Reports Say H.P. Relied on Its Own Boston Security Unit
SAN FRANCISCO, Sept. 14 — Hewlett-Packard’s search for directors that it suspected had leaked confidential information to the news media relied on an arm of the company’s own security force based in Boston, people briefed on the internal investigation said late Thursday.
The company’s use of its Global Investigations Unit, a Boston-based group responsible for investigating crimes against the company, provides a potentially intriguing geographic link to prosecutors. They have been exploring whether, how and why Hewlett-Packard, the Silicon Valley technology giant, came to rely on information provided by a small detective firm run from a suburban Boston home.
People briefed on the company’s internal investigation say the source of the leak was explored in part by Anthony Gentilucci, who is based in Boston as manager of global investigations for Hewlett-Packard Global Security Services.
Attempts to reach Mr. Gentilucci by phone for comment Thursday evening were unsuccessful. A spokesman for Hewlett-Packard declined to comment.
Mr. Gentilucci is also listed as the president of the New England chapter of the High Technology Crime Investigation Association, a group of Boston-area law enforcement officers, private detectives and corporate security officers.
The treasurer of that group, Kevin M. Mazza, is a senior investigator with Hewlett-Packard. When Mr. Mazza was contacted by a reporter Thursday evening and asked about the leak investigation, he hung up the phone.
California state and federal authorities are investigating Hewlett-Packard’s hiring of private detectives who used illicit methods in obtaining personal phone records to trace leaks. In addition to records of its directors and journalists, those of two employees and several other people were obtained, the company said this week.
Patricia C. Dunn, the Hewlett-Packard chairwoman, has said that she turned to Hewlett-Packard’s head of security in April or May 2005 to trace a news leak from the board. Ms. Dunn has said she asked the help of the company’s general counsel, Ann Baskins, in an investigation of leaks in 2006.
Prosecutors have been examining the role of a small Boston-area private detective firm, Security Outsourcing Solutions. According to the company’s Web site, it serves as a security and private detective agency that provides specialists to other investigators and companies.
The managing director of Security Outsourcing Solutions, Ronald R. DeLia, did not return calls or e-mail messages seeking comment.
Corporate security consultants said that in an internal investigation of this nature, a company would typically wind up relying on a chain of subcontractors to farm out various aspects of the operation.
Hewlett-Packard has not publicly identified the investigators it used, though state authorities say the company has been cooperative.
The trouble for H.P. has centered on the use of a technique called pretexting, which involves impersonating an individual to get access to that person’s calling records from the phone company.
The California attorney general has said that the use of pretexting is illegal in the state and that he expects indictments within and outside the company.
The company has retained a Philadelphia law firm, Morgan, Lewis & Bockius, which specializes in white-collar criminal defense, according to several law journals.
News of the investigation and the methods it entailed became public last week and has resulted in a major shake-up on the Hewlett-Packard board. George A. Keyworth II, a director whom the company identified as a source of disclosures, resigned after Ms. Dunn agreed to step down as chairwoman. He has denied leaking anything confidential to a reporter.
On another front, William S. Lerach, the San Diego plaintiffs’ lawyer, filed a lawsuit Thursday against H.P.’s board and the tiny Boston private investigations firm accusing them of breach of fiduciary duty, waste of corporate assets, abuse of control and violations of other state laws.
Mr. Lerach typically files suit against troubled companies seeking damages because the price of the stock has fallen. But in this instance, Hewlett-Packard’s stock has scarcely been affected.
Posted: Wednesday, September 6 at 04:34 pm CT by Bob Sullivan
Let's get one thing straight, once and for all: Looking at someone else's telephone records without permission is wrong. And illegal.
It is shocking that this basic, obvious conclusion has repeatedly escaped companies, debt collectors, law enforcement officials and, now, one of America's biggest and most respected companies. The story of Hewlett-Packard's boardroom intrigue, which includes spying on directors’ phone records, is a window into a dirty world that should have been cleaned up long ago.
To recap, HP Chairwoman Patricia Dunn was frustrated by leaks coming from another board member, evidenced by anonymous comments that were included in a story published by CNET.com back in January. To find the leaker, she ordered a secret review of board members’ private telephone records. The company hired an outside investigative firm to obtain the records, which it did by using a method called “pretexting.” Then, word came that investigators working for HP also obtained reporters' private phone records.
All last week, the story spun wider, with the California state attorney general, the U.S. Justice Department, and Congress all indicating they were investigating. Then on Tuesday, Dunn said she would step down as chairwoman early next year, and apologized for the incident. She indicated she would remain on the company's board of directors.
Dunn's resignation is hardly the end of the affair, however. That will only come when all of corporate America and all of the investigative underground come to the basic realization that pretending to be someone else to obtain their private information is criminal identity theft.
Reading HP's official explanation for the incident, filed last week with the Securities and Exchange Commission, it's clear that message has not gotten through. The reasoning in the filing is abominable. Let me boil it down for you; parents will recognize the excuse.
"But he said it was OK."
The twisted logic used to justify phone record theft shows why this decade-long attack on personal privacy, this dirty trick, remains so common after years of congressional hearings, dozens of attempts at legislation and a lot of public embarrassment.
By now, you've probably read several stories about "pretexting." Private investigators impersonate consumers and trick customer service representatives into divulging calling records and other personal information. The calls are placed using a false pretext -- hence the name.
Pretext callers become masters of disguise. Many know how to sound like a young woman, or an old man, in order to fool corporate answer desks. Sometimes, the trick is even easier. They just sign up for online billing access at a Web site. Often, all you need is a name and part of a Social Security Number.
Somehow, people who do this have become convinced that it might not be illegal. Clearly, HP was. Here's what its SEC filing said:
"After its review, the (Nominating and Governance) Committee determined that the third party retained by HP’s outside consulting firm had in some cases employed pretexting. The committee was then advised by the committee’s outside counsel that the use of pretexting at the time of the investigation was not generally unlawful (except with respect to financial institutions)."
I love the phrase "not generally unlawful." I will use that the next time I am pulled over for speeding.
Having written about pretexting for some five years, I know how these things go. Back when the inquisition began, someone at HP turned to a PI, who said he could get telephone records that would enable management to find out who had been talking to reporters. At some point, someone with a smidge of ethics asked, "But how do you get them?" and the investigator answered, "from publicly available sources." The conversation ended there.
Someone with a lot of ethics, however, wouldn't stand for that. Board member Tom Perkins resigned in May when he learned of the tactics used to obtain his phone records. His appeal to AT&T for information regarding anyone who looked at his phone records, and AT&T's response, are fascinating reading - courtesy of The Smoking Gun.
But one has to wonder why he was the only one to stand up at that moment. Kudos to Perkins; shame on everyone else in the room.
Consumers can sometimes be fooled into thinking that pretexting isn't specifically illegal -- that perhaps somewhere there is a legal public source for phone record data -- but the timing of this incident is important. The investigation occurred between January and May of this year. Throughout that time, there were numerous news stories in all the national newspapers and on the TV networks about Congress investigating the very behavior HP paid for. In December, a blogger had purchased Democratic presidential candidate Gen. Wesley Clark's cell phone records, starting a firestorm of news coverage. Nearly a dozen bills were introduced in Congress this spring to deal with the problem. A congressional inquiry uncovered embarrassing evidence that law enforcement officials had purchased records from Web brokers using pretext methods.
All that news makes it impossible to argue that directors at a high-tech firm would have no grasp of the fundamental issues at play.
As for the legal vagaries, there really aren't any. Lying about who you are to get access to computer records is a crime. It's hardly new; it's called social engineering in computer hacker circles. It may be clever, but it's wrong, and it's against the law. Hackers like Kevin Mitnick have been sent to jail for social engineering.
Viet Dinh, a former Bush administration Justice Department official, who has been retained as an attorney by Perkins, said HP's "we didn't know" defense is hard to believe.
"I think the prevalence of third party information often dupes an unwitting consumer to think that pretexted records are legal," he said. "But it is hard to see how HP could be unwitting here, when the company's chairwoman apparently custom ordered the fraud. Whether one analogizes the conduct to receiving stolen property or ordering a hit, it is still illegal."
Specifically, Dinh said he felt pretexting also ran afoul of the nation's Computer Fraud and Abuse Act, which makes computer hacking illegal.
"A pretext to obtain records stored on a computer is unauthorized access to that computer, so I think fits squarely within both the colloquial and legal definition of hacking," he said.
A criminal investigation into HP’s pretexting has been opened, according to the California attorney general’s office. Robert Morgester, deputy attorney general in California, said he couldn’t discuss the case. But he agreed that pretexting is clearly illegal.
"If an individual was able to trick their way into a secure network ... through impersonation ... that's hacking by social engineering," he said. "The general rule of thumb is if you are getting into somebody else's network, you are committing a variety of crimes."
Morgester said pretexting could run afoul of two state laws: California's identity theft statutes, which make it illegal to use someone else's personal information to commit a crime, and the state's computer crime laws, which make unauthorized access to databases illegal.
The continued debate about pretexting's legality frustrates Rob Douglas, who operates PrivacyToday.com. Douglas has testified about a dozen times before Congress since 1998 about the problem of pretexting.
"I have absolutely no doubt that this is far more common than anyone wants to believe," Douglas said.
If there was any doubt about that, consider this: The California attorney general's office tells me it is currently investigating six "major" pretexting cases akin to the HP case. And if there's any doubt about the fragility of your personal information and the willingness of companies to abuse it, this story should relieve you of that doubt. If it can happen to a board member at HP, it can happen to you.