Private investigator pleads guilty to trying to use FAFSA e-vulnerability to get Trump’s tax details

The IRS and Department of Education disclosed the vulnerability, and launched an investigation into possible exploits, in March.

A Louisiana man pleaded guilty Monday to using Donald Trump’s social security number in an attempt to obtain the president’s tax return information online before the 2016 election through a well-known cybersecurity flaw in an IRS tool. Jordan Hamlett, a private investigator, represented the social security number as his own.

The tool he used to make the attempt is the IRS’s Data Retrieval Tool, which is connected to the Education Department’s federal student aid application, the FAFSA. According to the Department of Justice, Hamlett started a FAFSA application using Trump’s social security number in September 2016. The agency has not said how Hamlett obtained this information in the first place.

The Data Retrieval Tool, which was available on and, is key in helping students apply for aid — upon entering a social security number, it would automatically import their parent or guardian’s tax return information to the form. It was taken offline in early March, initially for what the IRS described as “system maintenance” issues. But by late March, the IRS had publicized a vulnerability in the tool and launched an investigation into how many people had been affected by its “questionable use.” While security fixes were made and the DRT was placed back online in October, the information of as many as 100,000 applicants may have been exposed.

Now, it turns out that Trump was among those targeted. It is a high-profile example of what can come of such a vulnerability, especially given President Trump’s ongoing refusal to follow tradition and make his tax return information public.


However, authorities say Hamlett was ultimately unsuccessful.

“Mr. Hamlett’s guilty plea should serve as a warning to anyone who misuses the personally identifiable information of others to access protected computer systems for unlawful purposes: you will be caught and held accountable for your criminal actions,” Robert Mancuso, special agent-in-charge of the U.S. Department of Education, said in a statement.

“My office, together with our federal, state, and local partners, will continue to aggressively pursue those engaged in the proliferation of identity theft and cybercrime, particularly when involving attempts to fraudulently obtain sensitive information from federal government databases,” acting U.S. Attorney Corey Amundson said in his statement.

Hamlett faces five years in prison and, according to the Associated Press, $250,000 in fines after his guilty plea.
