HP CEO Sorry That Spies Prowled And Pretexted
In Hewlett-Packard's most extensive and forthcoming attempt at damage control, president, CEO, and now chair Mark Hurd stepped forward to present a timeline and detailed account of the company's spy scandal.
In Hewlett Packard's most extensive and forthcoming attempt at damage control, President, CEO and now Chair Mark Hurd stepped forward to present a timeline and detailed account of the company's spy scandal.
Hurd appeared at a press briefing Friday afternoon with Michael Holton, a lawyer Hurd retained about two days after details of HP's probe went public. Hurd asked Holton's firm, Morgan Lewis, to examine thoroughly HP's role. The examination found that HP employees participated in some questionable activities, including at least one instance of using a social security number to obtain phone records through pretexting.
California Attorney General Bill Lockyer said pretexting, the act of pretending to be an account holder to obtain phone records, is illegal in his state. Federal laws are less clear, but that has not stopped the U.S. Department of Justice from looking into HP's role in pretexting.
In a stern tone of voice, Hurd said Friday that he feels "very strongly that leaks hurt the company's reputation and its ability to operate effectively."
"It was the responsibility of the HP Chairman to pursue the leak situation," he said. "This was taken very seriously and this was an appropriate course of action."
Hurd apologized to journalists and others affected by the probe and reiterated that it has nothing to do with his company's strategy or business goals. He also stressed that the probe does not reflect HP's values.
"Some of the findings that Morgan Lewis has uncovered are very disturbing to me," he said. "The people of HP don't deserve this nor do any of the people who were impacted."
Hurd said he could not guarantee that he will ever have all of the facts because of the number of people outside of HP who were involved in the probe.
"The more I look into it, the more complicated it becomes," he said. "As of today, we still do not have all of the facts."
Hurd said he takes full responsibility "for getting this right," and HP issued a series of statements regarding the probe.
Morgan Lewis, now representing HP in all federal and state inquiries related to the probe, has obtained more than 1 million pages of documents relating to the probe. Holton said the firm is continuing to review those documents.
"Certain HP executives and employees assisted in, or were knowledgeable about the investigation," he said. "It is now clear that the investigation included tactics that ranged from the review of HP's internal emails and instant messages, to the physical surveillance of an HP Board member and at least one journalist, to the "pretexting" of telephone call information of board members, HP employees and journalists." ***The Probe's Supervision, And Lack Of***
Holton said HP's investigation into media leaks of confidential company information began in early 2005. He said Chairwoman, Patricia Dunn, who resigned Friday, had contacted Security Outsourcing Solutions, Inc., (SOS) a company HP had used in the past. For the first month, Dunn worked with SOS investigator Ronald DeLia to find out how Business Week, The Wall Street Journal and The New York Times were obtaining company information. That was the first phase of an operation named "Kona," for Dunn's Hawaii vacation home.
Within two months, HP Global Security began assisting with the probe. In July 2005, Dunn, HP General Counsel Ann Baskins, HP Global Security Chief Jim Fairbaugh, Global Investigations Manager Tony Gentilucci and DeLia met for a briefing, Holton said. Hurd also attended a portion of the meeting, according to Holton's account.
The source of the leaks was not identified and a second phase, called "Kona II," began in January of 2006, in response to a CNET story, Holton said.
DeLia, Gentilucci, HP Global Security Senior Investigator Vincent Nye, and HP IT Security employee Fred Adler formed a "core" team to conduct the second phase. HP Senior Counsel Kevin Hunsaker served as the team leader, according to Holton.
"In the second phase, while many of the right processes in were place, they unfortunately broke down and no-one in the management chain including me, caught them," Hurd explained Friday.
Dunn, Hurd, Baskins and Fairbaugh knew that the team had formed and was investigating the leaks. Dunn and, to a lesser extent, Baskins received regular updates.
"Members of the investigation team provided assurances that the techniques being used in the investigation were legal," Holton said. "Those assurances came from, among others, Kevin Hunsaker, SOS and SOS's outside legal counsel in Massachusetts."
Hurd said that, as he recalls, investigators told him in February 2006, that they intended to send an email containing false information to identify the source of the leaks.
"I was asked to, and did approve the naming convention that was used in the content of that email," he explained. "I do not recall seeing nor do I recall approving the use of tracer technology."
In March 2006, the team prepared a draft report identifying the source of the media leaks, according to Holton.
"The report identified the source of the leaking and outlined the investigative techniques employed -- including pretexting -- with assurances that those techniques were lawful," Holton said.
Hurd said he attended a meeting and received a verbal summary of the second phase of "Kona," which focused on the fact that the investigative team had identified the source of the leaks.
"I understand there is also written report of the investigation addressed to me and others but I did not read it," he said. "I could have, and I should have."
In April 2006, HP provided a copy of the draft report to its outside corporate counsel for review and comment, Holton said. The results of the investigation were reported on at the May 18, 2006 board meeting, he said.
"On May 24th, Kevin Hunsaker produced a final report of the investigation," Holton said. "We are not currently aware of any investigation into leaks continuing after May 18, 2006." ***What Spy Techniques Were Considered and Used***
The spy techniques that investigators used included pretexting, the use of social security numbers to obtain private records, physical surveillance and the deployment of an e-mail tracer in an email from a fictitious person with a bogus news tip. HP employees were directly involved in some of the methods, according to Holton.
Investigators considered placing spies in newsrooms by having them obtain jobs as clerks or cleaners but decided against that course of action. It is unclear how and why that method was discarded while others -- now under federal and state investigation -- were used.
"Information regarding hundreds of telephone calls was obtained through pretexting," Holton said. "We are trying to respect the privacy of the individuals involved and thus we will not be disclosing the identity of the individuals investigated. HP fully intends to provide each person with detailed information about the information obtained about them and the methods used for obtaining such information."
Holton said he has evidence that SOS, directly or indirectly, obtained telephone (landline or cell) or facsimile call information through pretexting. Those records include calls made to and from the phones of two current HP employees, seven former or current HP board members (or their family members) and nine journalists, or family members of some journalists.
"I want to stress that to the best of our knowledge, this activity was conducted by an outside investigator," he said. "As a result, it has been difficult for us to obtain all of the relevant documentation so far."
In January 2006, Gentilucci, HP's global investigations manager and a core investigative team member, provided an HP employee's social security number to SOS, Holton said.
"We believe this was done for the purpose of obtaining telephone call information through pretexting," Holton said.
SOS also obtained and transmitted social security numbers to the Action Research Group, a subcontractor of SOS. Holton said it appears that the personal identification numbers were used to obtain phone records through pretexting as well. It also appears that social security numbers were used to obtain information about at least three journalists, three current or former HP board members and one HP employee, Holton said.
"It is unclear what involvement, if any, HP employees had in obtaining and/or transmitting this information to SOS," he said.
In January 2006, investigators also used a tracer, which is frequently used by companies trying to understand the behavior of their customers. They can be used to obtain information, including the IP address of the person who downloads the tracer.
Investigators pretended to be a disgruntled HP executive offering a news tip to a reporter. They embedded a tracer in an e-mail with the supposed story tip to see if the journalist would forward it to her source. The reporter, Dawn Kawamoto, of CNET, did not write about the bogus story. Holton said evidence suggests that investigators never received confirmation that Kawamoto ever activated the tracer. Reporters do not routinely share information from one confidential source with another.
"The concept of sending the misinformation to the reporter and the content of the misinformation to be contained in the message of the email was approved by Mark Hurd," Holton said. "We have found no evidence that he was asked to approve the use of the tracer."
SOS investigators prowled for journalists at board meetings. They followed a board member to Colorado, where they had him and "potentially other family members who were at the board member's residence in California" under surveillance. They also snooped and spied on a journalist at her home.
"We also have evidence that in February 2006, third party investigators may have conducted a search of individuals' trash," Holton said. "However, at this time, we do not know who the targets of these efforts were."
The good news for HP is Morgan Lewis' investigation did not turn up any evidence that HP employees authorized or had knowledge of any use of online accounts created or used to obtain telephone call information. Holton also said that there is no evidence that phones were wiretapped or that keystroke loggers were used.
In trying to discern how others obtained valuable HP information, it appears the company's investigators did stop short of entering another business to obtain that business' valuable information. Holton said that, although investigators considered it, no spies posed as cleaning people or clerks to sneak into publishing offices and gain access to writers' information.
***After The Media Leak Probe***
Hurd said that he got involved around the time he received an e-mail, after the May 18 board meeting, during which Tom Perkins resigned in protest of the probe. Hurd then hired Morgan Lewis to review the probe. This week, Hurd volunteered to speak at an upcoming congressional hearing on HP's probe and the related use of pretexting.
The company also appointed Bart M. Schwartz, a former U.S. prosecutor, as counsel, to perform an independent review of investigative methods and the company's Standards of Business Conduct processes. He will make future recommendations for implementing best practices. He will report his findings and recommendations to Hurd and to Bob Wayman, HP chief financial officer.
Since the scandal broke, HP has amended its bylaws at least twice, once to reduce the number of board members from 11 to nine. Friday, the company lowered the number to eight.
The company stated that it is also cooperating with investigations by the enforcement division of the U.S. Securities and Exchange Commission and the U.S. Department of Justice.
Finally, HP stated that it is "seeking to take appropriate action in connection with the investigation into leaks from its boardroom."
"We have spent the past few weeks getting further clarity as to what happened in the investigation into the disclosure of unauthorized material from the board," Hurd said. "While this process is not yet complete, it is clear that inappropriate steps were taken in conducting this work. I wish to apologize both personally and on behalf of HP to each of those who were affected. We believe these unacceptable measures were isolated instances that do not reflect the broader behavior and values of HP, its employees or its board. But they cannot occur here again. Our actions today are intended to ensure that they never do."
The company's latest moves came after media questioned whether Hurd, who had turned the company around, had played a bigger role than previously thought. That sent HP stocks tumbling 5.19 percent Thursday in their first drop in more than six months. The stocks recovered 0.69 percent Friday to close at $35.11.
About the Author
You May Also Like
2024 InformationWeek US IT Salary Report
May 29, 20242022 State of ITOps and SecOps
Jun 21, 2022