Burger King’s Twitter hijack: A checklist to avoid social media failure
Burger King became the latest victim of social media #fail this week after hijackers took over its Twitter account, replacing the avatar with McDonald’s logo and name and tweeting followers to buy from its fast food rival.
A tweet from the official account read: “Burger King USA official Twitter account. Just got sold to McDonalds because the whopper flopped.”
Additional tweets included photos of unhygienic kitchen conditions and mentions of rap artists whilst the background image was also changed to display McDonald’s products. According to media reports, the account was hijacked by hacking group Anonymous, the same collective responsible for taking down the Vatican website.
The account was quickly suspended, followed by a statement from a Burger King spokesperson: “It has come to our attention that the Twitter account of BURGER KING(R) brand has been hacked. We have worked directly with administrators to suspend the account until we are able to re-establish our legitimate site and authentic postings.”
Burger King is the latest in a string of hijacked Twitter accounts, such as HMV’s employee take-over following redundancies and the case of Jeep.
This all serves to remind brands and their agencies just how vulnerable social media accounts are, says Altimeter analyst Jeremiah Owyang, with most threats found to come from inside rather than from external forces. Analysis of 50 social media crises by the research group showed that 76% of crises could have been minimized or avoided had companies been prepared internally.
In a new blog post, Jeremiah provides a list of potential points of failure that all companies must prepare for:
- Management: Lack of password control. Burger King didn’t know who had access to the account or to the passwords. It is possible the same password was used across multiple accounts. Passwords need to be changed on a periodic basis.
- Breach: Organized hackers can compromise any system. An organized hacker can find multiple methods of intrusion including passwords, social engineering, software, or apps.
- Breach: Rogue employees or agency members (current or former). Without knowing who had access to the passwords, it is impossible to know if the account truly was hacked or if it was a rogue employee, either current or former. Many social software systems are not tied to Active Directory or LDAP systems.
- Training and education: Lack of skills inside the organization. It isn’t clear that BK had the internal skills to actually manage the account, so they became dependent on an external firm. BK was highly dependent on an external agency to actually manage and control their Twitter account.
- Software: Security of Social Media Management System Software. Though it isn’t clear, it is possible that the SMMS system employed by BK could have been hacked. This could have led to other failures in other social media systems.
- Software: Twitter and Facebook Apps. A number of apps on the Twitter and Facebook platform may have multiple forms of data access, which could yield information that could yield passwords, API access, or sensitive information.
- Software: Twitter and Social Networks susceptible. Twitter and Facebook themselves are targets for multiple intruders seeking to compromise systems. Recently, Twitter has been a target of Chinese hackers, as was Facebook last week.
- Security: Network Intrusion. General network or firewall intrusion through online, network infiltration at corporate, mobile phone, agency, or even at Twitter corp.
“Companies must analyze multiple points of failure and develop safeguards at each of the above listed steps. Start by sharing this checklist with internal legal risk and compliance teams, and operational social media teams, including agencies. Develop a process to test these on a regular basis and conduct social media fire drills with all constituents,” he concludes.
What do you think? Are there any other points of failure brands must consider?