Trump’s $10B IRS Lawsuit: Tax Data Breach & the Privacy Question

2026-02-21

Trump v. IRS: A $10 Billion Claim for Unauthorized Disclosure of Tax Returns

On January 29, 2026, President Donald Trump, his sons Donald, Jr., and Eric, and the Trump Organization filed a complaint in the United States District Court for the Southern District of Florida against the Internal Revenue Service and the Department of the Treasury. The sum demanded: at least ten billion dollars. The basis: the systematic, years-long violation of tax return confidentiality by an I.R.S. contractor named Charles “Chaz” Littlejohn, who—as established in criminal proceedings—sought employment with the tax authority for the sole purpose of gaining access to the then-President’s returns and leaking them to the press in an unauthorized disclosure of unprecedented scale.

The case is unprecedented not merely for the size of the damages claim. It touches one of the deepest paradoxes of the modern fiscal state: the more data the government collects, the larger the attack surface—and the graver the consequences when protection fails.

The standard response to a tax data breach is to call for better data protection. More encryption, more audits, more protocols. It is a comprehensible response—and a fundamentally insufficient one. Because the real question is not “How do we better secure citizens’ tax data?” It is: “Why does the state collect so granular a portrait of every person’s financial life in the first place?”

Orwell’s telescreens were devices that could not be switched off—machines that transmitted a citizen’s every movement to the central apparatus of power. Modern tax systems operate on the same principle, with one notable distinction: the citizen supplies the surveillance material himself, because the law compels him to. Income, expenditures, assets, liabilities, charitable donations, medical expenses, financial transactions, employment history—all of it flows into government databases not because the citizen has consented but because refusal carries penalties. The tax system is the largest compulsory personal-data-collection program in the history of civilization. And, as the case of Trump v. I.R.S. makes plain, the system cannot protect what it extracts.

 

How Charles Littlejohn Stole the Tax Data of 400,000 Americans

Littlejohn was not an accidental bureaucrat who succumbed to temptation. The record in United States v. Littlejohn (Case No. 1:23-cr-00343, D.D.C.) and his deposition testimony in Griffin v. I.R.S. paint the portrait of a man who treated his employment in the tax apparatus as an intelligence operation—a textbook case of an insider threat within a government data system.

In 2017, Littlejohn applied to two consulting firms that held federal I.R.S. contracts, deliberately seeking a position that would grant him access to unmasked taxpayer data. As his own attorney later revealed, “he actually applied to two different consulting firms that might put him on a project to access the President’s tax returns, and Booz Allen chose to rehire him.” By February, 2018, he had unrestricted contractor access to I.R.S. databases—including the complete tax returns of the President of the United States, his family, and more than four hundred thousand of the nation’s wealthiest individuals. (The I.R.S. later confirmed to Congress that 405,427 taxpayers were affected, eighty-nine per cent of them business entities.)

The methodology of the breach reveals fundamental gaps in I.R.S. technical and administrative safeguards—but also something deeper: the sheer scale of data that the system stores and makes available to its operators. According to federal prosecutors, Littlejohn used broad search parameters to disguise the true purpose of his queries. He employed virtual machines to circumvent protocols designed to detect bulk data downloads. He saved confidential tax returns to a personal iPod. He created private Web sites on I.R.S. computers—and no data-loss-prevention (DLP) system blocked him. As he testified, the I.R.S. “did not block creating a private website” on its own equipment. Before proceeding with the actual operation, he ran a test: he uploaded an image file to a site he controlled. It worked. The entire process of extracting the confidential tax data of the President of the United States took him, by his own account, “a few hours.”

What followed had the contours of a spy thriller. Littlejohn personally handed materials to New York Times reporters at a conference center on the Gallaudet University campus. In July, 2019, he met with the reporters and their editor at a safe house in New York City. In October, 2019, he delivered a flash drive containing years of returns and allowed the Times to download them. In September, 2020, he contacted ProPublica, mailing the data on a password-protected storage device by ordinary post.

It took the I.R.S. three years to detect the data security breach. Three years during which information protected by Section 6103 of the Internal Revenue Code circulated freely through newsrooms, safe houses, and thumb drives. The delay in breach notification to affected taxpayers was longer still—the I.R.S. did not begin sending notices until 2024. The question that presents itself is not so much about the quality of the locks as about the wisdom of keeping so valuable a prize in a single vault.

Political Motivation Behind the IRS Data Leak: The Ideologue with Root Access

In Nineteen Eighty-Four, Orwell described a society in which thoughtcrime—the mere possession of unapproved beliefs—was punishable by the state. Littlejohn inverted this logic: it was not the state punishing him for his convictions but he—armed with those convictions and access to government databases—punishing citizens for who they were.

In his deposition, Littlejohn stated plainly that he considered Trump “dangerous” and a “threat to democracy,” and that the unauthorized disclosure was, in his view, a necessity dictated by political “norms.” Asked whether he intended harm, he answered with disarming candor: “Less about harm, more just about a statement. I mean, there’s little harm that can actually be done to him, I think. He’s shown a remarkable resilience.” He also admitted that he “felt that the American people should have the opportunity to see the tax returns of the sitting President before they decided on how they were going to vote”—revealing that his objective was to influence the outcome of the 2020 Presidential election.

At sentencing, Judge Ana C. Reyes of the United States District Court for the District of Columbia found that Littlejohn had, “again and again and again,” taken the law into his own hands, and that, “despite what Mr. Littlejohn argues, I find it implausible that he did not intend to harm at least some taxpayers.” The judge went further, stating that Littlejohn’s actions constituted “an attack on our constitutional democracy” that “engenders the same fear that January 6 does.” The prosecution’s summation was precise: “All Americans are obligated to provide an enormous amount of financial information about their private lives to the IRS—to the government. And in exchange, in turn, what we expect from the government and what we expect from the IRS is that they will secure the data. They will protect the data. The defendant’s crime undermined that faith. It undermined that trust.”

But notice the structure of the prosecutors’ argument. Its premise—“All Americans are obligated to provide”—is treated as an axiom, an unchallengeable precondition. The prosecutors do not ask whether the scope of the mandatory tax reporting obligation is proportional to its purpose, or whether the state ought to possess so fine-grained an image of its citizens’ financial lives. They ask only whether the safeguards were adequate. It is as though, after a burglary of a vault, one were to discuss exclusively the quality of the locks—never whether storing all the gold in one place was prudent.

Littlejohn received five years in federal prison—the statutory maximum under 26 U.S.C. § 7213(a). Five years for stealing the financial data of more than four hundred thousand citizens and attempting to sway a Presidential election. For comparison, Section 1030 of the Computer Fraud and Abuse Act provides for up to twenty years for unauthorized access to federal-government computer systems. The disproportion between the penalty and the scale of the offense is itself evidence that the legislature—in designing a system that compels unprecedented disclosure—did not anticipate what would happen when someone treated the resulting data as a political arsenal.

Section 6103, Section 7431, and the Joint Employment Theory: The Legal Foundations of the Lawsuit

The Trump complaint rests on two legal pillars whose analysis carries fundamental implications for the future of taxpayer data confidentiality protection in the United States.

Section 6103 violation and Section 7431 damages. Section 6103 of the Internal Revenue Code establishes the absolute confidentiality of tax returns and prohibits their disclosure by officers, employees, and contractors. Section 7431 affords aggrieved taxpayers a private right of action for damages against the United States.

The critical legal issue is Littlejohn’s status and the joint employment test. Formally, he was a contractor employed by Booz Allen Hamilton, not an I.R.S. officer. The complaint argues, however, that the I.R.S. exercised “extensive, detailed, day-to-day supervision” over his work—managing the scope of his tasks, monitoring his technical performance, controlling the parameters of his data access, and possessing the authority to discipline and terminate him. Littlejohn himself testified that working at the I.R.S. was his “full-time job” and that his supervisor was Paul Wight, a supervisory management and program analyst at the Department of the Treasury.

This argument already has a precedent. In Griffin v. I.R.S. (Case No. 22-cv-24023, S.D. Fla.), the same court denied in part the government’s motion to dismiss, holding that the factual circumstances supported a “plausible inference that Littlejohn was an employee of the United States.” The Griffin case—brought by Citadel CEO Ken Griffin, one of the affected taxpayers—settled in June, 2024, with the I.R.S. issuing a public apology to Griffin “and the thousands of other Americans” affected by the breach.

Privacy Act violation (5 U.S.C. § 552a). The second pillar concerns the Privacy Act, which imposes on federal agencies the obligation to establish appropriate administrative, technical, and physical safeguards for systems of records containing personal data. Reports by the Treasury Inspector General for Tax Administration (TIGTA), spanning the years from 2010 to 2020, document a pattern of security audit warnings that went unheeded. In 2020, TIGTA disclosed that fifty-four per cent of audited I.R.S. employees had unnecessary access to the Centralized Authorization File, and that the agency “could not provide an accurate inventory of all applications that store or process taxpayer data.”

Cascade disclosure theory and damages calculation. The damages theory is aggressive. The plaintiffs contend that every individual viewing of the disclosed information—by every reader of the Times or ProPublica—constitutes a separate “disclosure” within the meaning of Section 7431, generating a thousand dollars in statutory damages per act. At millions of article views, the ten-billion-dollar figure has a mathematical basis. The plaintiffs cite Snider v. United States (8th Cir. 2006), in which the court held that “direct disclosures to multiple persons multiplies the harm to the taxpayer—one disclosure to two people counts as two separate disclosures.”

Additionally, the plaintiffs seek punitive damages under Section 7431(c)(1)(B)(ii), arguing that the I.R.S.’s conduct was willful or the result of gross negligence. Among the aggravating circumstances, they point to the overtly political character of the disclosures, the targeting of a sitting President, the intent to influence an election, and the agency’s years-long disregard of its own security audits.

Statute of Limitations, Collusive Litigation, and the Conflict of Interest: Counterarguments to Trump v. IRS

On February 5, 2026, a group of former high-ranking officials—among them John Koskinen, a former I.R.S. Commissioner, and Nina Olson, the former National Taxpayer Advocate—filed an amicus brief challenging the suit’s foundations. (Common Cause joined separately with a brief raising similar concerns.) Their arguments deserve serious consideration.

Statute of limitations on the tax claim. Section 7431(d) establishes a two-year window for bringing a claim. The Times published its key articles in September, 2020. The complaint was filed in January, 2026—more than five years later. The plaintiffs parry by invoking Section 7431(e): the Secretary of the Treasury is required to notify a taxpayer “as soon as practicable” whenever any person is criminally charged in connection with the disclosure of that taxpayer’s returns. Trump received such notice only on January 29, 2024. Eric Trump and Donald, Jr., on December 16, 2024. The Trump Organization continued receiving notices for four hundred and eighteen entities as late as May, 2025. The pivotal legal question—whether the limitations period begins to run from the moment the breach becomes publicly known or from the date of formal I.R.S. notification (the discovery rule versus the notification trigger)—could carry precedential weight for thousands of other affected taxpayers.

Proper defendant and contractor status. The amicus brief argues that claims arising from the conduct of a non-employee must be brought against that individual directly, not against the federal government. This, however, stands in tension with the ruling in Griffin, where the court found sufficient indicia of an employment relationship.

The paradox of collusive litigation. This is the most intriguing argument. The sitting President is suing the government he leads. Who will defend the interests of the I.R.S.? The Department of Justice reports to the President. The Attorney General is his appointee. A situation in which the plaintiff controls, indirectly, the party defendant raises fundamental questions about the adversarial integrity of the proceeding. The amicus brief calls it, without equivocation, “collusive litigation.” The New York Times described the arrangement as creating an “enormous conflict of interest.”

The problem of proving financial injury. David Gair, a partner at Troutman Pepper Locke, observes that Trump’s net worth appears to have increased since the leaks—complicating any claim of actual damages. At the same time, a ten-billion-dollar judgment would fall on an agency that, following the Department of Government Efficiency’s involvement across the federal government, has already lost a substantial share of its funding and staff. Gair captures the irony neatly: “It’s hard to build roads if you don’t have funds going into it.”

Global Tax Data Breaches: From the IRS-ICE Scandal to Indonesia, Ecuador, and Argentina

The Trump case, for all its spectacle, is not an isolated phenomenon. It is, rather, the most conspicuous manifestation of a global tax data privacy crisis. And the pattern recurs with striking regularity: the state first compels disclosure, then fails to secure the data, and finally—in the best case—apologizes.

 

The IRS-ICE Taxpayer Data Sharing Scandal (2026)

In the United States itself, the problem does not end with Littlejohn. In February, 2026, the I.R.S. acknowledged improperly sharing taxpayer data on 47,289 individuals with Immigration and Customs Enforcement—including home addresses that fell outside the scope of the agencies’ data-sharing agreement. A federal judge had barred such transfers in November, 2025; the I.R.S. continued the practice in violation of Section 6103 regardless. Representative Jimmy Gomez called it “an attack on the idea that your tax information is private.” The case represents a textbook instance of mission creep: data collected for the purpose of tax administration repurposed, without the citizen’s consent, for immigration enforcement. If the state can do this with immigrants’ data, it can do it with anyone’s.

 

Indonesia: 6 Million Taxpayer Records Breached (2024)

In Indonesia, records of more than six million taxpayers leaked from the Directorate General of Taxes in September, 2024—including the personal data of President Jokowi and his sons, offered for sale on a hacking forum for ten thousand dollars. Research published in 2025 found systemic failures: inadequate access controls, no Data Protection Impact Assessments (DPIAs), and deficient breach notification procedures.

 

Ecuador: Novaestrat Server Exposes Entire Population (2019)

In Ecuador, an unsecured server in Miami owned by the marketing firm Novaestrat exposed the data of 20.8 million people in 2019—more than the country’s total population—including tax-identification numbers, bank-account balances, and employment histories. Despite enacting a personal data protection law immediately after the incident, Ecuador had imposed zero sanctions by 2025—the result of effective tech-industry lobbying that stripped the legislation of meaningful enforcement mechanisms.

 

Argentina: Systemic Tax Data Abuse

In Argentina, the problem is systemic. A leak of tax-amnesty data in 2017 prompted the dismissal of the deputy director of systems at the federal tax authority AFIP. In 2023, prosecutors revealed a massive illegal surveillance operation in which a former police officer, aided by a tax agency employee belonging to the zealously Peronist La Cámpora faction, compiled dossiers on more than a thousand public figures—including both Presidential candidates—weeks before the election. And in late 2025, the catastrophic Sudamérica Data breach sent more than a terabyte of records to the dark Web, including AFIP/ARCA tax authority databases covering sixty thousand records, social-security data from ANSES, salary information, and current tax filings.

 

South Korea, Greece, Russia, Turkey: Other Threat Vectors

In South Korea, tax-authority leaks of confidential taxpayer data targeting celebrities have recurred for more than a decade—from TV presenter Kang Ho-dong in 2011 to K-pop star Cha Eun-woo in February, 2026, when the Korea Taxpayers Association filed a criminal complaint against unnamed tax officials and the journalist who first reported details of a confidential audit.

In Greece, the saga of the “Lagarde List”—a roster of nearly two thousand Greeks holding accounts at HSBC Switzerland—became a political thriller: data transmitted by France to Greek Finance Minister George Papaconstantinou in 2010 mysteriously disappeared inside the bureaucratic maze, and when journalist Kostas Vaxevanis published the names, triggering a political crisis, the former minister was subsequently prosecuted for allegedly tampering with the document—charges he denied, claiming he was “a victim of a vicious plot.”

In Russia, the trajectory runs in reverse but toward the same end: instead of protecting data, the state monopolizes it. In December, 2025, the Duma passed legislation granting the F.S.B. the right to copy any private database without a court order, effective April, 2026. In Turkey, counter-terrorism-financing mechanisms have been conscripted for the persecution of exiled journalists—Ankara places their names on sanctions lists alongside members of Al Qaeda and ISIS, triggering the freezing of their bank accounts in third countries.

Each of these cases represents a different threat vector: insider breach, technical vulnerability, political instrumentalization, inter-agency sharing, monopolization by intelligence services. But all share a common denominator: the state amassed data it could not protect, did not wish to protect, or deliberately deployed in ways incompatible with the stated purpose of collection.

 

Data Minimization and Tax System Design: The Question No One Is Asking

The standard response to crises of this kind is to prescribe more safeguards. Better encryption. Stricter procedures. More frequent security audits. It is a technically correct response and a conceptually sterile one—the equivalent of proposing better locks for a door that, one might argue, should not exist.

The principle of data minimization—collect only what is necessary to accomplish a specific, legally justified purpose—is a foundation of modern data-protection law. The European Union’s General Data Protection Regulation enshrines it explicitly as one of its general principles (Article 5(1)(c)). But the principle is, in practice, not applied to tax systems, which are treated as a sui generis exception: since the state must collect taxes, it must know everything.

Yet “everything” is a spectrum, not a point. Does the state need to know a citizen’s charitable donations in order to collect his tax? Does it need to know his medical expenses? His credit-card-transaction history? The ownership structure of every investment vehicle? The answer depends on the fiscal model adopted—and those models are designed as though the costs of collecting and securing data were zero.

They are not. The Littlejohn case is the proof—not as an anomaly but as the logical consequence of a system that demands maximum transparency from the citizen vis-à-vis the state and then entrusts that data to contractors, subcontractors, and bureaucrats over whom control—as TIGTA demonstrated through years of ignored warnings—is fictive.

The more data the state collects, the greater the value of the prize for a potential intruder—and the higher the cost of protection. The more granular the data, the greater the harm in the event of a breach. The broader the category of persons with access, the harder the oversight. This is not a technical problem amenable to a software update. It is a structural problem, built into the very architecture of a fiscal system predicated on comprehensive reporting.

Alternatives exist. Tax systems based on consumption taxes—a flat tax, the FairTax proposal, a value-added tax—require fundamentally less personal data than progressive income-tax systems with hundreds of deductions and credits. Estonia’s corporate-income-tax model—taxing only the distribution of profits—eliminates the need for annual reporting of the full structure of corporate revenues and expenses. Every simplification of the tax code is simultaneously an act of privacy protection, because it reduces the volume of data that the state must collect, store, and secure.

This is not an argument for fiscal anarchy. It is an argument for proportionality—for the recognition that every datum extracted from a citizen by the state simultaneously creates an obligation to protect it and a risk of its misuse, and that this calculus ought to be weighed in the design of tax systems rather than treated as an externality.

The Tax on Trust: Why Fiscal Privacy Is a Structural Problem

Orwell described a world in which Big Brother collected information about citizens in order to control them. The modern fiscal state inverts this relationship: it is the citizen who is obliged to make a periodic financial confession, disclosing not only how much he earned but how he lived—whom he helped, what ailments he suffered, what he invested in, whom he trusted. And the state—as Trump v. I.R.S. and dozens of analogous cases around the world demonstrate—cannot guarantee that this compelled confession will remain between the confessant and the confessor.

A ten-billion-dollar lawsuit. The paradox of a President suing his own government. Booz Allen Hamilton contracts cancelled years after the breach. Three years of undetected exfiltration of the most sensitive financial data of the most prominent individual in the country. These are symptoms. The disease is a system that demands unconditional transparency from the citizen toward an institution that—repeatedly and demonstrably—is neither able nor willing to reciprocate that trust.

In Nineteen Eighty-Four, the telescreens could not be turned off. Modern tax systems offer the same feature—with the difference that the citizen installs them himself, each April, as he fills out the next round of forms. And with the same hope with which Winston Smith whispered into his diary: that someone, someday, would read it.

Someone did. His name was Charles Littlejohn.