HP's boardroom scandal has cast a new light on the dirty deeds of data traffickers. James Rapp used to be one of them.
Rapp, a self-described data broker, bored deep into people's private lives largely by duping employees at banks, hospitals and phone companies into giving him information, a practice known as "pretexting." Before the federal government forced him to shut down his business in 2000, Rapp spared no one--detectives from the Los Angeles Police Department, Monica Lewinsky, some of the slain victims of the Columbine High School massacre: Rapp snagged information on them all.
"You give me any address, and I could get you every phone number going into that address," said Rapp, who once owned a data-brokerage firm called Dirty Deeds Done Dirt Cheap. "Didn't matter if it was an unlisted number, cell phone, anything...people don't realize how simple it is."
Such a realization is not lost on those targeted by Hewlett-Packard as part of the company's efforts to uncover media leaks. HP, one of Silicon Valley's bellwether companies, has admitted to hiring private investigators who used false pretenses, or pretexting, to obtain phone records of board directors, two employees, nine journalists (including three from CNET News.com) and an undetermined number of others.
Besides attracting national media attention, the HP case has cast light on the shadowy ranks of data brokers who employ pretexting tactics to obtain and sell information. A pretexter is typically someone who misleads employees of a business or organization, such as a bank or hospital, into believing they are a certain individual to trick them into divulging private data. Techies call this kind of deceit "social engineering." The practice is popular, easy to perform and highly profitable, Rapp said. Trafficking in this kind of information generated $1 million a year for his company during the mid-1990s.
"Anyone can impersonate anyone else if they sincerely make an effort," Rapp told the U.S. House of Representatives Oversight and Investigations subcommittee during a hearing on pretexting in June. "The person or customer service representative on the other end of the line truly wants to help, so I use that to my advantage and convince them that they need to give me certain specific data."
The committee will hear new testimony on pretexting this Thursday, when HP executives and the investigators the company hired to do the snooping are expected to appear.
Rapp's history in pretexting offers insight into the methods now popular with hundreds of data brokers around the country. And while Rapp, who declines to say what he's done for a living since leaving data brokering, is not believed to have had anything directly to do with the HP spying, he is closely linked to some of those involved.
Rapp, 47, was once a close business associate of Joe DePante, one of the private investigators reportedly subcontracted by HP's investigators. Sources have also said that the California attorney general's office is trying to learn whether Rapp's nephew, Brian Wagoner of Omaha, as part of the HP investigation.
Neither Wagoner nor DePante could be reached for comment.
Rapp learned his former trade while in prison in Colorado for auto theft. It was there that the then-18-year-old Rapp learned he had a knack for conning customer service people into giving him information, he said. Other inmates would ask him to locate ex-girlfriends or wives who had split while their men were locked up. Working from the prison pay phone, Rapp would call a phone company's 800-number and start lying.
If he needed to find a woman's new address, he would get on the phone with a phone company employee and cite the woman's former address to gain credibility and create confusion.
"The person on the other end of the line would feel either sympathy or pressure," Rapp said in his testimony. "Whatever it took for them to release to me the information that I needed."
The halcyon years for pretexting came in the mid-1990s, according to Rapp. That was when the tabloid press, hungry for dirt on central figures in high-profile crimes or scandals, practically threw money at him. At the same time, Rapp's services were in big demand by companies eager to gain intelligence on competitors. To train employees and to possibly turn his methods into a trade, Rapp wrote a pretext manual.
The manual, which was entered into the record at the subcommittee's hearing in June, includes a chapter called "Non-published address and phone number investigation." In it, Rapp discusses the many sources that may be plundered for data, such as a person's video store, grocery store, newspaper provider or cable company. Another heading reads: "Acquiring the statement without the card number."
"Some of these people are very successful at obtaining information through these means," said Rep. Bart Stupak, a member of the House committee. "We should be very concerned when someone can find the most sensitive information about us. People have to feel secure when they fill out financial and medical records that their information is going to remain private."
Rob Douglas is a security consultant who once hired data collectors like Rapp--that is, until he discovered that they relied on pretexting. Douglas, who has testified numerous times before Congress on data security, said corporations are some of the most voracious consumers of data that can be obtained only via pretexting.
"They wanted the information so badly that they stopped using me when I fired my information broker," Douglas said. "But there were plenty of others who would provide it. I lost half my business."
This raises the question about whether HP's investigation is all that rare in corporate America. Consider that even in the case of HP, the public might never have learned about the company's investigation had former board member Tom Perkins not pressured executives to disclose the truth.
Rapp offers an even more troubling revelation. Pretexting may be impossible to stop.
When it comes to phone companies, he recommends that they issue passwords to customers, which some already do. He also believes that they should refrain from providing information to anyone unless the customer is calling from the phone line or cell phone in question.
When it comes to medical and financial records, Rapp has no suggestions.
Hospitals must provide records in medical emergencies, and that leaves them vulnerable, Rapp said. As for banks, they may safeguard money behind locked vaults, but the information they store is poorly protected.
"Banks have to help their customers," Rapp said. "They have to be open enough to work with you. Say, for example, I called the bank and told them I was waiting for a deposit and needed to check whether it arrived. I'll give them the (routing number found on the bottom of every check, which is public information). They will tell me 'No,' we need your account number.'
"I'll tell them that my accountant handles that, and that's the number he gave me. I'll also tell them I need to know whether that deposit has come in, and it's urgent. Then I'll give them the person's social security number. More times than not, they'll give me the account number. You can't stop that."