HP held an emergency meeting of its board of directors, but failed to come to an agreement. Following the meeting it was still not clear whether Dunn gets to keep her job.
The HP board of directors met for several hours Sunday morning. It has agreed to reconvene late Monday afternoon. No further statement will be forthcoming from the company before that time, HP said in a statement.
It is also not yet clear if any HP employee will be charged criminally over acts that California attorney general Bill Lockyer has already said he believes were illegal.
Dunn did the rounds of major news outlets late last week, apologizing to at least nine reporters from Business Week, The Wall Street Journal, The New York Times and CNet News.com, all of whom had their telephone records hacked as HP investigated board-level leaks.
The news that reporters and their families were targeted in the attacks added to the growing controversy, which emerged late Tuesday when Newsweek reported that a Dunn-instigated leak probe had seen HP directors’ telephone records compromised.
HP admitted on Wednesday, in a Securities and Exchange Commission filing, that an unnamed third party indirectly on the company’s payroll had used a technique known as pretexting to obtain phone records, in a successful attempt to track down the leak.
Pretexting is a polite name for a kind of identity theft hack where the attacker pretends to be somebody else in order to acquire their confidential information – in this case the victims’ phone bills, with records of which numbers they called.
On Thursday, it emerged that Dawn Kawamoto, Steven Shankland and Tom Krazit, all reporters from CNet, had been attacked using pretexting. Kawamoto’s husband and Shankland’s father were also targeted, CNet reported.
BusinessWeek then reported that three of its reporters, Peter Burrows, Ben Elgin and Roger Crockett, were victims. The Wall Street Journal said that reporters Pui-Wing Tam and George Anders were also affected by the attack. The New York Times said its John Markoff was targeted.
All these reporters cover HP, and were believed by the company to be the recipients of internal leaks, due to anonymous quotes used in their stories.
A pretexting attack in January, against HP directors and CNet’s Kawamoto and Krazit, possibly among others, uncovered director George Keyworth as the source of a leak. Keyworth refused to resign, but HP has not nominated him for re-election.
Information about the attacks came to light as a result of the resignation of Tom Perkins, an HP director who quit in May after he found out about the methods used in the leak probe.
Perkins questioned the legality of the pretexting attacks, and later said HP was not being forthcoming enough with its investors, by not revealing the reason he resigned as required by law.
While the SEC has not been forthcoming on possible investigations into that matter, other law enforcement agencies are investigating the attacks.
US federal law on pretexting is somewhat vague. The Gramm-Leach-Bliley Act outlaws pretexting when used to obtain records from financial institutions, which does not seem to apply here.
Staff of the Federal Trade Commission are on record saying they believe pretexting violates Section 5 of the Federal Trade Commission Act, which deals with deceptive business practices.
In California, where HP and several victims are based, it is believed to be more clear-cut. California attorney general Lockyer told the San Francisco Chronicle on Thursday: In this case, clearly a crime has been committed… The question is by whom. How far does the liability extend?
The question basically is, Who knew what when?
Discovering who carried out the pretexting attacks could be fairly straightforward. The IP address of at least one attacker was logged by AT&T and is now a matter of the public record. Assuming the attacker did not redirect or mask his IP address, his identity could be subpoenaed from his ISP.
What is less clear is who at HP, if anybody, knew what tactics were being used.
According to the HP’s Wednesday SEC filing, Dunn and ultimately an internal group within HP, working with a licensed outside firm specializing in investigations conducted the investigation that uncovered Keyworth as the leaker.
HP had engaged an outside consulting firm with substantial experience in conducting internal investigations and that this firm had retained another party to obtain phone information concerning certain calls between HP directors and individuals outside of HP, the HP filing says.
Dunn told the Associated Press on Friday that the use of pretexting was absolutely appalling and embarrassing, and said the board had no idea such tactics had been used.
HP’s SEC filing says that Dunn and HP had instructed the outside consulting firm to conduct its investigation in accordance with applicable law and that the outside consulting firm and its counsel had confirmed to HP that its techniques were legal.
So far, many media commentators are not buying it — saying that even if such techniques turn out to be technically legal, they are a far cry from ethical. For example, a CNNMoney columnist wondered on Friday if Dunn is lying… or incompetent.
The question obviously arises that if the HP employees involved in the investigation did not know pretexting attacks were being used, how on earth did they think these phone records were being obtained? Or did they not even ask?
Either way, Dunn has emerged as the driving force behind the probes and has assumed the position as HP’s most likely fall guy. She addressed the matter in an interview with the AP last week.
I serve at the pleasure of the board, Dunn reported said, as reports surfaced that the board was planning an emergency meeting for the weekend.
I totally trust their judgment, she added, without apparent irony. If they think it would be better for me to step aside, I would do that.
