HP Scandal Shines Light on a Simple, Treacherous Act
Tuesday, September 19, 2006
When Adam Yuzuk had a question about his cellphone bill, a Cingular Wireless agent told him to check his online account.
The only problem: He hadn't established one.
That day in June 2005, Yuzuk, a former president of a New York leather accessories firm, discovered someone had used his Social Security number and a fake e-mail address to set up his online account and view his calling records.
He learned this year, as part of a legal dispute with his former partners in the firm, that they had paid a private investigator to dig up information on him, including $300 for his phone records.
Yuzuk's case was featured at a congressional hearing in June, part of lawmakers' effort to curb pretexting -- the act of impersonating someone to obtain their personal records. The drive has gained fresh momentum with recent revelations that a firm hired by a Hewlett-Packard Co. subcontractor used the technique to obtain phone records of the firm's directors and journalists. A House subcommittee is probing HP's practices.
Federal legislation is pending that would criminalize the use of pretexting to obtain phone records. Some states have passed laws banning it, and states, phone companies and the Federal Trade Commission are suing data brokers who practice it. Despite such efforts, including a 1999 law banning pretexting to obtain financial records, the industry continues to thrive. It is driven by systemic weaknesses in retail, financial and other sectors; lax company security standards; and demand from lawyers, debt collectors, and even law enforcement and tabloid journalists, experts said.
"The simplicity of acquiring information like this is almost sad," said James Rapp, who made $1 million annually using the technique -- which included getting information on JonBenet Ramsey and Monica Lewinsky -- until he was convicted on racketeering charges and put out of business in 1999.
"Companies make a statement that we have privacy, but when it gets right down to it, if you or anybody calls up and asks for information on me, if you ask nice enough, they'll give it," Rapp said.
In June, Yuzuk, his voice trembling in anger, told a congressional panel his story: After he learned in June 2005 that his Cingular account had been hacked, he had a supervisor put a password on it and red-flag it -- moves that would keep his information safe from prying eyes, the supervisor assured him.
"I wanted the highest level of security possible," he told the House Energy and Commerce investigative subcommittee.
Then last April, Yuzuk legally obtained documents revealing that a former partner, Steve Kahn, had hired Michele Gambino of Gambino Information Services Inc. to retrieve his cellphone records.
Gambino Information Services, whose Web site notes the firm can conduct "informative telephone" conversations to "obtain various types of information," prepared a file for Kahn that included four months of phone bill detail, with two sets of records printed in September and October.