The IRS is notifying more taxpayers impacted by the Littlejohn data breach, where former IRS contractor Charles Littlejohn illegally accessed and distributed private tax information of corporate and wealthy individuals, including former President Donald Trump and other billionaires. Littlejohn also disclosed tax return information of thousands of others. The IRS is required to give notice to any additional victims of the breach, even if their names were not published, and is now doing so. Littlejohn accessed the returns on an IRS database and disclosed the data to certain news organizations.
Littlejohn worked for a government contractor from 2017 to 2021, where he accessed returns and return information dating back over 15 years covering thousands of wealthy individuals and disclosed it. He provided the data to “News Organization 2,” which published over 50 articles using the stolen data. Littlejohn used techniques to conceal his queries and evaded IRS protocols to save the tax returns to personal storage devices. He was charged with disclosing tax return information without authorization and pleaded guilty to unauthorized disclosure, receiving a five-year prison sentence in January 2024.
The IRS is now sending out notifications to taxpayers impacted by the breach, with at least 152 victims identified whose tax information was published by the media. The government notes that Littlejohn disclosed the tax return information of thousands more individuals, but their information was not published. To reach these additional potential victims, the government proposed providing public notice on the Department of Justice website, offering information about the case, court hearings, and significant case-related documents for individual potential crime victims to contact with questions.
Under the tax code, the Secretary of the Treasury must notify taxpayers if a person is criminally charged with unauthorized inspection or disclosure of taxpayer returns or return information. Victims may be able to sue for damages under section 7431, with limitations on the amount of damages based on unauthorized inspection or disclosure of tax information. Littlejohn was an independent contractor, and there are ongoing legal challenges regarding whether taxpayers can sue the United States or the individual responsible for damages.
Taxpayers impacted by the breach are receiving Letter 6613-A, IRC 7431(e) Notification Letter, indicating an IRS contractor was charged with unauthorized disclosure of their tax information between 2018 and 2020. The letter advises taxpayers about the Crime Victims’ Rights Act and provides a link to the website related to the Littlejohn case. Damages in a civil suit may be limited to the greater of $1,000 for each act of unauthorized disclosure or actual damages, with the possibility of the taxpayer being entitled to punitive damages and attorney fees.
Taxpayers concerned about their compromised data are encouraged to consult with a tax professional. The IRS recommends opting into the Identity Protection Personal Identification Number (IP PIN) program to protect against identity theft, specifically related to tax-related identity theft. Taxpayers can obtain an IP PIN online, by phone, or by filing a form by mail or fax. It is essential for everyone to take steps to protect their personal information and prevent identity theft.
