Man convicted after trying to exploit FAFSA vulnerability


One of the people who took advantage of a cybersecurity flaw in the federal student aid application to attempt to access others’ private tax return information pleaded guilty Monday in a federal court.

Jordan Hamlett, a Louisiana private investigator, faces up to five years in prison and a $250,000 fine for repeatedly inputting Donald Trump’s Social Security number as his own in a Free Application for Federal Student Aid (FAFSA) form last year. Hamlett was using the Internal Revenue Service (IRS) Data Retrieval Tool, which is designed to simplify the federal student aid application process, in an attempt to obtain Trump’s federal tax information from the IRS.

At the time of Hamlett’s six unsuccessful attempts — September 2016 — Trump was the Republican nominee in the U.S. presidential election and had broken from tradition by refusing to release his tax returns; now president, Trump still has not made his tax returns available to the public.

The IRS Data Retrieval Tool — the FAFSA function that allows students to automatically import their tax return information from the IRS — has had a rocky year, not least because of Hamlett’s high-profile abuse of the tool.

In March of this year, the IRS and U.S. Department of Education took the DRT offline due to “concerns that information from the tool could potentially be misused by identity thieves.”

The agencies reinstated the tool on Oct. 1, the same day the FAFSA form became available for college students planning to apply for federal aid for the 2018-19 school year. In the interim, department officials added privacy and security features, limiting which data applicants can see when they directly import their tax information.

“My office, together with our federal, state, and local partners, will continue to aggressively pursue those engaged in the proliferation of identity theft and cybercrime, particularly when involving attempts to fraudulently obtain sensitive information from federal government databases,” acting U.S. Attorney Corey Amundson said in a statement posted to the U.S. Department of Justice’s website.

“Mr. Hamlett’s guilty plea should serve as a warning to anyone who misuses the personally identifiable information of others to access protected computer systems for unlawful purposes: you will be caught and held accountable for your criminal actions,” said Robert Mancuso, special agent-in-charge of the Education Department.