by CIO Staff

HP Lawyer Breaks Down Leak Probe

Sep 26, 20064 mins

bucket leaks breach hacked cybersecurity
Credit: Thinkstock

An attorney hired by Hewlett-Packard Co. to investigate the conduct of HP and outside investigators has provided new details of his firm’s investigation of news leaks from the HP board.

Mike Holston, a partner in Morgan, Lewis & Bockius LLP was hired September 8 to conduct an independent investigation of the scandal and reports directly to HP chief executive officer (CEO), and president Mark Hurd.

Morgan Lewis has reviewed some of the approximately 1 million pages of documents it received from HP and outside investigators hired by HP to trace the news leaks. It determined that HP Board Chairman Patricia Dunn authorized two separate investigations: one to probe leaks in 2005 and a second in 2006.

The Morgan Lewis probe found that HP hired in 2005 Security Outsourcing Services (SOS), of Needham, Massachusetts, a private security firm, to probe the first series of leaks. This is the first official confirmation that HP hired that firm, even though it had been identified in several recent news stories. Two months into SOS’s probe, HP’s Global Security division also joined the investigation. The investigation concluded in July 2005 without being able to identify the source of those leaks.

When CNet Networks reported Jan 23, 2006, on the details of a private board meeting, HP launched a second investigation with the help of SOS and HP Global Security.

Dunn, Hurd, HP’s General Counsel Ann Baskins and Jim Fairbaugh, chief of Global Security, approved the second investigation. Dunn and Baskins were kept up to date on the course of the investigation over the next three months, Holston said.

“It is now clear that the investigation included tactics that ranged from the review of HP’s internal e-mails and instant messages, to the physical surveillance of an HP Board member and at least one journalist, to the “pretexting” of telephone call information of board members, HP employees and journalists,” he said, adding that SOS’s legal counsel informed HP that SOS’s investigative techniques were legal.

The investigators presented a draft report to HP in March 2006 identifying the source of the board leaks and detailing some of their investigative methods, including pretexting, which is obtaining access to private phone records under false pretenses.

HP sent a copy of the report to its outside legal counsel and the report was disclosed at a May 18 board meeting. In a separate HP filing Sept. 6 with the U.S. Securities and Exchange Commission, the company disclosed that director George Keyworth was the source. While he acknowledged his role, Keyworth refused to resign at that May board meeting. He eventually resigned Sept. 12.

Holston went on to say that Tony Gentilucci, another member of HP’s Global Security division and a member of the investigative team, turned over the Social Security number of an HP employee to SOS. SOS then turned that and other Social Security numbers over to Action Research Group, another private investigative firm, which used the numbers to help gain unauthorized access to private phone records. This is also the first acknowledgement that Action Research, of Melbourne, Florida, was involved, although it had been identified in news reports.

Disclosing personal employee information is a violation of HP policy, and could result in Mr. Gentilucci’s dismissal, said a source inside the company who declined to be identified.

Holston also disclosed that investigators attempted to send an e-mail to a CNet reporter from a fictitious disgruntled HP employee that contained a hidden attachment, called a “tracer,” that would track who the reporter contacted about the tip so as to identify her sources. HP did not disclose the identity of the reporter Friday, but she was identified in a Sept. 21 Washington Post article as Dawn Kawamoto. But Holston said it could not be determined whether the tracer was ever activated. Hurd acknowledged in his remarks that he approved the fake e-mail scheme but said he did not know it involved use of the tracer.

And although another scheme to send spies into the San Francisco offices of CNet and The Wall Street Journal posing as clerical or janitorial workers was considered, there was no indication it was ever carried out, Holston said.

-Robert Mullins, IDG News Service (San Francisco Bureau)

Keep checking in at our HP Spying Scandal page for more coverage of this unfolding story.

Check out our CIO News Alerts and Tech Informer pages for more updated news coverage.