Charles Littlejohn, the former IRS contractor who stole the tax returns of President Trump and 7,500 of the country’s other richest taxpayers, said the agency’s systems were so easy to penetrate that he could have stolen any return he wanted.
That was just what he did.
In a newly unsealed deposition in a civil lawsuit against the IRS, Littlejohn revealed how he managed the worst IRS breach in history. He exfiltrated secret tax data and gave it to reporters, who published it for the world to see.
“There was nothing to prevent me from accessing returns of any American,” Littlejohn said.
Even though he was a consultant at Booz Allen Hamilton and not an IRS employee, the agency gave him an office, an email account and a laptop. Officials figured he would need it all to run the types of reports required in the contract.
The agency also gave him the access he needed.
He felt that searching for Mr. Trump’s name might raise alarms, so he circled in on the data by running general queries based on what he guessed Mr. Trump’s taxes would include. He compared the resulting data hits with “previously leaked” information about Mr. Trump to figure out which information belonged to the president.
Moving the data out of the IRS was a bigger hurdle.
He said it was general knowledge that the IRS blocked downloads to major file hosting services such as Dropbox, but he guessed the agency wouldn’t be able to ban random software. He tested the idea with a website he controlled, and it worked.
He downloaded the data onto flash drives, used a burner phone to contact The New York Times and provided the data for an article published just before the 2020 election.
Littlejohn repeated the process for 7,500 of the country’s wealthiest people and gave the data to ProPublica.
“I was able to access tax returns at will,” he said in the March 19 deposition, just weeks before he reported to a federal prison to serve a five-year sentence for his crime. The deposition was taken as part of a lawsuit brought by Ken Griffin, one of those whose tax data Littlejohn stole and leaked.
He feared his capture by investigators might derail his plans, so he set up a Twitter account to automatically post a message months later, giving the media access to his trove of stolen data even if he was behind bars.
As it happened, the IRS didn’t come looking for him until years later.
Littlejohn revealed some of his theft operations in his criminal case, but the civil case deposition is the most thorough public accounting of his methods and motives.
The IRS and Mr. Griffin agreed to dismiss the civil case, but the tax agency issued an apology as part of that closure.
“The Internal Revenue Service sincerely apologizes to Mr. Kenneth Griffin and the thousands of other Americans whose personal information was leaked to the press,” the agency said in an unattributed statement that heaped blame on Littlejohn. The agency said Littlejohn “violated the terms of his contract and betrayed the trust that the American people place in the IRS.”
Stealing Mr. Trump’s data wasn’t an accident. Littlejohn said he was particularly angered that Mr. Trump fired FBI Director James B. Comey in 2017. “It had echoes of what Nixon had done,” he said.
By 2018, Littlejohn was working at Booz Allen. He had worked there as an IRS contractor several years earlier, so he knew he would have broad access to Americans’ taxes. Prosecutors said he saw himself as a digital-era Robin Hood, stealing the wealthy’s data to benefit society.
“I thought that it was simply my small ability to help uphold a norm, and that was my motivation,” Littlejohn said in his deposition.
He was partly inspired by Sen. Bernard Sanders, the Vermont independent who has routinely complained that the rich are evading their fair share of taxes.
Littlejohn figured ProPublica, a left-leaning investigative website, would be right for those articles.
He gave the reporter data on 7,500 wealthy Americans on a flash drive protected by a password. He set up a Twitter account to automatically post the password months in the future as a fail-safe in case he got nabbed after the Trump leak went public.
He grew too eager and shared the password early.
When the reporter needed additional information, Littlejohn gave the reporter access to an email account. They exchanged information by writing draft emails that the other could see.
Littlejohn also stowed a flash drive of all the data and a journal of some of his activities in a secret location in a room of a house he once rented. He tucked that extra drive inside the lining of a box containing an ornamental camel.
He eventually told investigators about the drive. In a twist, the camel box had been sold on Facebook Marketplace just days earlier to a woman in Pennsylvania. Investigators tracked down the purchaser and regained control of the data.
Littlejohn said he waited for a knock at his door after the initial Trump leak. None came. He took comfort in IRS Commissioner Charles Rettig’s public statement that seemed to suggest the agency wasn’t the source of the leak.
“I’m surprised that they were so certain that it didn’t come from the IRS,” Littlejohn said in his deposition. “I don’t know what prompted that.”
It wasn’t until Nov. 1, 2021, three years after he first stole the data, that two agents from the Treasury Inspector General for Tax Administration appeared at his door. They asked about the queries he ran. He left his contractor’s job earlier in the year and told them he wouldn’t talk without an attorney.
That launched two years of back-and-forth, resulting in a plea deal.
He said the IRS might have prevented him from obtaining the data or blocked him from leaking it to reporters if it conducted random audits of employees’ and contractors’ computer activities.
“And just, you know, that threat of having to describe what they’re doing as — would have been difficult for me to deal with,” Littlejohn said.
Ironically, the IRS uses random selection as one of its methods for auditing taxpayers.
Littlejohn said he debriefed the IRS on how he pilfered the data and suggested random audits of employees’ and contractors’ work.
He said he carried out the thefts after his normal working hours and suggested that the agency try to spot unusual activity.
In response to questions from The Washington Times for this article, the IRS pointed to a May statement detailing 10 areas where the agency “has stepped up protections for taxpayer information.”
Several seemed to speak directly to Littlejohn’s breach.
“The IRS now maintains evidentiary copies of database queries and data outputs, which improves surveillance of internal data use and preserves records of who accessed which data and when. Additionally, the IRS enforces an approved destination for data exports and prevents users from copying those files to unapproved drives or folders,” the agency said.
It has also reduced the number of people with access to “the most sensitive taxpayer data sets,” increased data anonymization, conducted more frequent checks on network access and deployed analytics “to detect and prevent risky data usage.” It also is looking for suspicious activities “around the clock.”
The agency said it has imposed new blocks on emailing taxpayer information from the IRS to outside parties. Emailing the information is allowed internally but is now “closely monitored.”
Matt Jensen, who monitors the IRS for the America First Policy Institute, said the agency is still vulnerable.
“So long as the IRS is entrusted with highly sensitive information, it will be a target for information thieves. Sometimes the IRS will lose and the thieves will win,” he said. “The solution is a simpler tax and enforcement regime that doesn’t require all the information to begin with.”
Late last year, Littlejohn struck a plea that reduced the largest IRS leak in history to a single charge of unauthorized disclosure of tax information.
In his sentencing, Littlejohn agreed that he deserved some prison time but asked for leniency. He said he wanted to start a family with his girlfriend.
After striking the lenient plea deal, prosecutors asked the judge to give Littlejohn the maximum five-year term. The judge agreed.
Littlejohn is now at Marion Federal Correctional Institution in Illinois. His scheduled release date is July 13, 2028.
• Stephen Dinan can be reached at sdinan@washingtontimes.com.
Please read our comment policy before commenting.