Offering a partial mea culpa, but refusing to take questions during a press conference Friday, chief executive Mark Hurd admitted he had known about some aspects of the spying. But what he knew about the possibly illegal practices, and when, remained open questions.
While many of the right processes were in place, unfortunately they broke down and no one in the management chain, including me, caught it, he said.
While Hurd apologized for his company’s behavior, and for the behavior of certain employees and third-party contractors, he shielded himself from much personal blame by saying he had only attended small portions of relevant meetings and had not fully read important documents.
A day earlier, HP’s shares had taken their first significant dip since the story broke two weeks earlier. That was when Hurd’s name first arose in connection with the scandal, so it is perhaps not surprising that he sought to distance himself personally from the investigation on Friday.
HP has now admitted that it paid third-party investigators who used deception to open online phone bill accounts in other people’s names, as well as physically surveilling at least two people and going through the trash of at least one person.
Nine journalists, seven HP directors, two HP employees and various family members were targeted in two investigations, which came in mid-2005 and early 2006.
The actions were designed to smoke out a member of HP’s board of directors who was leaking information to the press. The probes ultimately identified George Keyworth as the leaker. He resigned two weeks ago, after news of the surveillance and hacking broke.
Investigators also tried using a tracing mechanism, most likely a web bug, in faked internal documents that were leaked to a CNet News.com reporter. The company even considered planting spies in the San Francisco newsrooms of the Wall Street Journal and CNet.
The investigations were launched at the instigation of Dunn, and involved at least six other HP employees, including Hurd, one outside contractor and one subcontractor, according to Mike Holston of the law firm Morgan Lewis.
Holston was hired by Hurd on September 8, three days after the scandal started making international headlines. He has been tasked with investigating the methods used to plug the board leak.
He said that two operations, named Kona I and Kona II, took place in early 2005 and early 2005. The first investigation was unsuccessful in identifying the leaker.
The investigations included tactics that ranged from the review of HP’s internal emails and instant messages, to the physical surveillance of an HP Board member and at least one journalist, to the pretexting of telephone call information of board members, HP employees and journalists, he said.
Dunn called first on Security Outsourcing Solutions Inc, an investigations firm headed by on Ron DeLia, based in Boston. SOS had a longstanding contractual relationship with HP, Holston said.
Kona I targeted HP directors and reporters from Business Week, the Wall Street Journal and the New York Times. After two months, DeLia was joined by HP’s internal Global Security division.
The results of the investigation, which were inconclusive, were presented at a July 2005 meeting attended by DeLia, Dunn, general counsel Ann Baskins, chief of global security Jim Fairbaugh, head of global investigations Anthony Gentilucci, and senior counsel Kevin Hunsaker.
Mark Hurd also briefly attended a portion of the meeting, Holston said.
Kona was revived in January this year as Kona II, after Keyworth leaked details of a board retreat to News.com reporter Dawn Kawamoto.
This investigation was headed by Hunsaker. Tony Gentilucci, Vincent Nye and Fred Adler of HP’s security teams were also involved, as was SOS’s DeLia.
As part of Kona II, Kawamoto’s phone records were hacked using her husband’s social security number.
Information regarding hundreds of telephone calls was obtained through pretexting, Holston said. Morgan Lewis has uncovered one instance where, in January 2006, a member of the core investigation team, Tony Gentilucci, provided an HP employee’s social security number to SOS.
Pretexting is a polite way of describing a method of hacking somebody’s phone records by opening accounts in their name. In Kawamoto’s case, and the case of HP director Tom Perkins, among others, the attacker used his targets’ SSNs to hoodwink AT&T’s automated billing web site.
In the US, SSNs are considered unique identifiers, and privacy-conscious individuals will never reveal them, for fear of identity theft. SSNs of three reporters, three HP directors and two HP employees were used in the attacks.
While HP obviously has access to its employees’ and directors’ SSNs, neither Holston nor HP has yet revealed how social security numbers of reporters and their families were obtained.
California attorney general Bill Lockyer has said pretexting is illegal, and that he intends to prosecute whoever was responsible. It’s a question of who knew what and when, Lockyer’s spokesperson told us a week ago.
SOS or a subcontractor is thought to be behind the actual pretexting attacks themselves. So far, Lockyer has no evidence implicating Hurd in any criminal activity, it was reported Friday.
The Kona II phase of the investigation also included physical surveillance of one journalist, which was Kawamoto according to CNet reports, and trashing, the act of going through somebody’s trash for incriminating evidence.
Also, HP leaked to Kawamoto a fabricated internal HP document via email, pretending it came from a disgruntled senior HP executive. Within the document was a tracer mechanism designed to send the IP address of the recipient, and anyone it was forward to, to an HP server.
It is likely that this mechanism, rather than being a piece of malicious software, was just a web bug, an embedded image that pings a web server whenever it is displayed on a computer. The use of such bugs is not thought to be illegal. Indeed, they are commonly used in marketing campaigns.
Still, Hurd sought to distance himself from the use of such tracing technology, following reports that he had endorsed the misinformation campaign against Kawamoto.
I was informed by the investigation team that they intended to send an email containing false information in an effort to identify the source of the leaks, he said. I was asked to, and did approve the naming convention that was used in the content of that email. I do not recall seeing nor do I recall approving the use of tracer technology.
While Hurd said he felt very strongly that leaks hurt the company’s reputation and its ability to operate effectively, he also admitted that he did not read the final report of the investigation that led to Keyworth’s outing, even though he could have and should have.
He also admitted that he did not personally get involved with investigating the methods used to smoke out Keyworth until September 8, after news of the pretexting was already public knowledge.
The story first broke almost three weeks ago, after director Tom Perkins, who quit the board in disgust in May, told Newsweek that he quit after finding out his own phone records had been hacked.
In an apparent attempt to publicly show contrition, on September 12 Dunn promised to resign as chair of HP’s board, but not until January. She also intended to keep her seat on the board.
The move was largely seen as not going far enough, and yesterday she stepped down, effectively immediately, from both positions.
I accepted the responsibility to identify the sources of those leaks, but I did not propose the specific methods of the investigation, she said yesterday, in a statement. I was a full subject of the investigation myself and my phone records were examined along with others.
Unfortunately, the people HP relied upon to conduct this type of investigation let me and the company down, Dunn added.
Over the weekend, it was reported in several US newspapers that Hunsaker and Gentilucci are also preparing to leave HP.
