, SecurityFocus 2006-09-22
Technology giant Hewlett-Packard's CEO Mark Hurd announced on Friday that he would replace the board's chair Patricia Dunn immediately and apologized for the extent of the spying that took place in the chairwoman's investigation of a media leak on the board of directors.
Dunn will no longer continue as a member of the board and Hurd denied any knowledge of the improprieties of the investigation. However, the HP chief did say that an investigation by an outside law firm over the last few weeks has revealed that inappropriate steps were taken during the board investigation.
"I will say that some of the findings that Morgan Lewis has uncovered are very disturbing to me," Hurd said during a press conference on Friday. "On behalf of HP I extend my sincere apologies to those journalists who were investigated and everyone who was impacted. HP has a distinguished history of conducting business with uncompromising integrity. We believe that these were isolated instances of impropriety and not indicative of how we conduct business at HP."
The company also appointed Bart M. Schwartz, a former federal prosecutor, as corporate counsel to perform an independent review of methods used during the investigation. Schwartz is a founding partner of the fact-finding firm Nardello Schwartz & Co. The former prosecutor is expected to make future recommendations for implementing best practices, and will report to Hurd and to Bob Wayman, HP's chief financial officer.
Hewlett-Packard took the latest steps as federal and state prosecutors as well as Congress continued to investigate the technology giant's handling of a leak on its board. In January 2006, a CNET News.com article outlined the future strategy of the company using information that appeared to come from a board member. The chairwoman, Patricia Dunn, became determined to root out the leak and restarted an investigation that had previously looked into the source of illicit leaking of board information.
The investigation, however, resulted in the unauthorized use of AT&T's computer systems by third-party investigators to gain access to the phone records of seven board members, nine reporters, and two HP employees, according to the results revealed at Friday's press conference. While such techniques fall under the broad category of deception to gain information, or "pretexting," computer crime statutes clearly define the activity as unauthorized access, or "hacking." The investigators also tailed several directors and reporters and sent forged documents to one reporter that would phone home the Internet address of anyone to whom the reporter forwarded the document.
The controversy over the techniques used by the third-party investigators to try and identify the source of the leak has left HP scrambling. Both Patricia Dunn and Mark Hurd will testify in front of the U.S. House of Representatives' Energy and Commerce Committee, Subcommittee on Oversight and Investigations at a hearing on Sept. 28.
Earlier this month, the company announced that Dunn would step down in January from her position as chairwoman, but remain on the board. Dunn and HP announced on Friday that the chairwoman had stepped down at the request of the board. Dunn maintained that her worst offense was to rely on the wrong people.
"Unfortunately, the people HP relied upon to conduct this type of investigation let me and the company down," Dunn said in the statement announcing her resignation. "I continue to have the best interests of HP at heart and thus I have accepted the boards request to resign."
HP's recently retained outside counsel, Michael J. Holston of Morgan Lewis, outlined the preliminary findings of his investigations. Holston is in the white-collar criminal defense and corporate investigations practice of the law firm. Neither Hurd nor Holston took questions at the end of the press conference.
Holston said that, while his investigation indicated that HP executives had known of the pretexting, that the third-party investigators had maintained that the technique was legal. Moreover, HP employees did not know that false online accounts would be opened to get access to the information, Holston said.
"We have seen no evidence that any employee authorized or had knowledge of any use of online accounts being created or used to obtain telephone call information," he said.