Thursday, July 21, 2011

Four Useful Lessons Pharma Can Learn from the Pfizer Facebook Hack

By now, you've probably heard that Pfizer's US corporate Facebook page was "hacked" by some "Kiddies" (see "Pfizer, If You Are So Smart, How Come You Were Hacked By 'Kiddies'?"). For several hours, the page was reconfigured to display messages and images from the hackers, including "**ATTENTION** Pfizer must be stopped. They're corrupt and the damage they create is senseless. Carelessness! Putting a scare on these blokes who deserve one...".

[The hackers may have targeted Pfizer because of its Nigerian litigation case. See "WikiLeaks: Pfizer Hired Investigators to Smear Nigerian Prosecutor in Press"]

Pfizer's FB page is now restored to its original state of corporate banality (see here). A message from Pfizer on the wall states:

"As you might have noticed, our Page was compromised last night. We have been working with Facebook to understand what happened so we can guard against it in the future. Thank you for your patience while our page has been down, and we are pleased to be sharing our news with you once more."

Several interactive agency experts who no doubt have Pfizer as a client are trying to focus the blame on Facebook. Bruce Grant, senior VP, business strategy, at Digitas Health, is on the record, quoted in MedAd Blog (see "Lessons from Pfizer Facebook hack").

According to MedAd, Grant "points out that The Script Kiddies [the hackers] did not have a reasoned grievance against Pfizer [huh? see above], but were just repeating things they had found in the media. Pfizer was a 'villain of opportunity,' he says, and the hack was not something that Pfizer could have prevented, since the security issues were all on Facebook’s end."

Some biased observers (i.e., consultants who currently work for Pfizer or may wish to work for Pfizer in the future) are reluctant to blame Pfizer and tend to shift the blame to Facebook. As I mentioned in yesterday's post, I believe Pfizer is to blame, not Facebook. As the hackers themselves said, it was easy for them to guess Pfizer's Facebook password.

What lessons should Pfizer and other pharma companies learn from this?

Grant suggests that when using social media, pharma companies must "control the conversation." He said: "Our advice is you don’t have a choice as to whether you have a page – your choice is whether you want to maintain appropriate control over the conversation."

I'm all in favor of having control over the conversation, but what exactly does that mean? It probably means different things to different pharma companies, which should have explicit policies in place defining what they mean by "appropriate" comments from users and what "controls" they have in place. To moderate or not to moderate, that is the question. For more on that, see "Moderation of Pharma Social Media Discussions" and links therein.

But, what are some USEFUL lessons Pfizer and other pharma companies should learn from this?

I had an interesting discussion relating to this during last night's #socpharm Twitter chat session (find the transcript here).

LESSON #1: Obviously, the first lesson is to IMPROVE your security measures. Contrary to the opinions expressed by observers such as Grant, Pfizer's security problems had nothing specifically to do with Facebook or social media. Pfizer used a WEAK password. The hackers said as much: "Hint for next time: protect the company with a LITTLE better security. One Google search and I'm in." I only hope that Pfizer uses robust passwords to gain access to its clinical trial data!

LESSON #2: Don't have technically naive people, such as corporate communications people, in charge of your social media campaigns. Pfizer even claims it has no FTEs devoted to social media (see my interview with Pixels & Pills' Sarah McLellan, here). This is a BIG mistake. When Pfizer first started its @pfizer_news Twitter account, it was so unprofessional that many people thought it was a fake account. Because no one was monitoring Twitter full time for them, the conversation on Twitter proceeded without them as Ray Kerins, Pfizer's head of corporate communications, was in court fighting a traffic ticket!

BTW, Pfizer employs WeissComm Partners (WCG) to manage its social media campaigns, including its Facebook page. In fact, the hackers identify Paul Dyer, who oversees the WCG social media team in North America, as the "guy in charge of this Facebook." Word is the hackers found hints to Pfizer's FB password in Dyer's LinkedIn profile (here). There, you will find that Dyer is a "Soccer player for life." Perhaps the secret password was "soccer"? Dyer's previous clients (at another agency) included Coors Light, New Balance, Hansen's Natural Soda, and PURE Bar.

LESSON #3: Don't outsource your social media projects to agencies that are even less technically savvy than you are. Take the case of Edelman creating a Facebook page for AstraZeneca (see "AstraZeneca Hosts 'Take on Depression' Facebook Discussion - Seroquel Lurks Behind the Scenes"). I was able to use Google Earth, WHOIS, etc. to discover personal information about the consultant hired by Edelman (hired by AZ) to program the discussion app on that page. If I were a hacker, the next step would have been to try and guess his password. Instead, I wrote about it and informed him of his security lapses. As a result, AstraZeneca was able to fix the problem before it became a problem.

LESSON #4: Don't blame others for your mistakes. We all are witnessing Rupert Murdoch blame his "trusted" underlings for the phone-hacking scandal in England. Similarly, we are hearing industry consultants blame Facebook for Pfizer's hack. The blame is even being extended to social media in general. @SpitzStrategy (VP, Digital Strategy at Ignite Health), for example, said "#pharma has to get used to things "going wrong" with SM -- that's its nature -- controlled chaos like all human communication" during last night's #socpharm chat (see here). This sends a message to other pharma companies that "shit happens" when you get involved with social media and it's OUT OF YOUR CONTROL. To which I say BULLSHIT! That is NOT the proper message to be sending to pharma. Own up to your mistakes and fix them. More importantly, don't tell us that you are working with Facebook to discover what happened and then share unspecific "lessons learned" with others.

To properly learn from these social media faux pas, pharma companies must first correctly assign blame. Let's see who Pfizer blames.

[This post originally appeared in Pharma Marketing Blog
Make sure you are reading the source to get the latest comments.]

6 comments:

  1. On Lesson #1 above, I think you misunderstand how most Facebook pages are managed. Pages are created through personal Facebook accounts, then admins are assigned to that page through their personal Facebook account.

    So it is possible that the Pfizer account had multiple admins, each with their own passwords.

    It's likely that Script Kiddies found someone who was a socmedia consultant, hacked into that guy's account, then went to the Pfizer page and started posting their nonsense.

    That is probably why they outed that consultant through the hacked account.

    Lesson 1 still applies, but it's more complex. Force anyone who has admin control over your socmedia accounts to have strong security measures OR create ghost accounts for the organization to enter and ensure the security on that account.

  2. Phil,

    Thanks for the clarification.

  3. On Lesson #4 above, I think you take my tweet out of context, John. Never once did I "blame" Facebook or Pfizer for the hack. Nor did I ever allege that social media (or our utilization of it as healthcare communications specialists) is "out of control".

    So allow me to point out for a moment, now that I have more than 140 characters, that everything I do and my agency does within the space is, first and foremost, engineered to protect pharma from harm and mitigate risk. Not only do we have an entire clinical strategy department dedicated to the ongoing challenge, but as you know our daily, often hourly scouring of the boards keeps us on the pulse of everything that's going on regarding the complex regulatory and technological environment we call home. We take personal responsibility for this, and take great pride in what we accomplish.

    But the proof is in the pudding: Never once have we created or been involved with any social media asset that's been cited as non-compliant, including Facebook pages, blog networks, and even fully functional social media platforms.

    That all said, also please allow me to address the sentiment behind the tweet itself, which dovetailed off of and echoed LiveWorld's @jaysbryant observations about "manageable risks," namely: Digital communications in general, and social media in particular are, by their very nature, dynamic, vulnerable, and therefore impossible to COMPLETELY control.

    Let me be clear and repeat that we weren't alleging social media is "out of control" -- We were simply pointing out that hacking (akin to viruses, system crashes, power outages, worms, etc.) comes with the digital territory. So to your point, yes indeed "shit happens" in digital -- has in the past, does so now, and will continue to do so as a 100% fail safe system has been logically proven by Kurt Gödel to be impossible. To tell our clients otherwise is to misrepresent the space; to be aware of these inherent holes is to be prepared -- not negligent or irresponsible.

    On a higher, semantic level, true social media is, by its very nature, "uncontrollable" -- You of all people have been espousing since day one that pharma has to eventually own up to the reality that if it wants to fully participate in the medium, it'll have to some day be able to embrace genuine two-way communication. You routinely cite examples of pharma social media initiatives that fall far short of this aspirational goal. Your column provides best practices and recommendations to ultimately help get pharma to a point where it will be willing to understand and accept these central and immutable rules of social media engagement. But for now it’s crawling before walking, which is why pharma needs us.

    So back to Lesson #4, after I've hopefully provided some context: I (and everyone else on the tweetchat, it seemed) agreed with you in asserting that, despite the inherent risks, participants in social media initiatives must take full responsibility for their tactical execution, properly educate themselves on all that's involved, and sufficiently resource all such projects to ensure safety. The essential point here is that DESPITE and BECAUSE OF the inherently unpredictable nature of both digital and social media it behooves us all as healthcare communications specialists to have our knowledge, expertise, and builds as firmly and securely buttoned-up as possible.

    So no, John, I don’t advocate “social media chaos.” Everything I do each and every day is to thwart risk on the one hand, and on the other create innovative communication opportunities that hopefully help patients and physicians get the treatment solutions they need.

    That fair? (Thanks for your mention, btw)

    SPITZ

  4. SPITZ,

    Thanks for putting your remark into context.

    On the day your comment was made, I was hearing a lot about the dangers of social media, blaming the INHERENT nature of the medium rather than the INCOMPETENCY of pharma and the agencies that work for them. If they all hired your agency, which seems more careful and competent, I think they would be better off!

    Relevant to this, see today's post about PR vs Interactive: http://bit.ly/ngMxnj

  5. Hello, John. Thank you for the agency compliments, but if you are going to shift your bromance from me to Spitz then I have a serious issue. You don't even send me DMs anymore. If that's how it is, then I might need to find another bird to follow. In fact, I have my eyes set on Peter Vesterbacka, Chief Eagle at Rovio, creator of Angry Birds. His feathers don't change color. :)

    Cheers, Fabio

  6. Oh, Fabio, say it isn't so! Since you got married, we've lost touch. Don't let your wife know you're flirting and trying to get me to DM you!
