Burger King’s Twitter account was hacked today, with the hacker turning the company’s Twitter page into an offensive mock-up of a McDonalds Twitter channel. An hour and fifteen minutes later, the account was suspended, but not before the news spread across the social media fishbowl at lightning speed.
As often happens, a huge amount of basement punditry has already begun. I’ve already had to call BS when I saw someone asserting that it took Burger King “too long” to address the situation.
Here’s what we do know:
- The Burger King account was hacked.
- The hacking occurred on a public holiday in the US and most of Canada.
- It took just over an hour to pull the account down.
Here’s what we do not know:
- If the hacker changed the password to prevent Burger King accessing the page.
- How robust Burger King’s security processes for their social media channels are.
- When Burger King’s team spotted the hack.
- Whether their community manager was anywhere near a computer when this happened – who knows if their community manager was out for a hike when this happened?
- Whether Burger King had a crisis plan for this kind of situation.
- How long it took for Burger King to take action on their end.
- If Burger King needed to go through Twitter to to pull the account down, how long it took them to respond.
- When this is all over, if this will have any impact on the brand whatsoever.
What I know from my experience in these kinds of situations with large brands:
- Situations like this are chaotic at the best of times. As Ed Truitt pointed out in a nice analogy, battle plans rarely survive the first encounter with the enemy.
- Holidays are prime time for hackers, as response times from companies tend to be longer. It can take time to reach people who aren’t officially working.
- The person manning one social channel may not be the same as the person manning another, meaning you may need to reach several people in order to respond.
- An hour is not a long timeframe in which to have a channel pulled down.
The only real gap I see at this point, as pointed out to me by Kami Huyse and Sara Patterson, is the lack of any public response so far. Social media crisis plans should include pre-approved boilerplate language for social media channels and other communications channels for situations like this. With that said, we’re talking a hacking of a relatively small account here – not a major crisis like a food safety recall or a company-caused fatality. Given the frequent separation of audiences between Facebook and Twitter, the company may have considered the option of posting elsewhere, and decided against it (again, we don’t know).
My point: Let’s hold off on the basement punditry. There’s a whole lot that we do not know, and very few things that we do know. Without someone with that knowledge filling in the blanks, all we can do is speculate.