A class action lawsuit filed by federal workers claims that a group tied to Elon Musk has installed an unauthorized server at the U.S. Office of Personnel Management (OPM) headquarters in Washington, D.C. The plaintiffs, including two anonymous federal employees, are requesting a temporary restraining order to stop the server’s operation, citing concerns over cybersecurity risks and possible violations of federal law.
Allegations of Illegal Server Installation
The lawsuit, which was filed on January 27, asserts that Musk’s associates set up a server within OPM without conducting a required privacy impact assessment. According to the 2002 E-Government Act, federal agencies must complete these assessments before making significant changes to their information technology systems, especially when handling personal data.
The motion claims that the server was installed to collect personal information, including the names and email addresses of federal employees. Prior to this, OPM did not have the ability to send emails to the entire federal workforce from a single account. The lawsuit alleges that after January 20, 2025, unknown individuals bypassed OPM’s security protocols, creating a direct communication line with federal employees without proper oversight.
Concerns Over Data Security and Privacy
The plaintiffs’ legal team argues that the server poses a major cybersecurity threat, with the potential to expose sensitive government data to foreign adversaries. The email address associated with the server, HR@opm.gov, is linked to a controversial program that offers federal workers buyouts, allowing them to resign while still receiving their paychecks until September. The program is set to expire on February 6.
Kel McClanahan, executive director of National Security Counselors, emphasized the urgency of the situation, stating that waiting for normal legal proceedings is not an option when sensitive information is potentially at risk. The absence of oversight has heightened concerns, particularly after OPM’s inspector general, Krista Boyd, was dismissed on January 24, further weakening security oversight.
Cybersecurity and Access Issues
A report by Reuters revealed that senior OPM officials were locked out of the agency’s data systems, allegedly by Musk’s associates. This loss of access has raised alarm about the security and potential misuse of sensitive information. An anonymous OPM official shared their concerns, saying, “We have no visibility into what they are doing with the computer and data systems. It creates real cybersecurity and hacking implications.”
The lawsuit stresses the importance of judicial intervention to prevent further exposure of confidential data, especially given the lack of internal oversight and accountability.
Legal Violations and Questions
The lawsuit further argues that OPM’s actions may violate the Administrative Procedure Act (APA), which mandates that agencies act in accordance with the law. The plaintiffs contend that OPM’s failure to conduct a privacy impact assessment and its questionable handling of the deferred resignation program may violate federal regulations.
The legality of the deferred resignation program has also been questioned. Despite instructions for federal workers to respond to the program’s emails, union leaders and lawmakers, including Senator Tim Kaine, have warned employees to be cautious, citing concerns over the lack of funding for the program.
Impact on Workforce Reduction Plans
If the court grants the temporary restraining order, the server would be disconnected until the required privacy assessment is completed. This could delay the Trump administration’s plans to reduce the federal workforce. Critics argue that the February 6 deadline for the deferred resignation program is arbitrary and can be extended using existing communication systems.
McClanahan argued that issuing the injunction would not impose any hardship on the government, as the program could continue through other channels.
Echoes of Past Breaches
The case also draws comparisons to the 2015 OPM data breach, which exposed the personal records of over 22 million individuals. A congressional report after the breach pointed to a failure in communication between OPM’s chief information officer and inspector general, leading to security vulnerabilities.
The current lack of an inspector general has raised further concerns, with Sean Vitka from the Demand Progress Education Fund describing the situation as an “unprecedented exfiltration” of sensitive data. He called for immediate action from the courts to prevent further harm.
