back to article HP finance manager went on $5m personal spending spree with company card

A now-former HP finance planning manager pleaded guilty on Wednesday to charges of wire fraud, money laundering, and filing false tax returns that follow from the misappropriation of company funds. According to the US Justice Department, Shelbee Szeto, 30, of Fremont, California, worked at HP Inc from August 2017 through June …

  1. Terry 6 Silver badge

    Weird

    This doesn't sound like your usual case of embezzlement.

    Taking massive amounts of cash to buy tons of shiny, with the inevitable result of jail time, sounds more like there's something seriously wrong with that person, beyond criminality.

    1. Yet Another Anonymous coward Silver badge

      Re: Weird

      If you're at HP and buy something shiny and useless that you couldn't afford - you can always sue the person that sold it to you.

      1. Anonymous Coward
        Anonymous Coward

        Re: Weird

        I thought people at HP sold something shiny and useless that you couldn't afford? For instance, printer ink.

        1. katrinab Silver badge
          Black Helicopters

          Re: Weird

          I think this refers to the purchase of Autonomy.

          1. Fruit and Nutcase Silver badge
            Alert

            Re: Weird

            "You might think that. I couldn't possibly comment"

    2. tmTM

      Re: there's something seriously wrong with that person

      Yea, she's a complete idiot as well.

    3. karlkarl Silver badge

      Re: Weird

      It is strange. Almost like she knew she was going to get caught eventually but just wanted to have a great time in the short term.

      A little bit short sighted but perhaps she thought she wasn't ever going to get another opportunity to do so (and she was probably right!).

      1. Michael Wojcik Silver badge

        Re: Weird

        There's a psychological pathology at work, at any rate. I've seen this in other cases, where people embezzle recklessly, with little or no realistic hope of getting away with it. It seems to be compulsive.

        There was a somewhat similar case where the company treasurer for a Michigan firm embezzled millions for a 419 scam. You might think someone in that position would have to be able to recognize a 419 — it's not like they're sophisticated — but she just kept pumping company funds into it.

      2. Terry 6 Silver badge

        Re: Weird

        That may well be the answer, or part of it. Maybe it was just a matter of getting the excitement or enjoyment for as long as possible. A temporary escape from a dismal life.

    4. Cliffwilliams44 Bronze badge

      Re: Weird

      I've see this many times. At least this one made some effort to conceal her tracks but apparently got a bit greedy with the $330K purchase. I've seen this in Governments. Local Government employees are given PCards and the Finance office is not tracking or requiring expense reports. The employees just start buying stuff for themselves and eventually the money adds up and a change in government brings attention to spending and the employees end up arrested. With the inevitable employee response "I didn't know this was not allowed!"

  2. SW10

    Never embezzle more than your salary

    That’s always been my rule

    1. Yet Another Anonymous coward Silver badge

      Re: Never embezzle more than your salary

      Unless you're in government

      1. Kevin Johnston

        Re: Never embezzle more than your salary

        If you are in Government then it IS your salary...at least that seems to be the way it worked for the last 20-30 years

  3. doublelayer Silver badge

    How did this work

    I understand how she faked documents for HP, and assuming they were done well, HP wouldn't know that her charges were false. However, if I'm understanding correctly, these payments were expected to be paid to a supplier, so how did she avoid the supplier complaining about not being paid? I would have thought that, after every supplier she handled started reporting late or nonpayment, someone would have checked on it if only to prevent angry suppliers. Somehow, this worked for three years.

    1. David 132 Silver badge

      Re: How did this work

      My understanding of the case is that she not only made up suppliers ("Totally-Not-Me, Inc." etc) but she also made up POs and invoices ("Supply of 3 boxes of Totalement Rien(TM), $500,000"). Hence it flew under the radar for longer than it should.

  4. Tromos
    Joke

    5.2 megabucks

    They're gonna need to sell another half pint of printer ink to make up the shortfall.

  5. Doctor Syntax Silver badge

    "doing her best to make amends."

    How? Stealing from someone else to pay it back?

    1. Anonymous Coward
      Anonymous Coward

      They landed her a gig at Canon….

    2. Jon 37

      There's no way she can actually make amends. But she can "try", totally unsuccessfully.

      Trying to make amends is a mitigating factor in sentencing. So the lawyer is doing their best for their client, by publicly claiming this mitigating factor in the hope that their client gets a shorter sentence.

      1. Lazlo Woodbine Silver badge

        One place I worked, the cashier stole about £3k, we took her to court and she was ordered to repay the money - at £1 per week.

        Yep, pay back £3,000 at £1 per week, for 60 years.

        We got one single £1 cheque from the court, which the manager pinned to his wall, we never saw another penny...

    3. Pascal Monett Silver badge

      Well, first on the list is selling all the stuff she bought with stolen money and giving the proceeds back to HP.

      Which will obviously not suffice because the stuff is no longer new, so it'll be sold at a markdown which might be quite important.

      Second is her spending the rest of her life remembering that time she had it all only to squander it and find herself cleaning toilets.

      Because she will never be given a company card again, that's for sure.

      1. msobkow Silver badge

        Given that it was evidence in a fraud case, she no longer has nor owns it to sell.

      2. Doctor Syntax Silver badge

        I don't know about the US but in the UK that should be gathered up under the Proceeds of Crime Act.

    4. Lazlo Woodbine Silver badge

      The jewelry, watches & bags can be sold on at near retail.

      The cars will have depreciated somewhat.

      1. Blank Reg Silver badge

        not necessarily, some used vehicles are selling for more than a new one because the wait for a new one can be many months long

        1. Terry 6 Silver badge

          Second hand car prices are certainly ridiculous at the moment. The old battered 107 that we bought for our daughter about 5 years ago ( pre-dented) was just written off by the insurers after a local moron smashed into it while it was parked outside our house. We retained it, (re MOT'd it) from the insurers and accepted their settlement figure. Which was still higher after they'd deducted the scrap value, than we'd paid for it when we bought it. So; We still have the car, with an extra dent, and received more for its value than we paid. And our daughter is still driving it round uni.

          When she starts work at a well known multinational computer company in the Autumn we'll give her the insurance money to buy a nice new(er) car. By which time she'll have had 6 years of driving use from the old banger.

      2. Anonymous Coward
        Anonymous Coward

        Watches could certainly be sold at more than retail (I just had a valuation for insurance, and my good watch which is nearly 20 years old was valued at nearly 1.5x the cost of a new one....people will pay a premium and get a used watch now rather than sit on a waiting list for years to get a new one)

    5. rmullen0

      Working for a $1 a day for the California prison system putting out forest fires

  6. I Am Spartacus
    Joke

    Oh, and along the way I bought a UK Software company

    Well, it seemed like a good idea at the time

    1. John Brown (no body) Silver badge
      Coffee/keyboard

      Re: Oh, and along the way I bought a UK Software company

      See icon ----------->

      1. tip pc Silver badge

        Re: Oh, and along the way I bought a UK Software company

        But that was the fault of the uk software company that was bought, America will prosecute the seller for fraud.

  7. Winkypop Silver badge
    Devil

    Fake invoices

    Executive “bonuses”

    What’s the difference?

    1. Pascal Monett Silver badge

      Executive bonuses don't land you in jail.

      The shareholders never say much about them either.

  8. 9Rune5
    Paris Hilton

    I blame the toner

    She must have mistaken toner for black cocaine and after snorting half a kilo of it; madness ensued and here we are.

    The real crime here is that toner costs more than cocaine.

  9. TheRealRoland
    WTF?

    Shelbee was carrying around a small dog in a designer purse, wasn't she?

  10. msobkow Silver badge

    I never have understood the fascination some "people" have for useless bling like Gucci bags. I'm much more into "is it functional?" than "is it brand name?"

    But then again, I'm not trying to impress anyone at 57 years old. It isn't like I'm out crusing the bars in a town of 15,000 people, or that designer suits would impress the local hicks. More likely get your sorry butt beaten in an alley for being a snob. :)

    1. GruntyMcPugh

      If I'd embezzled $5M they'd never find my off grid bunker. I'd be self sufficient and be keeping a low profile.

      1. Terry 6 Silver badge

        And might as well be in prison anyway. certainly not living the millionaire lifestyle. It's not pinching the money that's the hardest part, it's spending it without ending up seeing the sun light through a barred window

    2. Michael Wojcik Silver badge

      Bling is functional. Veblen goods provide social signalling and satisfy psychological cravings that some people are susceptible to acquiring under exposure to certain cultural artifacts.

      Those may be functions you don't care about. Good for you; that's one (small) part of acting like a relatively efficient economic agent. It's a quirk of psychology, though. Nothing more.

      I'm not interested in Veblen goods either. Some people — and I'm not saying you're one — regard that as some sort of moral superiority, and I think that's mistaken; it's far more complicated.

      1. msobkow Silver badge

        "Moral superiority?" Hardly. I just can't fathom their fascination with shiny things with brand names. I can't imagine buying something that isn't _perfectly_ suited to my needs just because it is the "in" thing; I'd much rather have the off-brand that does the job just right.

        1. Terry 6 Silver badge

          I'm very much of that opinion. "Street credibility" doesn't of itself equate to real life value.When the kids were little I drove a Berlingo. Think box on wheels, with potential to convert from car to van in minutes. Tons of space for kids' travel cots, toys and what-have-you. Street credibility, style and stuff like that =0%

          Practicality 100%

  11. fg_swe

    German Spelling

    Whenever you hear "sh" in a German word, it will be written "sch".

    Porsche.

  12. FloridaBee

    And I thought my coworker was bad...

    I was rather in shock when I tripped over a coworker's $110,000 embezzlement scheme issuing checks to vendors using their ID numbers and then changing the payee info to her own. She was a piker compared to this one! Still, she got 2 years Federal time, then had the gall to use my name as a professional reference once she got out. I suggested the prospective employer check her criminal background and then lock the doors.

  13. Anonymous Coward
    Anonymous Coward

    Compliance training

    It's so awesome that most/all of our Fortune 500 companies make us take these ethics and compliance training courses and those with real access to company funds are always they ones that pull these stunts - but I'm sure she took the training too.

  14. Flak

    Fiscal governance

    Looks like fiscal governance is not HP's strong point. First Autonomy, now this...

  15. YetAnotherJoeBlow Bronze badge

    Is it just me or does HP have a problem with due diligence ?

  16. Polhotpot

    On the job training

    Sounds like she could have a glittering future in HP’s M&A department, based on her performance.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like

  • OpenSSL 3.0.5 awaits release to fix potential worse-than-Heartbleed flaw
    Though severity up for debate, and limited chips affected, broken tests hold back previous patch from distribution

    Updated The latest version of OpenSSL v3, a widely used open-source library for secure networking using the Transport Layer Security (TLS) protocol, contains a memory corruption vulnerability that imperils x64 systems with Intel's Advanced Vector Extensions 512 (AVX512).

    OpenSSL 3.0.4 was released on June 21 to address a command-injection vulnerability (CVE-2022-2068) that was not fully addressed with a previous patch (CVE-2022-1292).

    But this release itself needs further fixing. OpenSSL 3.0.4 "is susceptible to remote memory corruption which can be triggered trivially by an attacker," according to security researcher Guido Vranken. We're imagining two devices establishing a secure connection between themselves using OpenSSL and this flaw being exploited to run arbitrary malicious code on one of them.

    Continue reading
  • TikTok: Yes, some staff in China can access US data
    We thought you guys were into this whole information hoarding thing

    TikTok, owned by Chinese outfit ByteDance, last month said it was making an effort to minimize the amount of data from US users that gets transferred outside of America, following reports that company engineers in the Middle Kingdom had access to US customer data.

    "100 percent of US user traffic is being routed to Oracle Cloud Infrastructure," TikTok said in a June 17, 2022 post, while acknowledging that customer information still got backed up to its data center in Singapore. The biz promised to delete US users' private data from its own servers and to "fully pivot to Oracle cloud servers located in the US."

    That pivot has not yet been completed. According to a June 30, 2022 letter [PDF] from TikTok CEO Shou Zi Chew, obtained by the New York Times on Friday, some China-based employees with sufficient security clearance can still access data from US TikTok users, including public videos and comments.

    Continue reading
  • More than $100m in cryptocurrency stolen from blockchain biz
    'A humbling and unfortunate reminder' that monsters lurk under bridges

    Blockchain venture Harmony offers bridge services for transferring crypto coins across different blockchains, but something has gone badly wrong.

    The Horizon Ethereum Bridge, one of the firm's ostensibly secure bridges, was compromised on Thursday, resulting in the loss of 85,867 ETH tokens optimistically worth more than $100 million, the organization said via Twitter.

    "Our secure bridges offer cross-chain transfers with Ethereum, Binance and three other chains," the cryptocurrency entity explained on its website. Not so, it seems.

    Continue reading
  • Cisco warns of security holes in its security appliances
    Bugs potentially useful for rogue insiders, admin account hijackers

    Cisco has alerted customers to another four vulnerabilities in its products, including a high-severity flaw in its email and web security appliances. 

    The networking giant has issued a patch for that bug, tracked as CVE-2022-20664. The flaw is present in the web management interface of Cisco's Secure Email and Web Manager and Email Security Appliance in both the virtual and hardware appliances. Some earlier versions of both products, we note, have reached end of life, and so the manufacturer won't release fixes; it instead told customers to migrate to a newer version and dump the old.

    This bug received a 7.7 out of 10 CVSS severity score, and Cisco noted that its security team is not aware of any in-the-wild exploitation, so far. That said, given the speed of reverse engineering, that day is likely to come. 

    Continue reading
  • Tracking cookies found in more than half of G20 government websites
    Sorry, conspiracy theorists, it's more likely sloppy webdev work rather than spying

    We expect a certain amount of cookie-based tracking on retail websites and social networks, but in some countries up to 90 percent of government sites have implemented trackers – and serve them seemingly without user consent. 

    A study by IMDEA, a research facility in Madrid, Spain, evaluated more than 118,000 URLs of 5,500 government websites – think .gov, .gov.uk. .gov.au, .gc.ca, etc. – hosted in the twenty largest global economies (the G20) and discovered a surprising tracking cookie problem, even among countries party to Europe's GDPR and those with their own data privacy regulations.

    On average, the study found, more than half of cookies created on G20 government websites were third-party cookies, meaning they were created by outside entities typically to collect information on the user. While the proportion of cookies issued by third-party trackers ought to be zero on a government web site, some (in Russia for example) had as many as 90 percent of the cookies come from known third-party cookies or trackers.

    Continue reading
  • Google battles bots, puts Workspace admins on alert
    No security alert fatigue here

    Google has added API security tools and Workspace (formerly G-Suite) admin alerts about potentially risky configuration changes such as super admin passwords resets.

    The API capabilities – aptly named "Advanced API Security" – are built on top of Apigee, the API management platform that the web giant bought for $625 million six years ago.

    As API data makes up an increasing amount of internet traffic – Cloudflare says more than 50 percent of all of the traffic it processes is API based, and it's growing twice as fast as traditional web traffic – API security becomes more important to enterprises. Malicious actors can use API calls to bypass network security measures and connect directly to backend systems or launch DDoS attacks.

    Continue reading
  • Google said to be taking steps to keep political campaign emails out of Gmail spam bin
    Just after Big Tech comes under fire for left and right-leaning message filters

    Google has reportedly asked the US Federal Election Commission for its blessing to exempt political campaign solicitations from spam filtering.

    The elections watchdog declined to confirm receiving the supposed Google filing, obtained by Axios, though a spokesperson said the FEC can be expected to publish an advisory opinion upon review if Google made such a submission.

    Google did not immediately respond to a request for comment. If the web giant's alleged plan gets approved, political campaign emails that aren't deemed malicious or illegal will arrive in Gmail users' inboxes with a notice asking recipients to approve continued delivery.

    Continue reading
  • What to do about inherent security flaws in critical infrastructure?
    Industrial systems' security got 99 problems and CVEs are one. Or more

    The latest threat security research into operational technology (OT) and industrial systems identified a bunch of issues — 56 to be exact — that criminals could use to launch cyberattacks against critical infrastructure. 

    But many of them are unfixable, due to insecure protocols and architectural designs. And this highlights a larger security problem with devices that control electric grids and keep clean water flowing through faucets, according to some industrial cybersecurity experts.

    "Industrial control systems have these inherent vulnerabilities," Ron Fabela, CTO of OT cybersecurity firm SynSaber told The Register. "That's just the way they were designed. They don't have patches in the traditional sense like, oh, Windows has a vulnerability, apply this KB."

    Continue reading
  • India extends deadline for compliance with infosec logging rules by 90 days
    Helpfully announced extension on deadline day

    Updated India's Ministry of Electronics and Information Technology (MeitY) and the local Computer Emergency Response Team (CERT-In) have extended the deadline for compliance with the Cyber Security Directions introduced on April 28, which were due to take effect yesterday.

    The Directions require verbose logging of users' activities on VPNs and clouds, reporting of infosec incidents within six hours of detection - even for trivial things like unusual port scanning - exclusive use of Indian network time protocol servers, and many other burdensome requirements. The Directions were purported to improve the security of local organisations, and to give CERT-In information it could use to assess threats to India. Yet the Directions allowed incident reports to be sent by fax – good ol' fax – to CERT-In, which offered no evidence it operates or would build infrastructure capable of ingesting or analyzing the millions of incident reports it would be sent by compliant organizations.

    The Directions were roundly criticized by tech lobby groups that pointed out requirements such as compelling clouds to store logs of customers' activities was futile, since clouds don't log what goes on inside resources rented by their customers. VPN providers quit India and moved their servers offshore, citing the impossibility of storing user logs when their entire business model rests on not logging user activities. VPN operators going offshore means India's government is therefore less able to influence such outfits.

    Continue reading
  • Zero Trust: What does it actually mean – and why would you want it?
    'Narrow and specific access rights after authentication' wasn't catchy enough

    Systems Approach Since publishing our article and video on APIs, I’ve talked with a few people on the API topic, and one aspect that keeps coming up is the importance of security for APIs.

    In particular, I hear the term “zero trust” increasingly being applied to APIs, which led to the idea for this post. At the same time, I’ve also noticed what might be called a zero trust backlash, as it becomes apparent that you can’t wave a zero trust wand and instantly solve all your security concerns.

    Zero trust has been on my radar for almost a decade, as it was part of the environment that enabled network virtualization to take off. We’ve told that story briefly in our SDN book – the rise of microsegmentation as a widespread use-case was arguably the critical step that took network virtualization from a niche technology to the mainstream.

    Continue reading

Biting the hand that feeds IT © 1998–2022