Pfizer’s Facebook page hacked – don’t be next!

Pharmaceutical megacorp Pfizer’s Facebook page was defaced a couple of days ago, and then restored.

Responsibility was claimed by a newly-created Twitter account calling itself Script Kiddies. He/she/it urged that Pfizer should be stopped because “they’re corrupt and the damage they create is senseless”.

Intellectually challenging stuff.

Actually, calling this a hack is a bit like saying that you’re going on an overland holiday when all you’re really planning to do is to pop into the pub briefly on your way home. If the screen-grab on The Hawthorne Effect website is to be believed, the hacker – aaargh, I’m doing it again! – did nothing more than guess the password of someone at Pfizer’s PR company who had access to the page.

If you’ve ever worked with, or for, PR companies in recent years, you’ll know that they will urge even their most old-fashioned customers to embrace the social media scene. And many organisations are inclined to trust their PR companies as social media experts (which they may well be), enlisting their help to get into social networking.

But environments such as Twitter and Facebook actually need consistent and continuous tending. With just 140 characters in each Tweet, there isn’t much room for dialogue in the form of a traditional debate. Quantity and fast reaction times are much more useful characteristics in the world of social networking than quality and thoughtful consideration.

In short, it can be useful to outsource your social media interactions to a PR company. After all, initiating, noticing, receiving, sifting and replying to online interactions swiftly is what a modern PR company is supposed to be good at.

But if you do this, you don’t just need to trust your flacks to be creative communicators. You need to trust them to be at least as good at computer security as you are.

Security blunders by PR companies or contractors can quickly become the stuff of legend. In 2009, for example, McAfee was deeply embarrassed by a follow-up email sent to each attendee of its Strategic Security Summit. This erroneously included a spreadsheet with the personal details of all 1500 registrants.

And in 2010 IBM managed to hand out marketing material at a security conference on USB keys which were infected with not one, but two, items of malware.

You need to ensure that your PR company follows security guidelines which are at least as strong as yours.

For example, if you have gateway filtering in place to prevent you emailing out executable files by mistake, you should expect your PR company to have a similar restriction – at least for any users authorised to represent your account. If you have password complexity policies, insist that they follow the same policies for every account that can touch your social media presence: this incident, after all, appears to have come down to nothing more sophisticated than a guessable password.
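To make "the same password policy" concrete, here is an added example, written for this page rather than taken from Sophos or from the post, that applies one policy to in-house and agency accounts alike and reports why a password fails. The policy thresholds, the banned brand and client words, the leet-speak normalisation and the sample account list are all constructed assumptions; nothing here reflects what the guessed Pfizer password actually was.

```python
from __future__ import annotations

import re
from dataclasses import dataclass, field


@dataclass
class PasswordPolicy:
    """One policy, applied to everyone who can post on the client's behalf."""
    min_length: int = 12
    min_classes: int = 3        # of: lower, upper, digit, symbol
    passphrase_length: int = 20 # at or above this, the class rule is waived
    max_repeat_run: int = 3     # longer runs such as "aaaa" are rejected
    banned_words: set[str] = field(default_factory=set)      # substring match
    common_passwords: set[str] = field(default_factory=set)  # exact match


# Undo the usual "1337" substitutions so Pf!z3r still matches "pfizer".
# Assumption: this small map is enough for a demonstration.
LEET = str.maketrans("@01345$!7", "aoieassit")


def normalise(pw: str) -> str:
    return pw.lower().translate(LEET)


def check_password(pw: str, policy: PasswordPolicy) -> list[str]:
    """Return a list of policy violations; an empty list means the password passes."""
    problems: list[str] = []
    low, norm = pw.lower(), normalise(pw)

    if len(pw) < policy.min_length:
        problems.append(f"shorter than {policy.min_length} characters")

    classes = sum(bool(re.search(p, pw))
                  for p in (r"[a-z]", r"[A-Z]", r"\d", r"[^A-Za-z0-9]"))
    if len(pw) < policy.passphrase_length and classes < policy.min_classes:
        problems.append(f"uses {classes} character classes, policy needs {policy.min_classes}")

    if re.search(r"(.)\1{%d,}" % policy.max_repeat_run, pw):
        problems.append(f"contains a run of more than {policy.max_repeat_run} repeated characters")

    if low in policy.common_passwords or norm in policy.common_passwords:
        problems.append("is on the common-password list")

    # Brand, client and product names are the first thing a guesser tries.
    for word in sorted(policy.banned_words):
        if word in norm:
            problems.append(f"contains banned word {word!r}")

    # "Word followed by a year or a short number" is the classic guessable shape.
    if re.fullmatch(r"[a-z]+\d{1,4}[^a-z0-9]{0,2}", low):
        problems.append("is a word followed by digits, a pattern guessers try first")

    return problems


def audit_accounts(accounts: dict[str, str], policy: PasswordPolicy) -> dict[str, list[str]]:
    """Apply the same policy to every account and keep only the failures."""
    return {name: probs for name, pw in accounts.items()
            if (probs := check_password(pw, policy))}


# Constructed policy values: the client's own name and "password" are banned outright.
POLICY = PasswordPolicy(
    banned_words={"pfizer", "password"},
    common_passwords={"password", "welcome123", "letmein", "qwerty"},
)

# Constructed sample credentials for the demonstration; not real accounts.
SAMPLE_ACCOUNTS = {
    "inhouse:comms.lead": "correct horse battery staple",
    "agency:social.team": "Pfizer2011!",
    "agency:intern": "Welcome123",
}

if __name__ == "__main__":
    for account, probs in audit_accounts(SAMPLE_ACCOUNTS, POLICY).items():
        print(account)
        for p in probs:
            print("  -", p)
```

The point of `audit_accounts` is that the agency's accounts are run through exactly the same `PasswordPolicy` object as your own staff's: if the contractor wants a different policy for the social media team, that is the conversation to have before, not after, a defacement. The check deliberately looks at the normalised form as well as the raw one, since "Pf!z3r" is no harder to guess than "pfizer" for anyone who knows whose account it is.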

At the very least, get all the staff at your PR company to watch the video below. After all, you can outsource your corporate communications. But you can’t outsource your accountability!
