HP CEO: Board Leak Was the Crime
There were no findings in Kona I, so it was suspended in late July, without HP ever discovering who was leaking sensitive information, and who was being leaked to. Holston did not speak about any of the techniques S.O.S. may have used during the Kona I phase.
With the publication of a story by CNET that appeared to contain information that may have been leaked from the HP board, the executive team resurrected the investigation in January 2006, code-naming the phase “Kona II.” Ron DeLia resumed his role as lead investigator, being in charge of S.O.S. CEO Hurd, chairwoman Dunn, HP General Counsel Ann Baskins, and HP head of global security Jim Fairbough were all “made aware” of the existence of Kona II, said Holston, with regular reports being provided to Dunn and, “to a lesser extent,” Baskins.
Over the course of Kona II, Holston remarked, “certain members of the investigation team provided assurances that the techniques being used in the investigation were legal.”
This time, S.O.S. found a source of the leak. In a March 2006 report, S.O.S. stated its findings, which included an explanation of “pretexting” – one of the techniques it used to obtain phone call records by agents improperly identifying themselves to the phone company. The explanation stated, according to Holston, that this technique was legal.
As Mark Hurd stated earlier in the session, with an obvious note of embarrassment, although reports were prepared for him about the status and progress of investigations, he did not read them.
Kona II stopped work on May 18, and HP ethics director Mark Huntsaker produced a final report on May 24. There’s no evidence of any investigation proceedings after that time, Holston said.
The techniques used in Kona II boil down to four categories: “Information regarding hundreds of telephone calls was obtained through pretexting,” stated Holston. “At this point in our investigation, there is evidence that S.O.S. directly or indirectly obtained telephone or facsimile call information through pretexting for two current HP employees, seven former or current HP board members or their family members, and nine journalists or their family members. I want to stress that, to the best of our knowledge, this activity was conducted by an outside investigator. As a result, it has been difficult for us to obtain all of the relevant documentation so far.”
The second technique involves the use of Social Security numbers to obtain phone call information, also through pretexting. In at least one instance to Morgan Lewis’ knowledge, an HP employee provided the Social Security number of another HP employee to an S.O.S. investigator. It was apparently done with full knowledge that it would be used to obtain phone call data, said Holston. Neither HP employee was identified.
In all, S.O.S. obtained the SSNs of at least three journalists, three HP board members, and one HP employee. None were identified, nor did Holston explain how those other SSNs were obtained.
Third comes the now-infamous tracer, which Holston explained was not a keylogger. He likened it instead to the type of utility that a Web page uses to acquire the IP address of the user reading it. In January 2006, HP officials involved with the investigation -– Holston did not name them -– devised a scheme involving the creation of a fictitious high-level executive, who would send e-mails to the suspect reporter about a fictitious company operation.
Holston did not explain this operation, although its details were reported in the Washington Post. Investigators hoped the tracer would bounce around through every address to whom the fake message was forwarded, eventually informing HP of its eventual destination, and giving hints of the path it took to get there.
Surprisingly, Holston revealed, this plan didn’t actually work “At this stage, the evidence suggests the investigation team never received any confirmation that the tracer was activated, even though it received e-mail messages from the journalist,” Holston said.
He then added, “The concept of sending the misinformation to the reporter and the content of the misinformation to be contained in the message of the e-mail was approved by Mark Hurd. We have found no evidence that he was asked to approve the use of the tracer.”
Fourth, S.O.S. also conducted physical surveillance, which included spying on a board member during a keynote speech he made in Boulder, Colorado. The S.O.S. team also spied on his family in California while he was making the speech. It also spied on a journalist, though Holston did not say whether this was the same journalist who was the target of the fake e-mail.
A separate security firm was additionally employed to go through people’s trash, though Holston did not identify the firm, the nature of what they were looking for in the trash, nor whose trash they were rummaging through.
“At this point in Morgan Lewis’ investigation, we have seen no evidence that any employee authorized or had knowledge of any use of online accounts being created or use to obtain telephone call information,” concluded Holston.
"We have not seen evidence that any wiretapping of any telephones occurred. We have not seen evidence that any computer keystrokes were tracked. And while a PowerPoint presentation discussing potential investigative techniques suggested studying the feasibility of undercover operations at the San Francisco offices of The Wall Street Journal and CNET, we do not have any information to support the contention that any such operations actually occurred."
Hurd and Holston both declined to answer reporters’ questions, pending a hearing before Congress later this month.