Dear Visitor(s)

Take into consideration - What if there was no "FREEDOM"?
Then you see this Blog and are reminded that you would be
missing out on so many important things...Enjoy your stay and recommend to your friends to come and taste the "FREEDOM" Geminimay

Shocking But True
10 September, 2006
San Francisco Chronicle

AG sees 2 crimes in HP's phone record hunt

David Lazarus

Thursday, September 7, 2006

(09-07) 11:18 PDT -- California Attorney General Bill Lockyer said today that a crime was committed when private investigators hired by Palo Alto tech giant Hewlett-Packard surreptitiously obtained the personal phone records of board members.

"In this case, clearly a crime has been committed," he said in an interview. "The question is by whom. How far does the liability extend?"

The legality of the HP investigators' actions has been murky since news of the corporate spying came to light this week.

HP said in a regulatory filing Wednesday that "some form of 'pretexting' for phone record information" had been used to determine which board member had been leaking information to reporters.

Pretexting involves persuading your target that you're someone who you're not. This can be relatively benign, such as impersonating a survey taker. Or it can be more insidious.

HP's investigators are believed to have obtained at least the last four digits of board members' Social Security numbers -- a feat that security pros say isn't all that tough if you know where to look.

An investigator then allegedly contacted AT&T and, posing as a specific board member, convinced the phone company to send him that person's confidential phone records.

All this took, apparently, was knowledge of the board member's Social Security number and phone number, and a smooth delivery.

"Most private investigators do this quite a bit," said Scott Newby, an investigator with offices in San Jose and Merced.

Lockyer said today that the law appears to have been violated twice in the HP case.

First, he said a crime -- identity theft -- was committed when the investigators pretended to be the company's board members. Second, he said a crime was committed when the investigators gained access to AT&T's phone records.

"You've falsely impersonated someone else's identity to illegally get computer records," Lockyer said.

"Do I think a crime has been committed? Yes," he said. "But we have to prove who did it."

Lockyer said he's now focusing on whether HP's chairwoman, Patricia Dunn, is a party to the crime. The company's regulatory filing says she ordered the probe into the press leaks.

"At the very least, there's a potential conspiracy case," Lockyer said.

He said it's "likely" that criminal charges will be filed in the case, but he said he still needs to investigate the matter further.

E-mail David Lazarus at dlazarus@sfchronicle.com.

San Francisco Chronicle

Another breach at Wells

David Lazarus

Wednesday, September 6, 2006

Have we reached the point where stolen laptops and missing consumer data have become so commonplace, they're no longer news? It's starting to seem that way.

But that doesn't diminish the seriousness of the problem -- or the profound impact such incidents can have on people in terms of the threat of fraud and identity theft.

The latest installment in this long-running drama involves Wells Fargo, which has now experienced at least six significant security breaches in less than three years.

The latest, which the San Francisco bank disclosed in letters dated Aug. 28 to employees, involves the theft of a computer and data disk from the trunk of a car belonging to an outside auditor.

According to Wells, the disk contains the names and Social Security numbers of an undisclosed number of bank workers, as well as information about prescription drug claims made through the company's health plan last year.

Wells isn't saying where or when the theft took place. It says only that the bank has "no indication that the information has been accessed or misused." Employees are being offered one-year subscriptions to a credit-monitoring service.

"The auditor had this information because we are required by the Internal Revenue Service to have our health plans audited by independent, qualified public accountants," said Julia Tunis, a Wells spokeswoman. "The auditor is no longer auditing any of our plans."

She said the auditor "contacted law enforcement when it learned of the situation, and both the authorities and Wells Fargo corporate security are investigating."

The incident is a virtual rerun of a security breach disclosed last month by San Ramon oil giant Chevron. In an e-mail to U.S. workers, the company said a laptop "was stolen from an employee of an independent public accounting firm who was auditing our employee savings, health and disability plans."

A Chevron spokesman said the missing data include names, Social Security numbers and other sensitive data.

A key vulnerability

Beth Givens, director of the Privacy Rights Clearinghouse, a San Diego advocacy group, said it's become clear that corporate third parties -- and especially auditing firms -- represent a key vulnerability when it comes to keeping customer data under wraps.

"In the old days, auditors would come in and practically live in your office for a week or two," she observed. "Now they take the work home."

While many companies have experienced security breaches in recent years, Wells has had an especially rough run of bad luck.

In May, the company alerted mortgage customers that their name, address, Social Security number and account number were stored on a computer that disappeared while being transported by "a global express shipping company" from one Wells Fargo office to another.

It didn't say how many of the bank's 23 million customers were affected. (Bank insiders have since told me the shipping company in question was DHL.)

Prior to that, about 700,000 people had their personal data jeopardized due to a string of security breaches affecting Wells Fargo, according to the office of the comptroller of the currency, which regulates federally chartered banks.

These incidents include an October 2004 theft of four computers from the office of a bank affiliate, a March 2004 computer theft from a bank office, a February 2004 computer theft from a rental car driven by two bank employees, and a November 2003 computer theft from the Bay Area office of a bank consultant.

In an e-mail to workers Tuesday, Avid Modjtabai, Wells' director of human resources, said the bank isn't saying more about the latest incident "because doing so may jeopardize the investigation."

Return to sender: Then there's the matter of Alameda resident David Cassel, who exited a job at a Bay Area tech company in June 2005 and then, a few months later, received a check for $262 from Wells Fargo, which administers the tech company's 401(k) plan.

"I assumed they were sending me some sort of end-of-the-year profit sharing," Cassel said.

He deposited the check in his bank account (BofA, not Wells) and that was that. And then a whole year went by.

That wasn't the end

And then, just the other day, Cassel received a letter from Wells Fargo saying that the $262 had been sent to him in error and that the bank wants its money back. That raised an interesting question (several actually).

"Do I have to give it back?" Cassel wanted to know. "Even if it's their mistake? Isn't there a statute of limitations or something?"

The answers: Yes, yes and, surprisingly, yes.

"If he was truly paid in error, he needs to pay it back," said Fred Keeperman, a Moraga attorney who specializes in debt collection.

But there is a statute of limitations on this sort of thing, he said, and in most cases that's four years. So Wells Fargo is still within its rights in demanding the money back 12 months later.

The bank agrees.

"If the assets of a plan are distributed incorrectly, for whatever reason, fiduciaries have an obligation under federal law to try to collect those assets and have them returned to the plan," said Susan Stanley, a Wells spokeswoman.

But wait, as they say, there's more:

Cassel has just received another letter from Wells, this time stating that "not all (retirement plan) participants who received a letter should have received a letter." After further review, the bank has decided that Cassel doesn't have to send the money back after all.

"Wells Fargo Retirement Solutions is truly sorry for any inconvenience the earlier letter may have caused," the bank said.

That's OK. Nobody's perfect.

David Lazarus' column appears Wednesdays, Fridays and Sundays. Send tips or feedback to dlazarus@sfchronicle.com.

Posted by geminimay_no 15:05 | Information Technology | Comment(0) | Permalink
