The plot hatched by two college students was simple and, if executed, would achieve what Congress has failed to do: obtain President Trump’s tax returns.
Trump has refused to provide his returns, saying without evidence that they are under audit.
Enter two Haverford College undergraduates.
Justin Hiemstra, 22, and Andrew Harris, 24, watched the political debate over Trump’s returns before the 2016 election and, already familiar with the federal student aid process, began to mull how an online financial aid site could be a gateway to the returns.
“It was like Beavis and Butt-Head saying, ‘Hey, let’s get this,’ ” William J. Brennan, an attorney for Harris, told The Washington Post on Wednesday, a day after Hiemstra pleaded guilty to two charges of computer-related fraud.
On Nov. 2, six days before the election, Harris and Hiemstra set out for Haverford College’s Roberts Hall, wielding login credentials from two other students. They went to work on two university computers, prosecutors said in court filings, with one student telling investigators that Harris discussed releasing the returns to the media if they were successful.
The plan, court filings show, was this: Open a false federal student aid application in the name of a Trump family member, follow a link that redirects to the Internal Revenue Service and retrieve relevant tax return information.
They immediately hit a wall. Trump already had an ID associated with him, and they needed to reset the password by answering security questions.
Apparently the answers involving one of the most prominent families of the 21st century were easy enough to find on Google. After a search on a separate computer, the questions were successfully answered and the password was reset. Then they entered Trump’s Social Security number, filings show.
“Among other things, they needed the IRS filing status and home address for Trump to gain access to Trump’s tax records and made multiple attempts to answer correctly, but failed,” prosecutors wrote.
The activity was monitored by the IRS and the Department of Education, and the IP logs linked back to Haverford, outside Philadelphia. It is unclear from court filings which Trump family member was in the federal student aid system.
The students appeared aware this might happen. Hiemstra swiped his student ID at the computer lab and left to swipe at a different building afterward “in an attempt to disguise his whereabouts,” prosecutors wrote.
Hiemstra pleaded guilty to two misdemeanor charges in federal court Tuesday, with a sentencing set for Dec. 16. He faces a maximum sentence of two years in prison and a $200,000 fine, court records show.
His attorney, Michael van der Veen, said Hiemstra took responsibility for his actions in court and lauded him as a Fulbright scholar with no prior record. The men are “wicked smart” and tech savvy, he said, and tried to crack each other’s computer systems.
“When this idea came up, they saw it as a challenge,” van der Veen said. Hiemstra completed coursework for his degree but has not yet received his diploma, which is contingent on overseas language instruction, said Thomas H. Lee, an attorney representing Haverford.
It was Lee’s understanding a plea deal for misdemeanors helped ease travel restrictions, as opposed to a felony conviction, he said.
Harris was expelled from Haverford in October 2017, about a year after the incident, court records show. Lee declined to say why he was expelled.
Brennan, Harris’s attorney, said he expects a similar guilty plea deal to occur for his client, but he said he was not certain.
“Got to dance on it a little bit though, because he can always change his mind,” Brennan said. “You never know until the bell rings.”
While Brennan and van der Veen downplayed the breaches as college pranks gone awry, a computer crime expert said the indication Harris was going to release information to reporters carried a high potential for impact before the election.
“I would consider it activism-related doxing if you believe the intention was to sway people,” said Rob D’Ovidio, an associate professor at Drexel University. “It’s no different than what the Russians were doing.”
Any unauthorized release of sensitive personal information, he said, is permanent and long-lasting. “They’re not pranks,” D’Ovidio said. “People need to realize [security breaches] have serious ramifications.”