Four Useful Lessons Pharma Can Learn from the Pfizer Facebook Hack

By now, you've probably heard that Pfizer's US corporate Facebook page was "hacked" by some "Kiddies" (see "Pfizer, If You Are So Smart, How Come You Were Hacked By 'Kiddies'?"). For several hours, the page was reconfigured to display messages and images from the hackers, including "**ATTENTION** Pfizer must be stopped. They're corrupt and the damage they create is senseless. Carelessness! Putting a scare on these blokes who deserve one...".

[The hackers may have targeted Pfizer because of its Nigerian litigation case. See "WikiLeaks: Pfizer Hired Investigators to Smear Nigerian Prosecutor in Press"]

Pfizer's FB page is now restored to its original state of corporate banality (see here). A message from Pfizer on the wall states:

"As you might have noticed, our Page was compromised last night. We have been working with Facebook to understand what happened so we can guard against it in the future. Thank you for your patience while our page has been down, and we are pleased to be sharing our news with you once more."

Several interactive agency experts who no doubt have Pfizer as a client are trying to focus the blame on Facebook. Bruce Grant, senior VP, business strategy, at Digitas Health, is on the record, quoted in MedAd Blog (see "Lessons from Pfizer Facebook hack").

According to MedAd, Grant "points out that the The Script Kiddies [the hackers] did not have a reasoned grievance against Pfizer [huh? see above], but were just repeating things they had found in the media. Pfizer was a 'villain of opportunity,' he says, and the hack was not something that Pfizer could have prevented, since the security issues were all on Facebook’s end."

Some biased observers (ie, consultants who currently work for Pfizer or may wish to work for Pfizer in the future) are reluctant to blame Pfizer and tend to shift the blame to Facebook. As I mentioned in yesterday's post, I believe Pfizer is to blame, not Facebook. As the hackers themselves said, it was easy for them to guess Pfizer's Facebook password.

What are the lessons should Pfizer and other pharma companies learn from this?

Grant suggests that when using social media, pharma companies must "control the conversation." He said: "Our advice is you don’t have a choice as to whether you have a page – your choice is whether you want to maintain appropriate control over the conversation."

I'm all in favor of having control over the conversation, but what exactly does that mean? It probably means different things to different pharma companies, which should have explicit policies in place defining what they mean by "appropriate" comments from users and what "controls" they have in place. To moderate or not to moderate, that is the question. For more on that, see "Moderation of Pharma Social Media Discussions" and links therein.

But, what are some USEFUL lessons Pfizer and other pharma companies should learn from this?

I had an interesting discussion relating to this during last night's #socpharm Twitter chat session (find the transcript here).

LESSON #1: Obviously, this first lesson is to IMPROVE your security measures. Contrary to the opinions expressed by observers such as Grant, Pfizer's security problems had nothing specifically to do with Facebook or social media. Pfizer used a WEAK password. The hackers said as much: "Hint for next time: protect the company with a LITTLE better security. One Google search and I'm in." I only hope that Pfizer uses robust passwords to gain access to its clinical trial data!

LESSON #2: Don't have technically naive people, such as corporate communications people, in charge of your social media campaigns. Pfizer even claims it has no FTEs devoted to social media (see my interview with Pixels & Pills' Sarah McLellan, here). This is a BIG mistake. When Pfizer first started its @pfizer_news twitter account, it was so unprofessional that many people thought it was a fake account. Because no one was monitoring Twitter full time for them, the conversation on Twitter proceeded without them as Ray Kerins, Pfizer's head of corporate communications, was in court fighting a traffic ticket!

BTW, Pfizer employs WeissComm Partners (WG) to manage its social media campaigns, including its Facebook page. In fact, the hackers identify Paul Dyer, who oversees the WCG social media team in North America, as the "guy in charge of this Facebook." Word is the hackers found hints to Pfizer's FB password in Dyer's LinkedIn profile (here). There, you will find that Dyer is a "Soccer player for life." Perhaps the secret password was "soccer"? Dyer's previous clients (at another agency) included Coors Light, New Balance, Hansen's Natural Soda, and PURE Bar.

LESSON #3: Don't outsource your social media projects to agencies that are even less technically savvy than you are. Take the case of Edelman creating a Facebook page for AstraZeneca (see "AstraZeneca Hosts 'Take on Depression' Facebook Discussion - Seroquel Lurks Behind the Scenes"). I was able to use Google Earth, WHOIS, etc. to discover personal information about the consultant hired by Edelman (hired by AZ) to program the discussion app on that page. If I were a hacker, the next step would have been to try and guess his password. Instead, I wrote about it and informed him of his security lapses. As a result, AstraZeneca was able to fix the problem before it became a problem.

LESSON #4: Don't blame others for your mistakes. We all are witnessing Ruppert Murdock blame his "trusted" underlings for the phone-hacking scandal in England. Similarly, we are hearing industry consultants blame Facebook for Pfizer's hack. The blame is even being extended to social media in general. @SpitzStrategy (VP, Digital Strategy at Ignite Health), for example, said "#pharma has to get used to things "going wrong" wtih SM -- that's its nature -- controlled chaos like all human communication" during last night's #scopharm chat (see here). This sends a message to other pharma companies that "shit happens" when you get involved with social media and it's OUT OF YOUR CONTROL. To which I say BULLSHIT! That is NOT the proper message to be sending to pharma. Own up to your mistakes and fix them. More importantly, don't tell us that you are working with Facebook to discover what happened and then share unspecific "lessons learned" with others.

To properly learn from these social media faux pas, pharma companies must first correctly assign blame. Let's see who Pfizer blames.

[This post originally appeared in Pharma Marketing Blog. 

Make sure you are reading the source to get the latest comments.]