The US Treasury Department recently announced that it is cancelling all of its contracts, reportedly valued at $21 million, with technology provider Booz Allen Hamilton (BAH) due to an insider incident that occurred between 2018 and 2020. The incident resulted in the theft of tax return data for more than 400,000 US taxpayers and the release of tax information about high-net-worth individuals, including US President Donald Trump, Amazon founder Jeff Bezos, and Tesla CEO Elon Musk, to media outlets.

Court records indicate that Charles Littlejohn was charged with one count of disclosing tax return information without authorization. While employed by BAH as a government contractor working for the IRS, Littlejohn accessed tax records for wealthy individuals and provided some of those records to media outlets between 2019 and 2020. Littlejohn pleaded guilty in October 2023 and was sentenced to 5 years in federal prison in January 2024. 

Insider Incident Or Targeted Attack? 

According to reports, Littlejohn sought out his role at BAH with the purpose of gaining access to tax information about wealthy US taxpayers. Journalist Kim Zetter reported that Littlejohn’s attorney said that “he actually applied to two different consulting firms ‘that might put him on a project to access the President’s tax returns’ and Booz Allen chose to rehire him.” While employed by BAH, Littlejohn allegedly: 

  • Searched IRS databases and concealed his queries by using broad search parameters. 
  • Circumvented IRS controls designed to limit data downloads. 
  • Saved the data to a personal iPod. 
  • Uploaded the tax return data to a private website. 
  • Leaked the data to media outlets. 
  • Deleted information to cover his tracks. 

Federal prosecutors assert that Littlejohn was motivated by political ideology. Court filings contend that Littlejohn “weaponized his access to unmasked taxpayer data to further his own personal, political agenda, believing that he was above the law.” He allegedly believed that he was serving the country by stealing and releasing this sensitive tax information on rich and powerful individuals.

This case serves as a warning to consultancies, government agencies, and private companies that politically motivated individuals will go to great lengths to gain access to their sensitive data and systems in order to carry out their agendas.

Protect Against Insider Risk And Weaponized Insiders 

Forrester data shows that 22% of data breaches are the result of insider incidents. As demonstrated in the case of Charles Littlejohn, the impacts of an insider incident can be severe and costly. 

Common outcomes of insider incidents include: 

  • Fraud and financial gain. 
  • Intellectual property theft. 
  • Sabotage and destruction. 
  • Snooping, leaking, and doxing. 

Ideology is a common motivator for insider incidents. Other motivators include factors like financial distress, disgruntlement, and revenge. Protecting against malicious insiders requires specific focus since insiders have access to, and insider knowledge about, data and systems. They may even have some knowledge of security controls or be helped by external actors.

It may not be possible to detect every hire with malicious intent, but insider risk management (IRM) starts with the hiring process. Background checks and security interviews can identify some risks. Determined adversaries, however, may not reveal their true motivation before being hired. Finding and stopping these actors requires IRM. 

IRM is an ongoing program to protect against, detect, and respond to insider incidents. Best practices to reduce insider incidents include: 

  • Developing a dedicated IRM function. 
  • Controlling access to sensitive information and systems, following Zero Trust principles. 
  • Looking for signs employees are under financial distress, are disgruntled, have grievances with coworkers or managers, disagree with company policies, or are exhibiting signs of outside influence. 
  • Monitoring employee behavior to detect suspicious or abnormal activity (like searches, downloads, or file movement). 
  • Blocking the exfiltration of sensitive information to cloud storage, via email, or to external storage devices. 
  • Having consistent processes in place for investigating and responding to insider incidents that include forensic data capture and chain of custody management. 

Treat all insider incidents (whether accidental or malicious) as if they will end up in court. In the event you have to refer an incident to law enforcement (like the Littlejohn case), you’ll be expected to provide evidence of what happened, so the case can be successfully prosecuted. Even if law enforcement isn’t involved, be ready for potential civil actions.

My colleague Jess Burn and I are speaking about insider incident response at RSAC Conference 2026. Our session is titled, Disgruntled Employees to Deepfaked Identities: Navigating Insider Response. 

Let’s Connect 

Forrester clients can schedule an inquiry or guidance session with me to do a deeper dive on insider risk, learn how to start their own insider risk management program, or discuss incident response best practices.