Below is an extract from Independent on Sunday deputy editor James Hanning's new book, The News Machine: Hacking, The Untold Story.
Here, phone-hacker Glenn Mulcaire (pictured, Reuters), who worked on the book with Hanning but recieved no payment, explains how he "blagged" hospital records and a phone user's "friends and family" lost.
Judging solely by the stories in the papers, it is easy to write off Mulcaire as a mere "chancer" who learned a few tricks and got over-promoted as a result. But his accomplishment at inveigling himself into people’s trust made him an ideal candidate to bring in news stories, to help feed a news machine rather than being just any old cog. Certainly he is extremely adept at what might candidly be called dishonesty.
For professional ends, a number of techniques would continually re-present themselves as useful. One was to call an office and get the call rerouted so it looked to the ultimate recipient as if it was internal. Similarly, once that was achieved and the person believed they were talking to a colleague in another department, he would seek to make them believe he was reading the same internal computer file as the person he was talking to.
He says Vodafone were the easiest, with BT being a bit harder. "If they think you’re reading it ahead of them, you need no more confirmation than that," he says. "Then you say the screen has frozen, and can you check something. If they say ‘I’ll call you back’, you’ve had it. You need it there and then. It’s smash and grab, but you need to be very gentle. You have to execute the plan with confidence, but you’ll only get one chance."
Two stories illustrate his capacity for building trust and then exploiting it. They rest on a metaphor of opening a door, putting a wedge under it and then returning later to gain entry. The first relies on one of the participants being a smoker and requires an ability to react quickly to unforeseen developments, but the gist is clear. Asked by the office to establish if a hospital patient has a particular ailment, Mulcaire would take a "white coat approach".
"You have to look as if you belong wherever you go," he says. "You never inch into a situation because then you stand out as not belonging." One trick is to go out of hospital doors outside which people are smoking, muttering "I’ll have a quick one before I go in". Then, he says, note the name on the badge of one of the doctors, turn and go back in. The next day you check BMA records (then obtainable using a suitable pretext), then ring and check if someone is able to obtain the hospital number that identifies a particular patient (ditto).
"Then, one day when you know that doctor is off, you breeze in with his name badge, taking big files which look like case notes,… wait near reception, making marks on the files… wait till the receptionist goes for a cigarette and follow her out. If she happens to know the person (which he says happens very infrequently), he’d say ‘I’m not him, we have the same name, but I’m the new, improved one’. Made contact, cheap joke, and then say ‘I must be getting back.’"
Then, back in Mulcaire’s office, with a CD playing the low chatter of background office noise, he would ring the receptionist.
M: "Hi, my name’s [false name]. I expect you’re frantic."
Receptionist: "Yes but how can I help?"
M pretends to recognise the voice, reminding her that they had met during a cigarette break. He would then reiterate that he didn’t want to be a nuisance and needed to be quick.
M: "My PAS system has frozen and I urgently need some details on a patient…" Mulcaire gives the details, she finds them.
M: "What medical number comes up?" She gives it.
M: "And which consultant is dealing with her?… I thought it would be him, let me give him a quick call while you’re on." He pretends to dial.
"Hi, Dr X. You’re about to go into theatre? Oh, I’m sorry, but, just quickly, could you wire over some records of one of your patients. Actually it would be easier to get them verbally from the front desk. I’m onto them at the moment."
Receptionist: "Yes I heard all that. Ok I’ll read what it says." She reads out details, brief episode details, diagnosis and prognosis.
M: "Thanks very much."
Then, to check, he pretends to be the consultant and rings the hospital back, establishing his bona fides by giving the patient’s medical number and few details. He says he’ll be transferring notes over to them.
M: "Oh, one other thing, what prescriptions is she on?"
If the answer is consistent with the presumed illness, he has confirmed the story.
Another "blag" that Mulcaire cites as being fairly "bog-standard" is the method of getting details of a phone subscriber’s "Friends and Family" list on their phone account. "Back in 2002 – until journalists started doing it, when they tightened it up – it was comparatively easy. Once you’ve got the land line, you could get Friends and Family, though not everyone registered them. You’d ring BT posing as the subscriber, and make two calls. The first would ask when the next bill is.
M: "Do you know how much it is, we’re panicking."
Call centre: "Oh, it’s about £300. Ok, thanks, bye."
Then you ring later, a second time, again as the subscriber.
M: "Is it ok to pay by cheque, not direct debit?"
Call centre: "Yes, that’s fine thanks very much…"
M: "One other thing, can I add another number to my friends and family?"
Call centre: "Sorry, you’re full at the moment."
M: "Really, oh dear, what have I got at the
Call centre: "You’ve got X, X…."
The News Machine: Hacking, The Untold Story is published in the UK and Ireland by Gibson Square costing £12.99 paperback original and also as an e-book.