A private investigator named Jordan Hamlett is heading to trial next month in Louisiana for allegedly attempting to illegally obtain President Trump’s income tax returns. Hamlett's defense attorney says he’s a well-intentioned white hat hacker engaged in ethical acts, who was trying to notify the IRS that its system was vulnerable. He now faces up to five years in prison.
Whether his motivation was good or bad, Hamlett's hacking skills apparently weren’t great. Court records suggest he disregarded basic lessons of Hacking 101: First, don’t use your personal cell phone when penetration-testing the federal government; and second, don’t immediately confess when FBI and IRS agents engage you in a conversation in the lobby of an Embassy Suites hotel in Baton Rouge. Despite his rookie mistakes, Hamlett reportedly came close to getting the president’s personal tax information. And that says a lot.
Considering Trump’s risk profile, the determination of his detractors, and the current state of cybersecurity, it’s almost inconceivable his tax returns haven’t been hacked—successfully—by someone with more experience and expertise.
After all, American taxpayers should assume their personally identifying information is already in the hands of criminals and then act accordingly, as former IRS commissioner John Koskinen recently told reporters.
For Trump, this is a no-brainer. After he declined to disclose his tax filings during the presidential campaign, the hacker collective Anonymous released his (unconfirmed) Social Security Number, birth date, and cell phone number and vowed to expose his financial entanglements. Would-be whistleblowers were rallied by WikiLeaks, while one high-profile Democrat offered a $5 million reward for anyone who legally leaked Trump’s financials.
The IRS isn’t an impenetrable fortress. Hamlett, the private investigator in Louisiana, allegedly targeted a vulnerability in an online IRS tool for students applying for financial aid. Fraudsters used the same system to steal the data of up to 100,000 taxpayers. Previously, vulnerabilities in the IRS's Get Transcript service led to unauthorized access to 724,000 taxpayer accounts. After these security lapses the IRS awarded a no-bid contract (now suspended) to Equifax for fraud protection services, soon after the credit bureau breached data of 145 million people.
Any sophisticated hacking operation would also focus on affiliated companies, associates, and third parties. Trump’s tax filings have passed through many, many hands—and every contact represents an attack vector. Consider the number of accountants, lawyers, ex-wives, banks, lenders, and business partners Trump has had in the past 20 years. How many have requested and inspected a portion of his personal finances? Those records may now be stored unencrypted in the cloud; they may be sitting on an insecure email server, or locked in a drawer and available for review by an after-hours cleaning crew.
As that fellow from Anonymous in the Guy Fawkes mask put it: “Information doesn't vanish, it is all out there.” So why hasn’t it been leaked?
Conspiracy theorists have suggested Putin’s cyberbullies hacked the returns, and are using them as kompromat—compromising material—for blackmail. But if you’ve already given the information to the IRS, in writing, what’s left to expose? It’s not as if Trump prepared his returns by turning on TurboTax and rummaging through a shoebox of crumpled receipts. His filings have been professionally prepared and vetted by teams of accountants and attorneys. His tax counsel issued a memorandum earlier this year stating a review of Trump’s tax returns for the past decade did not show income from Russian sources, save for a few exceptions.
Of course, the same boilerplate assurance probably could have been made for commerce secretary Wilbur L. Ross Jr., until his financial ties to Putin’s family and associates were leaked in the Paradise Papers, revealing connections previously obscured by a chain of offshore companies in the Cayman Islands.
If foreign intelligence services have obtained Trump’s financial records, we might never learn what they found. Cyberattacks of the US Office of Personnel Management lasted a full year before being detected in 2015. By then, hackers had obtained confidential records on 19.7 million applicants for security clearances, required for the most sensitive jobs in the federal government. US officials have privately blamed China, but the stolen information was never publicly leaked. The perpetrators didn’t design and deploy an advanced persistent threat because they wanted to publish their findings.
In the end, how damaging could Trump's taxes be? Among the few scoops on the subject, The New York Times last year published pages from his state tax returns from 1995, which showed a $916 million loss. Hardly a stellar year—but not a secret, either. Trump’s wealth spiral was well documented in the 1990s, when four of his businesses filed for bankruptcy. His supporters aren’t bothered by the revelation that he’d lost nearly a billion dollars, because they admire his huge appetite for risk.
And when Rachel Maddow released a summary of Trump’s federal tax filing from 2005—showing he paid $38 million in taxes on income of more than $150 million—the MSNBC journalist was lambasted by liberals and conservatives for overhyping an inconsequential story. There was no sign of anything improper or illegal. No company names in Cyrillic, no income recorded in rubles. Maybe the tax returns just aren’t that juicy.
WIRED Opinion publishes pieces written by outside contributors and represents a wide range of viewpoints. Read more opinions here.
Phishing scams are getting more and more sophisticated, to the point where they’re fooling even security experts. Here's how to avoid them.