US Government sued after mass emails to federal workforce allegedly sent from insecure server
www.computerworld.com
When officials working for the incoming Trump administration decided they wanted to email the entire federal workforce last week, they didn't hang about.

Far from it: A new private class action lawsuit brought by two anonymous US executive branch employees alleges that they simply turned up at the HQ of the US Office of Personnel Management (OPM), which handles HR, and demanded to plug in their email server and get going as soon as possible.

The one person who could have refused authorization for such a move, Melvin Brown II, who took control of the agency's IT systems only a week before, had already been sidelined.

The suit was filed after OPM sent two test emails to an estimated 2.3 million federal employees in a way that, the suit alleges, broke the E-Government Act of 2002 and was inherently insecure. Those rules require that a Privacy Impact Assessment (PIA) be carried out first.

The day after the suit was filed, the OPM sent another email to federal employees, inviting them to resign.

In addition to its allegations of using an insecure email server, the suit claimed that the person who received the data from the email campaign was a non-OPM employee connected to Elon Musk, raising questions about how any personally identifiable information (PII) arising from it will be stored and secured, and whether normal security and procurement protocols were flouted.

Phishing test

On the other side of this campaign were employees who rarely receive mass emails from the OPM's HR department, in a system that normally channels communications through individual agencies.

That might explain why some employees were confused by the unexpected contacts. The first email, which arrived on January 24 from an OPM hr@opm.gov email address, stated that it was testing "a new distribution and response list" designed to allow direct OPM communication with employees. Employees were asked to reply "yes" to the message and asked to visit an OPM website announcing the test.

On January 26 a second email from the same address arrived in inboxes, again asking employees to reply "yes" even if they had already replied to the first email test. With no sense of irony, the message warned employees to be wary of unknown emails:

"As a reminder, always check the From address to confirm that an email is from a legitimate government account and be careful about clicking on links, even when the email originates from the government."

Some employees took them at their word, posting suspicions on Reddit that the emails might be part of a phishing attack or test. It was also noticed that the emails weren't digitally signed, a standard way of authenticating a sending email server.

"This is EXACTLY how to design a phishing email. Is this a joke? Is this an active cybersecurity operation by a bad actor???", read one comment.

Walked right in

The employee lawsuit alleges that last week's emails were part of a wider and hastily assembled campaign to collect data on government employees.

As part of that, it references a message posted to Reddit by someone claiming to be an OPM employee with knowledge of the matter, saying that lists compiled from email replies were to be sent to Amanda Scales, an employee who works for Elon Musk and not the OPM.

"Someone literally walked into our building and plugged in an email server to our network to make it appear that emails were coming from OPM. It's been the one sending those various test messages you've all seen. We think they're building a massive email list of all federal employees to generate mass RIF notices down the road," said a Reddit post referring to reductions in force (layoffs), according to the lawsuit.

Not coincidentally perhaps, this week the OPM emailed a controversial deferred resignation offer to all federal employees, offering eight months of pay and benefits for anyone who agrees within seven days to resign their positions.

"Type the word Resign into the Subject line of the email. Hit Send," it read. The notice was entitled "Fork in the Road", perhaps a reference to an artwork of the same name Musk commissioned in 2022.

OPM breach

The OPM, of course, has form when it comes to data security. In 2015, it detected a huge data breach affecting 22.1 million employee records, including PII such as social security numbers. That led to Congressional hearings and several government reports that identified a depressing list of underlying causes.

But with this history in mind, the idea that an unknown party could simply plug their email server into the OPM network without security vetting of either the server itself or its data collection and storage routines will astonish anyone in cybersecurity.

The incident suggests a culture where speed and shock matter above all. It's not clear how many employees were forewarned that the emails might turn up, but asking employees to reply to an email or click on a link is lax in an era of phishing attacks. That's before considering the possibility that the email server or its data might itself be targeted.

The OPM did not immediately respond to questions sent to the hr@opm.gov email address.
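The article's security point is that the emails told recipients to trust the From address while the messages themselves were not digitally signed. The From header is trivially forgeable; what a receiving mail server actually verifies is SPF, DKIM and DMARC, and it records the outcome in an Authentication-Results header (RFC 8601). The following is an added example, not code from the article or from OPM, showing how a defender can check that header instead of the From line; the two sample messages and the mx.example.gov receiver are constructed for illustration.

```python
# Added example: decide whether a message claiming to be from a government
# domain actually passed sender authentication, rather than trusting the
# From header the OPM test emails told recipients to check.
import email
import re
from email import policy

def auth_results(raw_message: str) -> dict:
    """Return {method: result} parsed from Authentication-Results header(s)."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    results = {}
    for hdr in msg.get_all("Authentication-Results", []):
        # Clauses look like "dkim=pass header.d=opm.gov"; keep method and result.
        for method, result in re.findall(r"\b(spf|dkim|dmarc)=(\w+)", hdr, re.I):
            results[method.lower()] = result.lower()
    return results

def from_domain(raw_message: str) -> str:
    """Domain of the (unverified, attacker-controlled) From header."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    addr = msg["From"].addresses[0].addr_spec if msg["From"] else ""
    return addr.rsplit("@", 1)[-1].lower()

def classify(raw_message: str, expected_domain: str = "opm.gov") -> str:
    """'verified' only when DMARC passed, i.e. an aligned SPF or DKIM result
    for the From domain; otherwise a short reason string for the analyst."""
    domain = from_domain(raw_message)
    if domain != expected_domain:
        return f"from-domain-mismatch:{domain}"
    res = auth_results(raw_message)
    if res.get("dmarc") == "pass":
        return "verified"
    if not res:
        return "unauthenticated:no-authentication-results"
    return "unauthenticated:" + ",".join(f"{k}={v}" for k, v in sorted(res.items()))

# Constructed sample messages (not real OPM mail): one DKIM-signed and
# DMARC-aligned, one that merely claims the From address, as the unsigned
# test emails described in the article did.
SIGNED = """From: OPM HR <hr@opm.gov>
To: employee@example.gov
Subject: Test
Authentication-Results: mx.example.gov; spf=pass smtp.mailfrom=opm.gov;
 dkim=pass header.d=opm.gov; dmarc=pass header.from=opm.gov

Please reply yes.
"""
UNSIGNED = """From: OPM HR <hr@opm.gov>
To: employee@example.gov
Subject: Test
Authentication-Results: mx.example.gov; spf=fail smtp.mailfrom=opm.gov; dkim=none

Please reply yes.
"""
```

Both samples carry an identical From line, which is exactly why the From-address advice in the email was insufficient; only the authentication results separate them.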