Pharma’s Social Challenge; or, What Pfizer Learned From Its Facebook Hack


Pfizer was compelled to take down its Facebook page after being hacked July 19th by U.K. hackers, The Script Kiddies, who claimed responsibility for the social misdeed on Twitter. The group’s grievance, apparently, is that (in their words) the pharma giant is “A Corrupt Corporate American Company guilty of cutting corners and killing people.” Such are the charming times we live in.

A screenshot of the hacked posts shows the Pfizer logo smeared in red (above) and information about Pfizer’s $2.3 billion settlement of a U.S. investigation of its drug-marketing practices in 2009. 

Hackers have been targeting government agencies and major corporations in the past several months — if you haven’t read about Operation Shady RAT, Vanity Fair has a good backgrounder — so the fear is this attack is just the tip of the online iceberg for Big Pharma, an industry that was already tiptoeing (read: reticent) to embrace social media.[more]

Just wait until August 15th, when a new Facebook rule will require pharma brand pages to enable user comments.

Pfizer’s VP Corporate Communications Raymond Kerins Jr. called the hack a “learning experience” (that’s putting it mildly) — but at least the brand isn’t shying away from Facebook.

“This environment is one that is dynamic and we’re watching very closely,” he commented to ClickZ about the post-hacking return of Pfizer to Facebook. “It’s really an important channel that patients and doctors have decided this is how they want to communicate.”

Meanwhile, fingers are pointing both ways as to the nature of the breach — security issue or Pfizer/pharma issue? “When we do find out what happened, we will share the learnings with other [pharma] companies,” said Kerins. “I don’t want this to happen to any other companies.”

Whoever commandeered Pfizer’s page would need a Facebook password, which might have been retrieved from a data dump site, Paste Bin, which lists compromised passwords posted by hacktivist such as LulzSec and Anonymous, according to Graham Cluley, senior technology consultant at global computer security firm Sophos, who’s also an avid blogger about security issues.

Hacker traces and Facebook forensics “make it unlikely the social network was responsible for the illicit entry,” Cluley commented to Medical Marketing & Media.

There was speculation that a WCG employee, the PR firm handling some corporate communications and interactive marketing duties for Pfizer, “was sloppy with his security,” he added. “If I were investigating this hack, the very first thing to do would be to look at the security of the page’s administrators and in particular their passwords. That’s where my money would be.”

He further noted that “30% of people use the same password for every single site they access,” so, “in this case the chap was responsible not only for his own online ID but for the brand of a very well-known company, so it’s done damage to [the brand].”

The Script Kiddies, who also hacked the Fox News Twitter feed last month, not only took credit for the Pfizer Pfacebook Pfreak-out but addressed the issue of blame on their Twitter feed: “So apparently, the articles are all claiming the security breach on Pfizer’s page was Facebook’s fault? No… thank Pfizer and Pfizer only,” and posted the picture (at top) of an agency employee they declared was the weak link that let them slip in. “Hint for next time: protect this company with a little better security.”

Beyond Pfizer beefing up its IT and digital (online, social, internal and agency) security, it also begs the question: what is Facebook doing to better protect their users’ pages from being hacked? And to give credit to Pfizer, the company has been more active than many in their industry in creating an online brand presence to engage consumers and their industry peers.

“We are committed to clear and transparent communication and, for that reason, Pfizer has maintained an industry-leading position in area of social and digital media for the last year or so,” said Kerins to Marketwatch.

The good news: Pzifer’s page was restored by the brand on July 20th with the message “We have been working with Facebook to understand what happened,” as one more chapter unfolds in the annals of yet untapped powers of social media in the hands of digitally savvy protesters.

The bad news: the Script Kiddies, which moved on to Verizon, Blackwater/Xe, Walmart and other brands, are taking suggestions today for other targets.