The personal telephone records of two CNET News.com reporters were accessed by a contractor hired by HP to uncover the source of boardroom leaks to the media, according to the California attorney general's office.
The investigation conducted by a company hired by HP used a controversial technique called "pretexting" to obtain the personal phone records of reporters Dawn Kawamoto and Tom Krazit, of ZDNET UK's sister site, CNET News.com, state prosecutors said. Pretexting is a sometimes-illegal method of obtaining personal records through misrepresentation of someone's identity.
Kawamoto and Krazit co-wrote a 23 January article outlining a private, long-term strategy session held by HP's board of directors. The article, which quoted an unnamed source at length, prompted HP chairman Patricia Dunn to authorise an investigation into HP's board to determine the identity of the story's source.
Kawamoto and Krazit were apparently not the only reporters targeted by HP's investigators. The personal phone records of nine journalists, including a reporter from The Wall Street Journal, were accessed, HP spokesman Mike Moeller said late on Thursday afternoon. He declined to comment on the timeframe over which the incidents took place or any of the organisations other than the Journal and CNET News.com.
The Journal reported on its Web site that reporter Pui-Wing Tam was targeted. Among other HP stories, Tam wrote in January 2005 about the board's unhappiness with ex-chief executive Carly Fiorina.
The California attorney general's office on Tuesday first alerted reporters at News.com and possibly elsewhere that their private phone records may have been accessed. On Wednesday night, attorneys for HP supplied to the attorney general's office a partial list of reporters' names whose phone records may have been compromised, a prosecutor said.
On Thursday, an investigator with the attorney general's office contacted Kawamoto and said AT&T confirmed that her records had, indeed, been accessed. Kawamoto said she never authorised her home phone records to be shared with anyone, and she noted her home phone number is under her husband's name, not her own. Krazit was notified later on Thursday that a similar breach had occurred with his mobile phone account.
The attorney general's office said HP's attorney is asking for permission to contact reporters whose records were apparently accessed.
"HP is dismayed that the phone records of journalists were accessed without their knowledge and we are fully co-operating with the attorney general in his investigation," HP's Moeller said.
In a filing on Wednesday with the Securities and Exchange Commission, HP acknowledged that the pretexting technique was used to obtain the personal records of board member Tom Perkins.
The SEC filing also said that in conjunction with the leak investigation, longtime board member George Keyworth will not be nominated to another term on the board. At a board meeting in May, Dunn presented the results of the investigation and revealed that Keyworth was the source of the leaks, which he acknowledged, according to the filing. Keyworth was asked by the board to resign at that meeting but refused, leading to the board's decision.
The filing made no mention of reporters' personal records.
AT&T confirmed to Perkins that someone had used two different Yahoo email addresses to gain entry to his records, according to documents made public on Wednesday. The person who gained access to Perkins' records created an online account with Perkins' telephone number and the last four digits of his Social Security number. It's unclear how they obtained his Social Security number.
Whoever gained access to the records only looked at Perkins' January bill, the month the News.com article that angered Dunn was published. Perkins resigned from the HP board in May to protest the internal investigation and the way it was handled.
"I resigned solely to protest the questionable ethics and the dubious legality of the chairman's methods," Perkins wrote in a letter to the board of directors.
In Kawamoto's case, AT&T said that on 30 January, someone used the last four digits of her husband's Social Security number to establish an online account, and provided the email address red@yahoo.com.
"As was the case with the Perkins account," AT&T general attorney Travis Dodd wrote in an email to the attorney general's office, "the IP address associated with the browser of the person who established the account was 68.99.17.80. As was also the case with the Perkins account, this appears to have been the only date of access to the account."
Details regarding Krazit's phone records were not immediately available.
Given the recent increase in the Federal Government's attempts to discover the identity of confidential sources, it's not all that shocking that corporations would feel "empowered" to try the same kind of techniques, said Christine Tatum, president of the Society of Professional Journalists and a business writer for the Denver Post.
However, "people have to realise that these are not issues that just journalists have to concern themselves with", Tatum said. Pretexting is a very common practice, and it's troubling to think that companies could use these techniques against disgruntled customers or debtors, she said.
CNET News.com's Tom Krazit contributed to this report.
Talkback
Both HP and the phone company deserve a severe reprimand if not prosecution in this instance.
Firstly, doesn't the US have a data protection act (as the UK does) which makes it illegal to impersonate another individual in order to obtain personal information. Are HP's directors being prosecuted?
Secondly, why is the telephone system so insecure that all you need is knowledge of the phone number and part of the social security number to gain online access to the account. This is not secure - look up the person in the phone book, then do a SSN search (as an employer) to get the SSN of that person, then you can access the records.
In this day and age I would expect a minimum of identity checking before the phone company gives out personal data. All the phone company needs to do is ask for the date of the last bill and the amount to ensure the attempted access is at least from someone with sight of the last bill. This is trivial security. By not applying such basic checks before releasing personal information, a UK company would be breaking the law. Is the US so far behind?
I think they dost protest too much.....
Journalists can be pretty cavalier when it comes to privacy of others. Take the recent behaviour of the News of the World reporters bugging the telephones of various members of the Royal Family.
This doesn't make whats happened right of course, just if jounalists spy and bribe to get information they should expect to suffer the same fate.
surely this is illegal on many levels, a global corporation accessing the mobile phone records of unsuspecting individuals, its not even as if they were company issued phones, does this mean that anyone associated with media needs to expect a call from HP from now on telling them that there phone has been watched by them for the pass 9 months? when we take out contracts or talk plans with operators we expect our history to be kept safe and secure, after al thats what the data protection act was for, now how is it, i cant order a new top up card without answering various questions and confirming my dob and address,yet HP can gather all they need without that, or do they have refuse collectors on the payrole as well now, delivering fresh supplies of person information ready for the data vultures and office monkeys at HP, HP once a trusted brand now the symbol of a tarnished brand that will have to do more than perform a few wonders and memory erase's to get any of their much desired reputation back, unless of course their happy with the new one? from what i can gather from various blogs and internet surfing this isnt the first occurance either, how many other companys outthere are doing similar things, we know about sony and the data protection fieasco on their disks, and many other drm cases. will HP and the pedigree office monkeys face any charges for this - i hope so, nothing short of good old slap with a wet fish will do! i apologise if i have confused or bored you in any way, not that i care really, but i didnt force you to read it did i?.....