Mystery OPM server that aided buyout offers prompts House Democrat probe

House Oversight Democrats are demanding answers about the installation of a “server of unknown nature and origin” at the Office of Personnel Management (OPM) that aided the agency in sending buyout offers to federal employees.

The letter asks for a list of employees that installed the equipment, the authority under which they were hired, and whether they faced background investigations — a nod to a Reddit post saying employees outside OPM installed the server.

The installation of the server appears to have been a stepping stone in OPM’s work to assemble a list of federal employee emails ahead of offering the “Fork in the Road” buyout package to nearly all employees — a brainchild of Elon Musk.

But in doing so, OPM may have violated laws dictating how the agency must plan for using databases with personally identifiable information.

“At best, the Trump Administration’s actions at OPM to date demonstrate gross negligence, severe incompetence, and a chaotic disregard for the security of our government data and the countless services it enables our agencies to provide to the public,” said the letter from Rep. Gerry Connolly (Va.), the House Oversight and Government Reform Committee’s top Democrat, and Rep. Shontel Brown (D-Ohio).

“At worst, we fear that Trump Administration officials know full well that their actions threaten to break our government and put our citizens at risk of foreign adversaries like China and Russia gaining access to our sensitive data.”

OPM is already facing a suit under the E-Government Act of 2002, which requires a Privacy Impact Assessment before pushing ahead with creation of databases that store personally identifiable information.

The letter also seeks details about how OPM was able to assemble a list of employees — something that appears to be done from cobbling together existing email lists and datasets. Email metadata reviewed by The Hill show multiple email subdomains and servers affiliated with the process.

Most messages to staff are handled through each agency, and the government did not previously have the capability to send such far-reaching emails.

Democrats argue that “acquiring such a capability securely and in compliance with federal cybersecurity, privacy, and procurement laws would likely not have been possible in such a short timeframe.”

Their concerns are not hypothetical.

Employees at the National Oceanic and Atmospheric Administration already received emails from outside the organization.  

“The lack of security and oversight associated with the new email system and data management practices threatens to expose federal workers to personalized social engineering or ‘spear phishing’ attacks to gain access to government systems,” the two lawmakers wrote.

OPM did not immediately respond to request for comment.

The letter comes as lawmakers have sounded the alarm over other efforts from those associated with the Department of Government Efficiency to access government databases, including at the Treasury Department.