US Government sued after mass emails to federal workforce allegedly sent from insecure server
When officials working for the incoming Trump administration decided they wanted to email the entire federal workforce last week, they didn’t hang about.
Far from it: A new private class action lawsuit brought by two anonymous US executive branch employees alleges that they simply turned up at the HQ of the US Office of Personnel Management (OPM), which handles HR, and demanded to plug in their email server and get going as soon as possible.
The one person who could have refused authorization for such a move — Melvin Brown II, who took control of the agency’s IT systems only a week before — had already been sidelined.
The suit was filed after OPM sent two test emails to an estimated 2.3 million federal employees in a way that, the suit alleges, broke the E-Government Act of 2002 and was inherently insecure. That Act requires a Privacy Impact Assessment (PIA) to be completed before a new system that collects personal information is put into use.
The day after the suit was filed, the OPM sent another email to federal employees, inviting them to resign.
In addition to its allegations of using an insecure email server, the suit claimed that the person who received the data from the email campaign was a non-OPM employee connected to Elon Musk, raising questions about how any personally identifiable information (PII) arising from it will be stored and secured and whether normal security and procurement protocols were flouted.
Phishing test
On the receiving end of this campaign were employees who rarely get mass emails from OPM's HR function, because federal communications normally flow through each employee's own agency.
That might explain why some employees were confused by the unexpected contacts. The first email, which arrived on January 24 from an OPM [email protected] email address, stated that it was testing “a new distribution and response list” designed to allow direct OPM communication with employees. Employees were asked to reply “yes” to the message and to visit an OPM website announcing the test.
On January 26 a second email from the same address arrived in inboxes, again asking employees to reply “yes” even if they had already replied to the first email test. With no sense of irony, the message warned employees to be wary of unknown emails:
“As a reminder, always check the ‘From’ address to confirm that an email is from a legitimate government account and be careful about clicking on links, even when the email originates from the government.”
Some employees took them at their word, posting suspicions on Reddit that the emails might be part of a phishing attack or test. It was also noticed that the emails weren't digitally signed. A signature (a DKIM signature from the sending domain, or an S/MIME signature from the sender) is the standard way to authenticate where a message actually came from; a plausible “From” address on its own proves nothing, since that header can be set to any value.
“This is EXACTLY how to design a phishing email. Is this a joke? Is this an active cybersecurity operation by a bad actor???,” read one comment.
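As an added example, not part of the article and not code from OPM, the following Python script shows the check a recipient or mail gateway can make instead of trusting the “From” line: it parses a raw message, looks for a DKIM-Signature header, tests whether the signing domain actually vouches for the From domain, and reads the verdicts the receiving server recorded in Authentication-Results. The three messages, the domains and the signature values in it are constructed for illustration and are not the real OPM emails; the script inspects headers only and does not verify the signature cryptographically (that needs DNS lookups and a library such as dkimpy).

```python
"""Check whether an email's From address is actually authenticated.

Added example; the three messages below are constructed, not the real OPM
emails. The script reports whether a DKIM-Signature is present, whether its
d= domain aligns with the From domain, and what spf/dkim/dmarc verdicts the
receiving server recorded. It does not verify the signature itself.
"""
import email
import re
from email import policy
from email.utils import parseaddr
from typing import Optional

# Constructed sample 1: unsigned, like the "test" emails described in the article.
UNSIGNED_MSG = b"""From: OPM HR <hr@opm.gov>
To: employee@agency.gov
Subject: Testing a new distribution and response list
Date: Fri, 24 Jan 2025 18:00:00 -0500

Please reply "yes" to this message.
"""

# Constructed sample 2: the same message, DKIM-signed by opm.gov, with the
# receiving server's Authentication-Results header prepended.
SIGNED_MSG = b"""Authentication-Results: mx.agency.gov; dkim=pass header.d=opm.gov; spf=pass smtp.mailfrom=opm.gov; dmarc=pass header.from=opm.gov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=opm.gov; s=sel1; h=from:to:subject:date; bh=ZmFrZQ==; b=ZmFrZQ==
From: OPM HR <hr@opm.gov>
To: employee@agency.gov
Subject: Testing a new distribution and response list
Date: Fri, 24 Jan 2025 18:00:00 -0500

Please reply "yes" to this message.
"""

# Constructed sample 3: a valid DKIM signature, but from an unrelated bulk-mail
# domain, so it does not vouch for the opm.gov From address (DMARC fails).
MISALIGNED_MSG = b"""Authentication-Results: mx.agency.gov; dkim=pass header.d=bulkmailer.example; spf=pass smtp.mailfrom=bulkmailer.example; dmarc=fail header.from=opm.gov
DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=bulkmailer.example; s=k1; h=from:to:subject:date; bh=ZmFrZQ==; b=ZmFrZQ==
From: OPM HR <hr@opm.gov>
To: employee@agency.gov
Subject: Testing a new distribution and response list
Date: Fri, 24 Jan 2025 18:00:00 -0500

Please reply "yes" to this message.
"""


def from_domain(msg) -> str:
    """Domain of the RFC 5322 From header (the address the user sees)."""
    _, addr = parseaddr(str(msg.get("From", "")))
    return addr.rpartition("@")[2].lower()


def dkim_signing_domain(msg) -> Optional[str]:
    """d= tag of the DKIM-Signature header, or None if the message is unsigned."""
    sig = msg.get("DKIM-Signature")
    if sig is None:
        return None
    m = re.search(r"(?:^|;)\s*d=([^;\s]+)", str(sig))
    return m.group(1).lower() if m else None


def auth_verdicts(msg) -> dict:
    """spf/dkim/dmarc results as recorded by the receiving MTA."""
    verdicts = {}
    for header in msg.get_all("Authentication-Results", []):
        for m in re.finditer(r"\b(spf|dkim|dmarc)=([a-z]+)", str(header).lower()):
            verdicts[m.group(1)] = m.group(2)
    return verdicts


def dkim_aligned(signing_domain: str, from_dom: str) -> bool:
    """Relaxed DMARC-style alignment: equal, or From domain is a subdomain of d=."""
    return signing_domain == from_dom or from_dom.endswith("." + signing_domain)


def assess(raw: bytes) -> dict:
    """Return the From domain, signing domain, server verdicts and a list of findings."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    from_dom = from_domain(msg)
    signing_domain = dkim_signing_domain(msg)
    verdicts = auth_verdicts(msg)
    findings = []
    if signing_domain is None:
        findings.append("no DKIM-Signature: the From address is unauthenticated")
    elif not dkim_aligned(signing_domain, from_dom):
        findings.append(f"DKIM d={signing_domain} does not vouch for From domain {from_dom}")
    if verdicts.get("dkim") != "pass":
        findings.append("receiving server did not record dkim=pass")
    if verdicts.get("dmarc") != "pass":
        findings.append("receiving server did not record dmarc=pass")
    return {
        "from_domain": from_dom,
        "dkim_domain": signing_domain,
        "verdicts": verdicts,
        "findings": findings,
        "from_header_trustworthy": not findings,
    }


if __name__ == "__main__":
    for name, raw in (("unsigned", UNSIGNED_MSG), ("signed", SIGNED_MSG), ("misaligned", MISALIGNED_MSG)):
        result = assess(raw)
        print(f"{name}: trustworthy={result['from_header_trustworthy']} findings={result['findings']}")
```

Running the script prints one line per sample. The third case is the one worth remembering: a genuine DKIM signature from an unrelated domain passes DKIM, yet still says nothing about the opm.gov address shown to the user, which is exactly why the article's “check the From address” advice is not sufficient on its own.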
Walked right in
The employee lawsuit alleges that last week’s emails were part of a wider and hastily assembled campaign to collect data on government employees.
As part of that, it references a message posted to Reddit by someone claiming to be an OPM employee with knowledge of the matter, saying that lists compiled from email replies were to be sent to Amanda Scales, an employee who works for Elon Musk and not the OPM.
“Someone literally walked into our building and plugged in an email server to our network to make it appear that emails were coming from OPM. It’s been the one sending those various ‘test’ messages you’ve all seen. We think they’re building a massive email list of all federal employees to generate mass RIF notices down the road,” said a Reddit post referring to reductions in force (layoffs), according to the lawsuit.
Not coincidentally perhaps, this week the OPM emailed a controversial “deferred resignation offer” to all federal employees offering eight months of pay and benefits for anyone who agrees within seven days to resign their positions.
“Type the word ‘Resign’ into the ‘Subject’ line of the email. Hit ‘Send’,” it read. The notice was entitled “Fork in the Road”, perhaps a reference to an artwork of the same name Musk commissioned in 2022.
OPM breach
The OPM, of course, has form when it comes to data security. In 2015, it detected a huge data breach affecting 22.1 million employee records, including PII such as social security numbers. That led to Congressional hearings and several government reports that identified a depressing list of underlying causes.
But with this history in mind, the idea that an unknown party could simply plug their email server into the OPM network without security vetting of either the server itself or its data collection and storage routines will astonish anyone in cybersecurity.
The incident suggests a culture where speed and shock matter above all. It's not clear how many employees were forewarned that the emails might turn up, but asking employees to reply to an email or click on a link is lax in an era of phishing attacks. That's before considering the possibility that the email server or the data it collects might itself be targeted.
The OPM did not immediately respond to questions sent to the [email protected] email address.
Source: Computer World