Arkansas Democrat-Gazette

Clever hack failed to yield Trump’s tax returns

- ALEX HORTON

The plot hatched by two college students was simple and, if executed, would achieve what Congress has failed to: obtain President Donald Trump’s tax returns.

Trump’s personal finances have been sought by lawmakers and governors alike. In the run-up to the 2016 presidential election, it was a top discussion point on the campaign trail.

Trump has refused to provide his returns, saying they are under audit.

Enter two Haverford College undergraduates.

Justin Hiemstra, 22, and Andrew Harris, 24, watched the political debate over Trump’s returns before the 2016 election and, already familiar with the federal student aid process, began to think about how an online financial-aid site could be a gateway to the returns.

“It was like Beavis and Butthead saying, ‘Hey, let’s get this,’” William Brennan, an attorney for Harris, told The Washington Post on Wednesday, a day after Hiemstra pleaded guilty to two charges of computer-related fraud.

On Nov. 2, 2016, six days before the election, Harris and Hiemstra set out for Haverford College Roberts Hall, wielding login credentials from two other students. They went to work on two university computers, prosecutors said in court filings, with one student telling investigators that Harris discussed releasing the returns to the media if they were successful.

The plan, court filings show, was this: Open a false federal student aid application in the name of a Trump family member, follow a link that redirects to the Internal Revenue Service and retrieve relevant tax-return information.

They immediately hit a wall. Trump already had an ID associated with him, and they needed to reset the password by answering security questions.

Apparently the answers involving one of the most prominent families of the 21st century were easy enough to find on Google. After a search on a separate computer, the questions were successfully answered and the password was reset. Then they entered Trump’s Social Security number, filings show. Another roadblock. “Among other things, they needed the IRS filing status and home address for Trump to gain access to Trump’s tax records and made multiple attempts to answer correctly, but failed,” prosecutors wrote.

The activity was monitored by the IRS and the Department of Education, and the IP logs linked back to Haverford, outside Philadelphia. Thomas Lee, an attorney representing the college, did not return a request for comment.

The students appeared to be aware that this might happen. Hiemstra swiped his student ID at the computer lab and left to swipe at a different building afterward “in an attempt to disguise his whereabouts,” prosecutors wrote.

Hiemstra pleaded guilty to two misdemeanor charges in federal court Tuesday, with a sentencing set for Dec. 16. He faces a maximum sentence of two years in prison and a $200,000 fine, court records show.

His attorney, Michael van der Veen, said Hiemstra took responsibility for his actions in court and lauded him as a Fulbright scholar with no record. The men are “wicked smart” and tech savvy, he said, and tried to crack each other’s computer systems.

“When this idea came up, they saw it as a challenge,” van der Veen said. Hiemstra received his diploma in May but will finish related work next summer, he said, jailtime permitting.

Brennan, Harris’ attorney, said he expects a similar plea deal to occur for his client, but he said he was not certain.

“Gotta dance on it a little bit though, because he can always change his mind,” Brennan said. “You never know until the bell rings.”

Harris was expelled from Haverford in October 2017, about a year after the incident, court records show, but it is unclear why that happened.

While Brennan and van der Veen downplay the breaches as college pranks gone awry, a computer-crime expert said the indication Harris was going to release information to reporters carried a high potential for impact before the election.

“I would consider it activism-related doxing if you believe the intention was to sway people,” said Rob D’Ovidio, an associate professor at Drexel University. “It’s no different from what the Russians were doing.”

Any unauthorized release of sensitive personal information, he said, is permanent and long-lasting. “They’re not pranks,” D’Ovidio said. “People need to realize [security breaches] have serious ramifications.”
