Last week’s $14.5 million settlement payment by Hewlett-Packard to California’s top prosecutor may have defused a crisis. But it leaves many question marks about the ethics of big companies, the insecurity of personal information, and the methods used in security investigations. This case, which introduced the word “pretexting” to many vocabularies, demonstrated once again the shocking vulnerability of personal data to social engineering attacks. Too many organizations are willing to disclose sensitive information on the basis of a few, easy-to-obtain facts. But there is no excuse for security investigators to exploit these weaknesses by employing shady practices. We should all close ranks against any companies that think it’s acceptable to use impersonation techniques in the name of security, regardless of their legality. Security professionals should aim for the high ground, not sink to cheap tricks.