Over the past several days reports have come to light that indicate that Hewlett Packard‘s investigation into boardroom leaks may have gone too far, including impersonation of HP board member Tom Perkins of well known venture firm Kleiner Perkins Caufield and Byers and now break ins to voice mail boxes of reporters covering the story.
The investigations were initiated after confidential information known only to HP’s board appeared in a CNET News article on January 23rd. According to WIRED News, Perkins and other board members were apparently not informed of the extent of HP’s investigation or the methods being used until May 18, when in a board meeting on that date, Patricia Dunn, chairman of the board of directors, announced that investigators had discovered the identity of the source for the CNET story. The investigation by HP has apparently determined that board member George Keyworth was the source of the leak of confidential information. Keyworth has refused to step down from his board seat, but apparently will be voted out at the next HP board meeting.
Perkins resigned in protest and apparently later requested information on how Dunn identified Keyworth as the leak. Perkins is apparently cruising the Mediterranean in his new $100 yacht the Maltese Falcon and isn’t talking to the press about the incident.
What is really interesting about this case is that investigators hired by HP appear to have broken the law in order to conduct their investigation by using a technique well known to criminals and private investigators called “pretexting”. Pretexting is the practice of getting personal information under false pretenses. According to WIRED News, “Dawn Kawamoto and Tom Krazit of CNET, and Pui-Wing Tam of The Wall Street Journal were contacted this week by the California attorney general’s office regarding allegations that investigators working for HP had impersonated them to obtain their private phone records”. WIRED also reports that as many as seven other reporters’ records may have been improperly accessed including those of a Business Week reporter.
Pretexting isn’t a recent development, but this is the first case of a corporation using pretexting to investigate board members or employees that I’ve heard about. Generally pretexting targets individual consumers and is used as part of identity theft scams. Pretexting works by using easily obtained personal information from which private information is subsequently obtained. For example, a pretexter might call a prospective victim pretending to be from a survey firm to obtain personal information about the victim. Using this information the pretexter then uses it to obtain private information from a financial institution, communications or utility provider, etc. The pretexter pretends to be the victim or someone else with authorized access to the victim’s account. Pretexters are often able to obtain personal information such as Social Security numbers, checking and credit card account numbers, and credit reports. In some cases pretexters can determine the existence and size of savings accounts or investment holdings. It is also possible to directly attack a victim through pretexting, for example by cancelling insurance, terminating utility services, or running up large bills for extra services not required by the true account holder.
According to Information Week, HP claimed in a recent SEC filing that pretexting is “generally not unlawful” but that’s false. The Gramm-Leach-Bliley Act specifically addresses pretexting and makes it an illegal act punishable under federal statutes. Plausible denial? Investigators hired by Dunn apparently subcontracted another firm to actually do the dirty work, so it’s not clear yet who if anyone will be charged in this case.