{"id":7102,"date":"2025-01-28T13:42:41","date_gmt":"2025-01-28T19:42:41","guid":{"rendered":"https:\/\/cyberscoop.com\/?p=83302"},"modified":"2025-01-28T13:42:41","modified_gmt":"2025-01-28T19:42:41","slug":"lawsuit-claims-systems-behind-opm-governmentwide-email-blast-are-illegal-insecure","status":"publish","type":"post","link":"https:\/\/ddi.mohflo.net\/index.php\/2025\/01\/28\/lawsuit-claims-systems-behind-opm-governmentwide-email-blast-are-illegal-insecure\/","title":{"rendered":"Lawsuit claims systems behind OPM governmentwide email blast are illegal, insecure"},"content":{"rendered":"<p><head> <meta charset=\"UTF-8\"> <meta name=\"viewport\" content=\"width=device-width, initial-scale=1\"> <meta name=\"robots\" content=\"index, follow, max-image-preview:large, max-snippet:-1, max-video-preview:-1\"> <!-- This site is optimized with the Yoast SEO Premium plugin v21.7 (Yoast SEO v21.7) - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ --> <title>Lawsuit claims systems behind OPM governmentwide email blast are illegal, insecure | FedScoop<\/title> <meta name=\"description\" content=\"A lawsuit filed in federal court Monday alleges that the Office of Personnel Management set up an on-premise server to conduct last week\u2019s mass email blast to federal employees and store information it received in response without doing a privacy impact assessment on the system as required by law.\"> <link rel=\"canonical\" href=\"https:\/\/fedscoop.com\/opm-email-federal-workforce-lawsuit-server-privacy-security\/\"> <meta property=\"og:locale\" content=\"en_US\"> <meta property=\"og:type\" content=\"article\"> <meta property=\"og:title\" content=\"Lawsuit claims systems behind OPM governmentwide email blast are illegal, insecure\"> <meta property=\"og:description\" content=\"A pair of whistleblowers believe the office skirted the law by not conducting a privacy impact assessment for an alleged \u201con-prem\u201d server used to send mass emails to federal employees and store 
information from responses.\"> <meta property=\"og:url\" content=\"https:\/\/fedscoop.com\/opm-email-federal-workforce-lawsuit-server-privacy-security\/\"> <meta property=\"og:site_name\" content=\"FedScoop\"> <meta property=\"article:published_time\" content=\"2025-01-28T16:57:44+00:00\"> <meta property=\"article:modified_time\" content=\"2025-01-28T17:16:20+00:00\"> <meta property=\"og:image\" content=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/lawsuit-claims-systems-behind-opm-governmentwide-email-blast-are-illegal-insecure-2.jpg\"> <meta property=\"og:image:width\" content=\"488\"> <meta property=\"og:image:height\" content=\"310\"> <meta property=\"og:image:type\" content=\"image\/jpeg\"> <meta name=\"author\" content=\"Billy Mitchell\"> <meta name=\"twitter:card\" content=\"summary_large_image\"> <!-- \/ Yoast SEO Premium plugin. --> <link rel=\"dns-prefetch\" href=\"\/\/securepubads.g.doubleclick.net\">\n<link rel=\"dns-prefetch\" href=\"\/\/use.typekit.net\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"FedScoop \u00bb Feed\" href=\"https:\/\/fedscoop.com\/feed\/\">\n<link rel=\"alternate\" type=\"application\/rss+xml\" title=\"FedScoop \u00bb Comments Feed\" href=\"https:\/\/fedscoop.com\/comments\/feed\/\"> <link rel=\"stylesheet\" id=\"all-css-2\" href=\"https:\/\/fedscoop.com\/wp-includes\/css\/dist\/block-library\/style.min.css?m=1732206022g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-6\" href=\"https:\/\/fedscoop.com\/wp-content\/mu-plugins\/search\/elasticpress\/dist\/css\/related-posts-block-styles.min.css?m=1736472017g\" type=\"text\/css\" media=\"all\"> <link rel=\"stylesheet\" id=\"all-css-8\" href=\"https:\/\/fedscoop.com\/wp-content\/themes\/scoopnewsgroup\/dist\/css\/frontend.css?m=1737070850g\" type=\"text\/css\" media=\"all\">\n<link rel=\"stylesheet\" id=\"typekit-css\" href=\"https:\/\/use.typekit.net\/itk2qbh.css?ver=cc5cb8dd0a9ba2b865c4\" media=\"all\"> <link 
rel=\"https:\/\/api.w.org\/\" href=\"https:\/\/fedscoop.com\/wp-json\/\"><link rel=\"alternate\" title=\"JSON\" type=\"application\/json\" href=\"https:\/\/fedscoop.com\/wp-json\/wp\/v2\/posts\/82819\"><link rel=\"EditURI\" type=\"application\/rsd+xml\" title=\"RSD\" href=\"https:\/\/fedscoop.com\/xmlrpc.php?rsd\">\n<meta name=\"generator\" content=\"WordPress 6.7.1\">\n<link rel=\"shortlink\" href=\"https:\/\/fedscoop.com\/?p=82819\">\n<link rel=\"alternate\" title=\"oEmbed (JSON)\" type=\"application\/json+oembed\" href=\"https:\/\/fedscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Ffedscoop.com%2Fopm-email-federal-workforce-lawsuit-server-privacy-security%2F\">\n<link rel=\"alternate\" title=\"oEmbed (XML)\" type=\"text\/xml+oembed\" href=\"https:\/\/fedscoop.com\/wp-json\/oembed\/1.0\/embed?url=https%3A%2F%2Ffedscoop.com%2Fopm-email-federal-workforce-lawsuit-server-privacy-security%2F&amp;format=xml\"> <!-- Google Tag Manager --> <!-- End Google Tag Manager --> <link rel=\"icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=32\" sizes=\"32x32\">\n<link rel=\"icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=192\" sizes=\"192x192\">\n<link rel=\"apple-touch-icon\" href=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=180\">\n<meta name=\"msapplication-TileImage\" content=\"https:\/\/fedscoop.com\/wp-content\/uploads\/sites\/5\/2023\/01\/cropped-fs_favicon-3.png?w=270\"> <\/head><body class=\"post-template-default single single-post postid-82819 single-format-standard\" id=\"readabilityBody\"> <a href=\"https:\/\/fedscoop.com\/opm-email-federal-workforce-lawsuit-server-privacy-security\/#main\" class=\"skip-to-content-link visually-hidden-focusable\">Skip to main content<\/a> <\/p>\n<div class=\"ad ad--top ad--top-desktop\">\n<div class=\"ad__inner\"> <span 
class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p> <main id=\"main\" role=\"main\" tabindex=\"-1\"> <\/p>\n<div class=\"ad ad--top ad--top-mobile\">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<section id=\"stickybar\" class=\"stickybar stickybar--newsletter js-stickybar\" readability=\"0.82\"> <button class=\"stickybar__close js-stickybar-close\" aria-controls=\"stickybar\"> <svg class=\"icon icon--close\" width=\"21\" height=\"22\" viewBox=\"0 0 21 22\" fill=\"none\"><path d=\"m.822.518-.805.805L9.695 11 .017 20.678l.805.805 9.678-9.678 9.677 9.678.806-.805L11.305 11l9.678-9.677-.806-.805-9.677 9.677L.822.518Z\" fill=\"currentColor\" \/><\/svg> <span class=\"visually-hidden\">Close<\/span> <\/button> <\/section>\n<article class=\"single-article content\">\n<div class=\"single-article__container js-single-article-content\">\n<header class=\"single-article__header \" readability=\"26.146422628952\">\n<div class=\"single-article__header-content\" readability=\"35.602385685885\">\n<p> A pair of whistleblowers believe the office skirted the law by not conducting a privacy impact assessment for an alleged \u201con-prem\u201d server used to send mass emails to federal employees and store information from responses. <\/p>\n<p> <!-- Listen to this article section --> <!-- Audio Element --><br \/>\n<audio id=\"audio-player\" src=\"https:\/\/wp-tts-cdn.api.scpnewsgrp.com\/fedscoop\/82819\/english.openai.mp3\"><\/audio> <\/p>\n<div readability=\"11\">\n<div>\n<p>Listen to this article<\/p>\n<p> <!-- Countdown Timer --> <\/p>\n<p>0:00<\/p>\n<\/p><\/div>\n<p> <!-- Tooltip --> <\/p>\n<p> <span id=\"tts-tooltip\">Learn more.<\/span> <span> This feature uses an automated voice, which may result in occasional errors in pronunciation, tone, or sentiment. 
<\/span> <\/p>\n<\/div>\n<p> <!-- End of audio player --> <\/div>\n<div class=\"single-article__cover-wrap\">\n<figure class=\"single-article__cover\"> <img data-recalc-dims=\"1\" fetchpriority=\"high\" width=\"488\" height=\"310\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/lawsuit-claims-systems-behind-opm-governmentwide-email-blast-are-illegal-insecure.jpg?resize=488%2C310&#038;ssl=1\" class=\"single-article__cover-image wp-post-image\" alt decoding=\"async\" fetchpriority=\"high\" srcset=\"https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/lawsuit-claims-systems-behind-opm-governmentwide-email-blast-are-illegal-insecure-2.jpg 488w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/lawsuit-claims-systems-behind-opm-governmentwide-email-blast-are-illegal-insecure-2.jpg?resize=300,191 300w, https:\/\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/lawsuit-claims-systems-behind-opm-governmentwide-email-blast-are-illegal-insecure-2.jpg?resize=264,168 264w\" sizes=\"(max-width: 488px) 100vw, 488px\"><figcaption> A screenshot of the first OPM test email sent to employees across the federal government Jan. 24. <\/figcaption><\/figure>\n<\/p><\/div>\n<\/header>\n<div class=\"single-article__content\">\n<div class=\"single-article__content-inner has-drop-cap\"> <html readability=\"44.843755428174\"><body readability=\"91.832045949693\"><\/p>\n<p>A lawsuit filed in federal court Monday alleges that the Office of Personnel Management set up an on-premise server to conduct last week\u2019s mass email blast to federal employees and store information it received in response without doing a privacy impact assessment on the system as required by law.<\/p>\n<p>Filed by two anonymous federal employees in the U.S. 
District Court for the District of Columbia, <a href=\"https:\/\/storage.courtlistener.com\/recap\/gov.uscourts.dcd.276820\/gov.uscourts.dcd.276820.1.0.pdf\">the class-action lawsuit<\/a> calls for OPM to stop the use of the system until the agency can show that it\u2019s lawfully conducted a privacy assessment.<\/p>\n<p>The two employees accuse OPM officials of deploying the new server \u2014 which is said to be \u201cretaining information about every employee of the U.S. Executive Branch\u201d or potentially doing so through systems linked to it \u2014 in a \u201crapid\u201d manner without building proper security measures into it or assessing the privacy impacts as required by the E-Government Act of 2002.&nbsp;<\/p>\n<p>On Friday, OPM sent a mass email to employees across the federal government \u2014 though not every federal employee received it, including one of the plaintiffs in the lawsuit \u2014 to test \u201ca new distribution and response list,\u201d asking recipients to reply \u201cyes.\u201d Over the weekend, federal employees received another test \u201cto confirm that an email can be sent and replied to by all government employees.\u201d Some agency and department heads gave guidance to their employees that the emails from OPM could be trusted.<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>The complaint goes on to say: \u201cOPM has not conducted a PIA for this unknown email server or any system which collects or maintains Personally Identifiable Information (\u201cPII\u201d) obtained from its use,\u201d nor has a chief information officer or equivalent agency official signed off on an assessment. Finally, such an assessment would need to be made publicly available for review.<\/p>\n<p>\u201cOPM\u2019s failure to take these steps constitutes agency action unlawfully withheld or unreasonably delayed in violation of 5 U.S.C. 
\u00a7 706(1),\u201d the lawsuit states. \u201cPlaintiffs are being materially harmed by this inaction because they are being denied information about how these systems \u2014 which will be rich in PII about every employee of the U.S. Executive Branch \u2014 are being designed and used.\u201d<\/p>\n<p>As a measure of relief, the plaintiffs call for an injunction of the systems involved in the matter until OPM conducts the required privacy assessment.<\/p>\n<p>The unnamed plaintiffs also share concerns about the security of the server or any systems used in the mass email operation, calling into question the encryption of email communications involved.&nbsp;<\/p>\n<p>The plaintiffs cite <a href=\"https:\/\/fedscoop.com\/opm-hack-investigation\/\">the 2015 OPM hack that impacted more than 21 million federal employees<\/a> as an example of what can go awry when one system, without adequate security controls, contains so much sensitive information.&nbsp;<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>\u201cStandard email is not encrypted, and it is common practice among hackers \u2014 including hackers affiliated with hostile foreign services \u2014 to begin attempting to access a new U.S. Government device as soon as they learn of its deployment,\u201d the lawsuit reads.&nbsp;&nbsp;&nbsp;<\/p>\n<p>It continued: \u201cPlaintiffs stand to continue to be harmed by this ongoing inaction in the future beyond the informational injury, since they will face a reasonably foreseeable risk that their PII will be unlawfully obtained from these unknown systems, much as the data of millions of federal employees were unlawfully obtained from another OPM server in 2014.\u201d<\/p>\n<p>The whistleblowers cite \u201can OPM employee for nearly a decade and a Federal Employee for almost 20 years\u201d who posted detailed information to a union chat as the source of their information. 
That message also alleges that <a href=\"https:\/\/fedscoop.com\/melvin-brown-named-opm-chief-information-officer\/\">Melvin Brown II<\/a>, who was <a href=\"https:\/\/fedscoop.com\/melvin-brown-ii-swapped-out-opm-chief-information-officer\/\">replaced as OPM CIO last week<\/a> after the Trump administration took office, \u201cwas pushed aside just one week into his tenure because he refused to setup email lists to send out direct communications to all career civil servants.\u201d&nbsp;<\/p>\n<p>The union chat message, which has also been circulated on Reddit, claims that OPM employees are being instructed to send lists of email addresses that respond to the message blasts to a woman named Amanda Scales, who has worked for Elon Musk. President Donald Trump previously named the tech billionaire the <a href=\"https:\/\/fedscoop.com\/doge-it-modernization-federal-agencies-gao-report\/\">leader of the new Department of Government Efficiency<\/a>.&nbsp;<\/p>\n<p>Last week, Trump issued an executive order <a href=\"https:\/\/fedscoop.com\/federal-it-elon-musk-doge-us-digital-service\/\">embedding the DOGE as part of the U.S. Digital Service<\/a> and renaming the White House digital team the U.S. DOGE Service. As part of that overhaul, Trump also called for the federal agency leaders to \u201ctake all necessary steps, in coordination with the USDS Administrator and to the maximum extent consistent with law, to ensure USDS has full and prompt access to all unclassified agency records, software systems, and IT systems.\u201d<\/p>\n<div class=\"ad ad--inline_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<p>OPM last week also <a href=\"https:\/\/fedscoop.com\/opm-email-report-diversity-and-inclusion-initiatives\/\">created an email account<\/a> meant to collect reports of suspected diversity, equity, and inclusion initiatives. In a Jan. 
21 memo, OPM directed agencies to collect reports of any efforts to disguise such initiatives.<\/p>\n<p><\/body> <\/p>\n<footer class=\"single-article__footer\" readability=\"4.2164073550212\">\n<div class=\"author-card\" readability=\"16\">\n<div class=\"author-card__avatar\">\n<figure class=\"author-card__image-wrap\"> <img data-recalc-dims=\"1\" decoding=\"async\" class=\"author-card__image\" src=\"https:\/\/i0.wp.com\/ddi.mohflo.net\/wp-content\/uploads\/2025\/01\/lawsuit-claims-systems-behind-opm-governmentwide-email-blast-are-illegal-insecure-1.jpg?w=640&#038;ssl=1\" alt=\"Billy Mitchell\"> <\/figure>\n<\/p><\/div>\n<p><h4 class=\"author-card__name\">Written by Billy Mitchell<\/h4>\n<p> Billy Mitchell is Senior Vice President and Executive Editor of Scoop News Group&#8217;s editorial brands. He oversees operations, strategy and growth of SNG&#8217;s award-winning tech publications, FedScoop, StateScoop, CyberScoop, EdScoop and DefenseScoop. After earning his journalism degree at Virginia Tech and winning the school&#8217;s Excellence in Print Journalism award, Billy received his master&#8217;s degree from New York University in magazine writing while interning at publications like Rolling Stone. 
<\/p>\n<\/p><\/div>\n<div class=\"single-article__tags-container\">\n<h4 class=\"single-article__tags-title\">In This Story<\/h4>\n<\/p><\/div>\n<\/footer>\n<p> <\/html><\/div>\n<\/p><\/div>\n<\/p><\/div>\n<div class=\"single-article__ads js-single-article-sidebar\">\n<div class=\"ad ad--sidebar js-single-article-sidebar-5 ad--rightrail_1 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-4 ad--rightrail_2 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div class=\"ad ad--sidebar js-single-article-sidebar-3 ad--rightrail_3 \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div><\/div>\n<\/article>\n<div class=\"popular-stories popular-stories--single-post\">\n<div class=\"popular-stories__container\">\n<h2 class=\"popular-stories__title\"> More Scoops <\/h2>\n<p> <!-- .popular-stories__stories --> <\/div>\n<p><!-- .popular-stories__inner -->\n<\/div>\n<p><!-- .popular-stories --> <\/p>\n<section class=\"latest-podcasts\">\n<h2 class=\"latest-podcasts__title\"> Latest Podcasts\t<\/h2>\n<\/section>\n<div class=\"top-categories\">\n<div class=\"top-categories__container\">\n<h3 class=\"top-categories__category-title\">FedScoop TV<\/h3>\n<\/p><\/div>\n<\/p><\/div>\n<p> <\/main> <\/p>\n<div class=\"ad ad--bottom \">\n<div class=\"ad__inner\"> <span class=\"screen-reader-text\">Advertisement<\/span> <\/div>\n<\/div>\n<div id=\"interstitial\" class=\"welcome__container\"> <button id=\"close-modal-1\" class=\"welcome__clickable_area\"><\/button> <\/p>\n<div class=\"welcome__ad_wrapper\">\n<p> <button id=\"close-modal-3\" class=\"welcome__continue-button\">Continue to FedScoop<\/button> <\/p>\n<\/p><\/div>\n<\/p><\/div>\n<p> <!-- Start of HubSpot Embed Code --> <!-- End of HubSpot Embed Code --> <\/body> <a 
href=\"https:\/\/fedscoop.com\/opm-email-federal-workforce-lawsuit-server-privacy-security\/\">Source<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>Lawsuit claims systems behind OPM governmentwide email blast are illegal,<\/p>\n","protected":false},"author":11,"featured_media":0,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_jetpack_memberships_contains_paid_content":false,"footnotes":""},"categories":[78],"tags":[86],"class_list":["post-7102","post","type-post","status-publish","format-standard","hentry","category-cybersecurity","tag-cybersecurity"],"featured_image_urls":{"full":"","thumbnail":"","medium":"","medium_large":"","large":"","1536x1536":"","2048x2048":"","chromenews-featured":"","chromenews-large":"","chromenews-medium":""},"author_info":{"display_name":"Cyber Scoop","author_link":"https:\/\/ddi.mohflo.net\/index.php\/author\/cyberscoop\/"},"category_info":"<a href=\"https:\/\/ddi.mohflo.net\/index.php\/category\/cybersecurity\/\" rel=\"category 
tag\">Cybersecurity<\/a>","tag_info":"Cybersecurity","comment_count":"0","jetpack_featured_media_url":"","jetpack_sharing_enabled":true,"_links":{"self":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7102","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/users\/11"}],"replies":[{"embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/comments?post=7102"}],"version-history":[{"count":0,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/posts\/7102\/revisions"}],"wp:attachment":[{"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/media?parent=7102"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/categories?post=7102"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/ddi.mohflo.net\/index.php\/wp-json\/wp\/v2\/tags?post=7102"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}