Whistleblower reporting channels - Hewlett-Packard CEO Mark Hurd’s story

Mark Hurd ran Hewlett-Packard for five years and turned the company into a Wall Street favourite. Then, on 6 August 2010, the board announced he was leaving, citing inaccurate expense reports filed during a personal relationship he had not disclosed. The case is remembered as a sex-scandal headline, but the decision that ended his career was structurally about a missing reporting channel. The complaint that brought the matter to HP's chair did not arrive through any internal route. It arrived in the form of a letter from a celebrity lawyer.

Mark Hurd, photographed at an Oracle keynote in September 2010, a month after his HP resignation.
© Oracle PR (CC BY 2.0)

A model résumé and a sudden fall

Hurd had spent twenty-five years at NCR, joining as a junior salesman in 1980 and rising to chief executive in 2003. HP brought him in two years later as the successor to Carly Fiorina, with a brief to clean up after a controversial PC merger and restore investor confidence. He did. Aggressive cost-cutting and a string of acquisitions roughly doubled HP's market value during his tenure, and by mid-2010 he was widely treated as one of the most consequential operators in Silicon Valley.

The fall came without warning. In late June 2010, an attorney representing a former HP marketing contractor sent a letter to HP's then-chair Lawrence Babbio alleging sexual harassment by Hurd. The board referred the letter to outside counsel, opened an investigation, and within six weeks asked for his resignation. The contractor was Jodie Fisher, a former actress hired between 2007 and 2009 to host executive-level events at $5,000 per appearance. The lawyer was Gloria Allred. Neither Fisher nor anyone else had ever filed an internal complaint.

What the investigation actually found

The board's inquiry cleared Hurd of the harassment claim itself. What it did not clear were the expense reports. Investigators found that, on multiple occasions when Hurd had been with Fisher, the company's records showed other people listed as the dinner companion or characterised the meal as a routine business expense. Hurd had not disclosed the personal relationship to the board, and the inaccurate filings had the practical effect of concealing it. That, not the harassment letter, was the breach of HP's standards of business conduct that the directors found unsurvivable.

Hewlett-Packard's Palo Alto headquarters.
© LPS.1 (public domain)

Fisher, for her part, said she had not wanted Hurd fired. She told reporters she was "surprised and saddened" that he lost his job over the affair, and that this had never been her intention. Hurd settled with her privately the day before he stepped down, with no payment from HP. His own departure announcement was understated by the standards of the moment:

I realized there were instances in which I did not live up to the standards and principles of trust, respect and integrity that I have espoused at HP
Mark Hurd, statement on resignation

HP paid him a severance worth roughly $12 million in cash plus restricted stock and retirement benefits whose face value was reported in the mid-thirty-million-dollar range. The size of the package became a flashpoint of its own: a separate corporate-governance debate about how a "for cause" departure could co-exist with a multi-million-dollar exit settlement.

The Oracle exit and HP's lawsuit

One month later, on 6 September 2010, Oracle hired Hurd as co-president alongside Safra Catz. HP responded by suing him, arguing that taking a senior role at a direct competitor would inevitably risk the disclosure of HP's strategic plans. Larry Ellison answered with an open letter calling the suit "vindictive" and accusing the HP board of acting with "utter disregard" for the joint customers and shareholders the two companies shared.

The litigation lasted barely two weeks. Hurd surrendered roughly half of the unvested HP equity he was owed, both companies dropped their public posture, and he started at Oracle. The settlement did exactly what HP could not credibly do during the original investigation: it moved a difficult internal matter out of the press and into a private resolution.

A second act, then an early end

At Oracle, Hurd presided over the sales and services side of the company while Catz ran finance and operations. On 18 September 2014, when Ellison stepped back from day-to-day leadership, the two were promoted to co-CEOs. The five years that followed were the period in which Oracle pivoted from packaged on-premises databases to cloud subscriptions, a transition that by 2019 accounted for more than half of the company's earnings.

In September 2019 Hurd announced he was taking a leave of absence to deal with an undisclosed health issue. He died five weeks later, on 18 October 2019, aged 62; press reporting at the time pointed to cancer. Ellison's public tribute described him as "a brilliant and beloved leader." The HP scandal was, by then, a decade-old footnote in a longer career. The institutional question it raised had not gone anywhere.

Why an internal channel would have changed the arc

The structural detail of the HP case is small and easy to miss. Fisher was a contractor, not an employee, and there was no clear, anonymous, contractor-accessible route inside HP for raising a concern about the chief executive. The first time the board heard anything about the relationship was when an outside lawyer's letter landed in the chair's inbox. By that point the only available response was an expensive external investigation under press scrutiny.

An internal channel with confidentiality and anonymity would not have settled the underlying interpersonal question (that was always going to be Hurd's to explain), but it could plausibly have surfaced the expense-report pattern much earlier, while it was still a finance-team conversation rather than a Wall Street story. That is the difference between a control that catches a problem at its first signal and one that activates only after it has become a public crisis. Compare the route used by David Grusch when he raised UAP-related disclosure concerns: a statutory channel, used as designed, before any of it reached a press conference.

What good reporting channels actually require

Set against the Hurd story, the design requirements for an internal reporting channel become concrete rather than abstract. Confidentiality and a real anonymity option are the load-bearing piece. A contractor will not put their name on a complaint about a sitting CEO, and very few employees will either. A channel that forces identification at the first step is, in practice, a channel for grievances that have already been escalated to a manager and rebuffed: exactly the population least likely to surface early-stage misconduct.

Equally important is independence from the line management of the person being reported on. If the same HR function that runs the executive team's performance review is also the front door for complaints against them, the person being asked to use it can do the maths. A working channel reports either to an independent committee of the board or to an external intake provider, or it does not function as a channel at all. The Theranos collapse is the textbook example: Tyler Shultz and Erika Cheung raised concerns inside the company first, were stonewalled, and only became effective whistleblowers after going outside.

The remaining piece is credible non-retaliation, including a follow-up loop that tells the reporter what happened to their complaint. Posting an anti-retaliation policy on an intranet page satisfies a procurement checklist; it does not change behaviour. What changes behaviour is documented investigation outcomes, line managers being held to account when they punish a reporter, and a board-level commitment that retaliation findings reach the directors directly. Where any of those is missing, a hotline is a compliance artefact rather than an active control.

The post-2010 regulatory reset

The institutional response to cases like HP's has been substantial. In the United States, the SEC's whistleblower program (established by Dodd-Frank in 2010, the same year Hurd resigned) has awarded more than $2 billion to 444 individual whistleblowers. The single largest award stands at $279 million; in fiscal year 2024 the SEC paid out more than $255 million across 47 awards. The structure pays a percentage of the recovered sanction, which means an effective tip can be financially life-changing for the reporter and is at least nominally insulated from retaliation through the agency's confidentiality protections.

Court of Justice of the European Union, Kirchberg, Luxembourg.
© Luxofluxo (CC BY-SA 4.0)

Europe's reset is younger and slower. EU Directive 2019/1937 required every member state to enact whistleblower-protection legislation by 17 December 2021; many missed that deadline by years. On 6 March 2025 the Court of Justice imposed lump-sum penalties on five of them: Germany €34 million, the Czech Republic €2.3 million, Hungary €1.75 million, Estonia €500,000 plus €1,500 per day for ongoing non-compliance, and Luxembourg €375,000. Every member state has since transposed the main provisions, though the Commission's own assessment is that none can yet be considered fully compliant. National-law variants, including France's loi Sapin II reforms, set the floor for what a usable internal channel has to look like in organisations above quite modest headcount thresholds.

Sitting alongside the legal floor is a guidance standard, ISO 37002:2021. By design ISO 37002 cannot be certified against; it is a Type B guidance document. Its three pillars (trust, impartiality, protection) are the same ones the EU Directive operationalises and the same ones the Hurd case lacked. Many companies, particularly the third-party intake providers that organisations outsource the front end to, treat it as the de-facto specification.

Read against this backdrop, Mark Hurd's story is no longer just a corporate-governance war story or, as a generation of whistleblower films tends to frame these cases, a moral parable. It is an early data point in a longer transition: from a world in which reporting misconduct against a powerful executive required a celebrity lawyer and a press cycle, to one in which the same disclosure has a regulated route, statutory protection and, in some jurisdictions, a quantifiable financial reward. The infrastructure available to someone in Fisher's position is not perfect, and HP-style cases will keep surfacing. But the asymmetry has shifted, and the next chief executive who hopes that quiet expense-report tampering will simply remain quiet has a much narrower margin than the one Hurd had in 2010.

Marta Giemza

Human Resources Coordinator, specializes in HR matters in the field of employment law. Corporate ethics expert. Active promoter of whistleblower protection.
