continue to be harmed by this ongoing inaction in the future beyond the informational injury, since they will face a reasonably foreseeable risk that their PII will be unlawfully obtained from these unknown systems, much as the data of millions of federal employees were unlawfully obtained from another OPM server in 2014.”

The whistleblowers cite “an OPM employee for nearly a decade and a Federal Employee for almost 20 years” who posted detailed information to a union chat as the source of their information. That message also alleges that Melvin Brown II, who was replaced as OPM CIO last week after the Trump administration took office, “was pushed aside just one week into his tenure because he refused to set up email lists to send out direct communications to all career civil servants.”

The union chat message, which has also been circulated on Reddit, claims that OPM employees are being instructed to send lists of the email addresses that respond to the message blasts to a woman named Amanda Scales, who has worked for Elon Musk. President Donald Trump previously named the tech billionaire the leader of the new Department of Government Efficiency.

Last week, Trump issued an executive order embedding the DOGE as part of the U.S. Digital Service and renaming the White House digital team the U.S. DOGE Service. As part of that overhaul, Trump also called for the federal agency leaders to “take all necessary steps, in coordination with the USDS Administrator and to the maximum extent consistent with law, to ensure USDS has full and prompt access to all unclassified agency records, software systems, and IT systems.”


OPM last week also created an email account meant to collect reports of suspected diversity, equity, and inclusion initiatives. In a Jan. 21 memo, OPM directed agencies to collect reports of any efforts to disguise such initiatives.
