Charles Littlejohn, the former IRS contractor who stole the tax returns of then-President Donald Trump and 7,500 of the country’s other richest taxpayers, said the agency’s systems were so easy to penetrate that he could have stolen any return he wanted.
And that’s just what he did.
In a newly unsealed deposition in a civil lawsuit against the IRS, Littlejohn revealed how he managed the worst IRS breach in history, exfiltrating the secret tax data and giving it to reporters who published it for the world to see.
“There was nothing to prevent me from accessing returns of any American,” Littlejohn said.
For starters, even though he was a consultant at Booz Allen Hamilton and not an IRS employee, the agency gave him an office, an email account and a laptop. They figured he would need it to run the type of reports the contract called for.
But it gave him the access he needed.
He felt that searching for Mr. Trump’s name might raise alarms so he circled in on the data by running general queries based on what he guessed Mr. Trump’s taxes would include. Then he compared the resulting data hits to “previously leaked” information about Mr. Trump to figure out which information belongs to the president.
Getting the data out of the IRS was a bigger hurdle.
He said it was general knowledge that the IRS blocked downloads to major websites like Dropbox. But he guessed the agency wouldn’t be able to ban random sites. He tested the idea with a website he controlled and sure enough, it worked.
He downloaded the data onto flash drives, used a burner phone to contact The New York Times and gave them the data for a story they ran just ahead of the 2020 election.
Littlejohn repeated the process for 7,500 of the country’s wealthiest people, giving that data to ProPublica.
“I was able to access tax returns at will,” he said in the March 19 deposition, just weeks before he reported to a federal prison to serve a five-year sentence for his crime. The deposition was taken as part of a lawsuit brought by Ken Griffin, one of those whose tax data Littlejohn stole and leaked.
And he feared his capture by investigators might derail his plans so set up a Twitter account to automatically post a message months down the road, giving the media access to his trove of stolen data even if he was behind bars by that time.
As it happened, the IRS didn’t come looking for him until years later.
Littlejohn had revealed some of his theft operations in his criminal case but the civil case deposition is the most thorough public accounting of his methods and motives.
The IRS and Mr. Griffin agreed to dismiss the civil case, but the tax agency issued an apology as part of that closure.
“The Internal Revenue Service sincerely apologizes to Mr. Kenneth Griffin and the thousands of other Americans whose personal information was leaked to the press,” the agency said in an unattributed statement that heaped blame on Littlejohn. The agency said he “violated the terms of his contract and betrayed the trust that the American people place in the IRS.”
Stealing Mr. Trump’s data wasn’t an accident. Littlejohn said he was particularly angered after Mr. Trump fired FBI Director James B. Comey in 2017 — “it had echoes of what Nixon had done” — which set him on the path to pilfering the president’s data.
By 2018 he was at work at Booz Allen. He’d done a stint there as an IRS contractor several years prior, which is how he knew he would have broad access to Americans’ taxes. Prosecutors said he saw himself as a digital-era Robin Hood, stealing the wealthy’s data to benefit society.
“I thought that it was simply my small ability to help uphold a norm, and that was my motivation,” Littlejohn said in his deposition.
The idea for grabbing the data for the country’s wealthiest people came, in part, from Sen. Bernard Sanders, the Vermont independent who has routinely complained that the rich are ducking their fair share of taxes.
Littlejohn figured ProPublica, a left-leaning investigative website, would be right for those stories.
He gave the reporter data on 7,500 wealthy Americans on a flash drive but it was protected by a password. He then set a Twitter account to automatically post the password months in the future, as sort of a fail-safe in case he got nabbed after the Trump leak went public.
But he grew too eager and shared the password himself early.
When the reporter needed additional information, Littlejohn gave the reporter access to an email account. They exchanged information by writing draft emails that the other could see.
Littlejohn also kept a flash drive of all the data and a journal he kept of some of his activities, stowed in a secret location in a room he once rented in a house. He tucked that extra drive inside the lining of a box containing an ornamental camel.
He would eventually tell investigators about the drive, but in a weird twist, the camel box had been sold on Facebook Marketplace just days earlier to a woman in Pennsylvania. Investigators managed to track down the purchaser and regain control of the data.
Littlejohn said he kept waiting for a knock at his door after the initial Trump leak. None came. He took comfort in then-IRS Commissioner Charles Rettig’s public statement that seemed to suggest the IRS wasn’t the source of the leak.
“I’m surprised that they were so certain that it didn’t come from the IRS,” Littlejohn said in his deposition. “I don’t know what prompted that.”
It wasn’t until Nov. 1, 2021 — three years after he stole the first data — that two agents from the Treasury Inspector General for Tax Administration showed up at his door. They asked about the queries he ran. He’d left his contractor’s job earlier in the year and he told them he wasn’t going to talk without a lawyer.
That launched two years of back-and-forth resulting in an eventual plea deal.
He said the IRS might have prevented him from getting the data, or blocked him from leaking it to reporters if the agency had been doing random audits of its employees’ and contractors’ computer activities.
“And just, you know, that threat of having to describe what they’re doing as — would have been difficult for me to deal with,” Littlejohn said.
Ironically, the IRS uses random selection as one of its methods for auditing taxpayers.
Littlejohn said he debriefed the IRS on how he pilfered the data and made the suggestion about random audits of employees’ and contractors’ work.
He also said his thefts happened after his normal working hours, and suggested the agency try to spot unusual work activity.
In response to questions from The Washington Times for this story, the IRS pointed to a May statement detailing 10 areas where the agency “has stepped up protections for taxpayer information” over the previous year.
Several of them seem to speak directly to Littlejohn’s breach.
“The IRS now maintains evidentiary copies of database queries and data outputs, which improves surveillance of internal data use and preserves records of who accessed which data and when. Additionally, the IRS enforces an approved destination for data exports and prevents users from copying those files to unapproved drives or folders,” the agency said.
It has also reduced the number of people with access to “the most sensitive taxpayer data sets,” increased anonymization of data, conducted more frequent checks on network access, deployed analytics “to detect and prevent risky data usage,” and is looking for suspicious activities “around the clock.”
The agency also said it has imposed new blocks on emailing taxpayer information from the IRS to outside parties. It’s still allowed internally, but is now being “closely monitored.”
Matt Jensen, who monitors the IRS for the America First Policy Institute, said the agency is still vulnerable.
“So long as the IRS is entrusted with highly sensitive information, it will be a target for information thieves. Sometimes the IRS will lose and the thieves will win,” he said. “The solution is a simpler tax and enforcement regime that doesn’t require all the information to begin with.”
Late last year, Littlejohn would strike the plea that saw him reduce the largest IRS leak in history to a single charge of unauthorized disclosure of tax information.
In his sentencing, Littlejohn agreed that he deserved some prison time but asked for leniency, saying he wanted to start a family with his girlfriend.
Prosecutors, after striking the lenient plea deal, asked the judge to give Littlejohn the maximum 5-year term. The judge agreed.
Littlejohn is now at Marion Federal Correction Institution in Illinois. His current scheduled release date is July 13, 2028.
• Stephen Dinan can be reached at sdinan@washingtontimes.com.