Frank Abagnale and the Modern HP Pretexting Scandal
While investigating a corporate leak, Hewlett-Packard hired private investigators who used pretexting (calling phone companies while impersonating board members) to obtain the private phone records of journalists and HP board members.
Background
HP's board of directors was investigating leaks of confidential boardroom discussions to journalists in 2005 and 2006. Chairwoman Patricia Dunn authorised an investigation that employed controversial tactics. The phone records of journalists, board members, and their family members were targeted.
The Attack
HP's investigators used pretexting: calling AT&T and other phone carriers while impersonating the account holders to request call records. In some cases they provided the last four digits of Social Security numbers obtained through other means. They obtained private phone records for journalists at CNET, the Wall Street Journal, and the New York Times, as well as for HP board members suspected of leaking. The investigation also involved hiring a private investigator to track a journalist in person.
Response
The scandal broke in September 2006 when board member Tom Perkins resigned in protest and disclosed the investigation to regulators. HP's Chairwoman Patricia Dunn resigned. The California Attorney General filed charges. Congressional hearings were held. The charges against Dunn were ultimately dismissed due to illness. Federal legislation against pretexting was strengthened.
Outcome
The HP pretexting scandal was a defining moment in corporate governance and investigative ethics. It demonstrated that social engineering is not just a hacker's tool — corporations routinely employ it against journalists, regulators, and their own board members. The case led to the Telephone Records and Privacy Protection Act of 2006.
Key Takeaways
- Pretexting — impersonation to obtain private information — is illegal in most jurisdictions regardless of who employs it
- Corporate investigations must have legal review of every technique before deployment
- Phone carriers' reliance on shared "secrets" like last four SSN digits for identity verification is fundamentally insecure
- Board-level governance of sensitive investigations is essential — chairs cannot authorise illegal surveillance unilaterally